Government & Policy

Congressional attempts to empower HHS CISO could serve as model for private hospitals

Proposed legislation would elevate Health and Human Services' CISO from its current position under the CIO. Whether it passes or not, the notion is raising questions about typical reporting structures in the healthcare C-suite.
By Jessica Davis
July 07, 2016
12:05 PM

To hear the chief information security officer of a major mid-Atlantic provider network tell it: Health and Human Services CISO is a toothless post. The reason? HHS CISO reports to the CIO with a dotted line to compliance.

But some U.S. Congress members are aiming to change that. In late April, House Energy and Commerce Committee Members Rep. Doris Matsui, D-California, and Rep. Billy Long, R-Missouri, introduced the HHS Data Protection Act to establish the Office of the CISO with the Department of Health and Human Services.

The proposed legislation would essentially elevate the HHS CISO from its current position under the HHS' chief information officer.

"The integration of information technology into nearly every aspect of our daily lives means our security landscape has changed dramatically," Matsui said. "As the network of cybercriminals becomes increasingly sophisticated, our operational structures and strategies must evolve accordingly."

To that end, the bill extends the Obama administration's Cybersecurity National Action Plan, which emphasizes the need for a CISO to improve cybersecurity. In response to the plan, the administration created a Federal Chief Information Security Officer position to exclusively focus on Federal cybersecurity operations.

The legislation is also in part a response to the committee's August 2015 report on the FDA's information security that found "pervasive and persistent deficiencies across HHS and its operating divisions' information security programs" after its internal network was breached.

>> CASE STUDIES: Where do CISOs fit in the healthcare C-suite?
>> STRATEGIES: CIOs and CISOs share insights on strategic collaboration

Whether or not it actually works to empower the HHS CISO and better safeguard the organization and its data will likely depend more on what responsibilities that position entails than anything else, said David Finn, Symantec Healthcare IT Officer.

“They need to have the right person,” Finn added. “The CISO should not be writing passwords or managing firewall settings.”

Christiana’s Santiago agreed that HHS also must fill that post with someone with the appropriate skill set.

“To be successful, it really has to be the right leader with visibility, empowerment and tools to drive change,” Santiago explained. “But if it’s done correctly and they hire and empower the right leader, they can affect change across the industry.”

The question of how quickly the matter of change would trickle down to private healthcare entities is also one that needs to be assessed.

Topics: 
Business Intelligence, Government & Policy, Privacy & Security

More regional news

Capitol rotunda at sunset

Congress releases AI policy blueprint

By
Andrea Fox
December 20, 2024
Epic booth at HIMSS global conference

Epic files to dismiss antitrust lawsuit

By
Andrea Fox
December 20, 2024
Representatives of NUS Medicine, Kailuan General Hospital, Tianjin Medical University, and Tianjin Medical University General Hospital pose after signing their MOU

Chinese hospitals join NUS Medicine's big health data project

By
Adam Ang
December 19, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Capitol rotunda at sunset
Congress releases AI policy blueprint

Most Read

Winning cybersecurity warfare is the ultimate millstone for CISOs
A passwordless future for clinicians? Industry paper points to a new paradigm
White House OMB is reviewing proposed cybersecurity updates to HIPAA
NHS to roll out radiology AI across 10 health trusts
Oracle Health to apply for QHIN status
HC3 alerts providers of Scattered Spider threat

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

John Saran at Holland & Knight_Modern office buildings in London Photo by Tim Grist Photography/Moment/Getty Images
PE and healthcare investment: What's next for 2025
Sponsored by
Healthcare worker talking to patient
New infusion pumps may help lighten nurses’ workload
Dr Chien-Tzung Chen 4t Linkou Chang Gung Memorial Hospital_HIMSS24 APAC
Linkou Chang Gung Memorial Hospital eyes remote patient monitoring at home
Dan Torrens at eHealth Technologies_Blockchain in healthcare concept Photo by ArtemisDiana/iStock/Getty Images Plus
Getting providers from point A to B

More Stories

Dr. Eric Liederman, CEO of CybersolutionsMD
Q&A: CybersolutionsMD CEO on preventing cyberattacks
Change healthcare booth
Nebraska sues Change Healthcare over ransomware attack
Vijayashree Natarajan of Omega Healthcare on AI
Three for 2025: data security, cancer informatics and agentic AI
Capitol Hill
Congress looks set to extend telehealth and hospital-at-home flexibilities
Josh Di Frances at LG NOVA_Top down view of startup team Photo by NanoStockk/iStock/Getty Images Plus
What a startup pitch competition shows about IT innovation
Ravi Teja Karri of Froedtert Health on AI
Using AI and ML in predictive analytics for bed demand forecasting
Abstract image of AI brain and technology
ASTP updates HHS AI Use Case Inventory for 2024
Female doctor on laptop smiles at patient in foreground who is taking notes
Report shows overwhelming doctor support for virtual care