A new healthcare cybersecurity bill has been introduced by members of Congress which aims to improve cybersecurity at the Department of Health and Human Services (HHS).
The bill was introduced by two House Energy and Commerce Committee members: Rep. Billy Long (R-MO) and Rep. Doris Matsui (D-CA). The Committee had previously conducted an investigation to determine how cybersecurity could be improved at the HHS.
The new legislation requires the creation of an Office of the Chief Information Security Officer (CISO) at the HHS. Currently, the HHS CISO reports to the HHS Chief Information Officer (CIO). The decision to make this change followed an investigation of the FDA in 2013, which was prompted by a breach of the FDA’s network.
While investigating the FDA breach, the committee learned of a number of other security incidents that had affected HHS departments. The committee also discovered a number of “pervasive and persistent deficiencies” in HHS information security programs.
To address these deficiencies, the committee decided that the CISO and CIO roles should be separated in order to ensure that information security is prioritized. This will also help to ensure that information security expertise is better spread across the HHS.
The existing structure needed to be reorganized to create a system that incentivizes better security, according to the Committee’s report. The investigation identified a number of security failures and vulnerabilities, and while the HHS was able to address all of the issues raised, there were no policy reforms or structural changes made to “address the systemic tensions within HHS’s information security program.”
According to the bill, “The Chief Information Security Officer, in consultation with the Chief Information Officer and the General Counsel of the Department of Health and Human Services, shall have primary responsibility for the information security (including cybersecurity) programs of the Department.”
Under the new structure, the CISO will be primarily responsible for information security at the HHS and its operating divisions. The CIO will be required to hand over current information security responsibilities to the CISO.
Under the new structure, the Committee believes there will be a better balance of operations and security, and it will make it easier to address legal concerns arising from information security matters.