Experts weigh in on elevating CISO within HHS to improve cybersecurity

Several data security experts testified before a congressional panel in favor of a House proposal to elevate HHS’s chief information security officer (CISO) to a separate office, while one expressed concerns about making the office a presidential appointment.

Speaking before the House Energy and Commerce Committee May 25, witnesses emphasized that making the CISO a peer of the chief information officer (CIO), rather than a subordinate, mirrors what private companies are doing.

“Elevating the CISO to be a peer of the CIO reflects the recognition that information security has evolved into a risk-management activity, historically the purview of other executives,” said Samantha Burch, senior director of congressional affairs for the Health Information and Management System Society. “In the private sector context, this recognition requires not just a revised job description, but a removal of the traditional subordination of the information security program to the information technology program to create a direct channel” to senior executives.

Burch advised that changes shouldn’t end at reshuffling offices, suggesting information sharing must be improved if the newly elevated CISO is to take action to address security issues.

Support for the idea wasn’t unanimous. Speaking on behalf of the College of Healthcare Information Management Executives (CHIME), Intermountain Healthcare CIO Marc Probst suggested the reorganization doesn’t matter as much as reprioritizing security.  

“Coordination is key and cooperation and architecting how you’re going to do security is the probably most important aspect, I think, of cybersecurity, not necessarily where an individual reports,” Probst said. “If the strategy is by raising a particular position, and that’s somehow going to raise cybersecurity, I don’t think that’s the case.”

In his written testimony, Probst also expressed concerns about making the CISO a presidential appointment, writing “we’ve seen other instances where politicizing a role can hamper an agency’s ability to affect change.”

Elevating the CISO was the top recommendation of an August 2015 report by the Energy and Commerce Committee, which placed some of the blame for data breaches at the FDA in 2013 on the current CIO-CISO organizational structure.

Lawmakers on the committee said there’s some degree of urgency to address those cybersecurity concerns at HHS before a major cyberattack occurs.

“We’ve learned that there are fundamental weaknesses in the foundation of data security at every major division of HHS and that hardly inspires confidence,” said Rep. Michael Burgess, R-Texas. “Although the breaches and vulnerabilities at HHS have been not as serious as ransomware attacks in the private sector, there’s no reason in the world to just sit back and wait for that disaster to happen and then be tasked with examining smoking ruins.”

Committee chairman Joe Pitts, R-Pa., said HHS was asked to testify, but nobody from the agency could appear. He promised the committee would consult the agency before advancing the legislation. 

""
John Gregory, Senior Writer

John joined TriMed in 2016, focusing on healthcare policy and regulation. After graduating from Columbia College Chicago, he worked at FM News Chicago and Rivet News Radio, and worked on the state government and politics beat for the Illinois Radio Network. Outside of work, you may find him adding to his never-ending graphic novel collection.

Around the web

The tirzepatide shortage that first began in 2022 has been resolved. Drug companies distributing compounded versions of the popular drug now have two to three more months to distribute their remaining supply.

The 24 members of the House Task Force on AI—12 reps from each party—have posted a 253-page report detailing their bipartisan vision for encouraging innovation while minimizing risks. 

Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met.