During a House Energy and Commerce Subcommittee on Health hearing, healthcare IT leaders and security experts testified in support of proposed legislation to elevate and empower the CISO at the U.S. Department of Health and Human Services (HHS).
During the hearing, Health Subcommittee members discussed the cyber readiness of HHS through the lens of a bill, the HHS Data Protection Act. H.R. 5068 would move the Chief Information Security Officer (CISO) position away from reporting to the Chief Information Officer (CIO), instead making it a position equal to the CIO and directs that the CISO report to Assistant Secretary for Administration at HHS.
The legislation also directs the Secretary of Health and Human Services, within one year, to submit a report to the House Committee on Energy and Commerce outlining the HHS CISO’s plan to oversee and coordinate the information security programs at HHS and the steps being taken within each operating division to implement the security plan.
Mac McMillan, a healthcare IT security expert and CEO of the Austin, Texas-based CynergisTek consulting firm, testified that he supports the elevation of the CISO role to a position equivalent to other senior leaders within HHS. “When these two positions have equal authority, are both focused on a common mission and working collaboratively the CIO and CISO form a complementary and effective team to ensure the protection of information assets for an organization,” McMillan said. “When there is disparity in these relationships there is opportunity for conflicts of interest to arise, stifled or abbreviated discussion of risk and an imbalance of priority.”
McMillan pointed out that since 2009 when the HITECH Act was passed and healthcare embarked on the wide scale digitization of patient information there has been a steady in increase in the number of cyber incidents in healthcare. “Healthcare is particularly lucrative to attack because unlike other industries it presents a rare opportunity to steal all forms of sensitive personal information, medical information, personal information and financial information,” he said.
He also stated that security is best achieved as “top down priority,” with strong visible leadership, disciplined practices and constant reevaluation. “What most healthcare organizations suffer from most today is a lack of leadership. This resolution seeks to address that situation by creating a cyber security leadership post within HHS by elevating the CISO position,” he said.
During the subcommittee health, Rep. Joseph Pitts (R-Pa.) asked McMillan, who had previously served as head of security for the On-Site Inspection Agency and Defense Threat Reduction Agency within the Department of Defense, how his agency coordinated with other federal departments.
“We had a very formal process for doing that at the Department of Defense. We had formal accreditation standards for information systems and sensitive information and it dependent on everybody in the department following that accreditation process. So all the directors of security across defense and the military were all marching to the same drum. And, that created a trust environment and facilitated sharing of information,” McMillan said.
Samantha Burch, senior director of congressional affairs at Healthcare Information and Management Systems Society (HIMSS), also testified in support of H.R. 5068, saying that the organizational change included in the legislation would mark “an important step in elevating the critical importance of information and cybersecurity within HHS.”
Burch also noted that conversations at the hearing mirror conversations occurring in healthcare organizations regarding the most effective approach to organizational governance “to ensure optimal data flows, processes and reporting for effective data protection and incident response.” She also noted that many healthcare organizations now have a CISO and others are in the process of hiring a CISO as the organization’s lead executive responsible for safeguarding data and IT assets.
Burch also said that the healthcare sector is now easier and more profitable than ever before and cybercriminals are more sophisticated and agile, “nearly equaling the sophistication and ability of the highly trained, nation state actor.” And, cyber criminals with a low level of skill can conduct cyber attacks if healthcare organizations have unpatched systems and applications and have vendor default or null passwords, she said.
HIMSS supports the evaluation of the CISO to be a peer of the CIO as it reflects the recognition that information security “has evolved into a risk management activity, historically the purview of other executives,” Burch said. And, this recognition, she said, requires a removal of the traditional subordination of the information security program to the information technology program to create a direct channel to the CEO, CFO, general counsel and other senior executives.
“Direct reporting to an organization’s CEO or other executive management facilitates management of security risk in the context of business risk, which can be operational, legal, and/or reputational. A significant security incident or breach may lead to a disruption in patient care or coordination of patient care. As such, it is clear that healthcare organizations need a cybersecurity leader to manage, as well as mitigate, security risk. Recent surveys find CISOs prefer to report to the CEO, and see the trend moving in that direction,” Burch said.
She also cited a study that indicated that when CISOs reporting to the CEO or the Board of Directors, instead of the CIO, significantly reduces downtime and financial losses resulting from cyber security incidents.”
One study, she said, found that organizations in which the CISO reported to the CIO experienced 14 percent more downtime due to cyber security incidents than those organizations in which the CISO reported to the CEO. And, organizations in which the CISO reported to the CIO reported financial losses 46 percent higher than when the CISO reported to the CEO.
However, Burch also pointed out that an organizational change is not enough to improve the security posture of HHS. “The right people, processes and technology must also be in place. Additionally, information sharing must be encouraged and fostered within the organizations.”
HIMSS also sees an important external facing role for the CISO at HHS, including working with the healthcare sector and National Institute for Standards and Technology (NIST) on security best practices and minimum standards for the healthcare industry.
Marc Probst, vice president and CIO at Salt Lake City-based Intermountain Healthcare and Board Chair of the College of Healthcare Information Management Executives (CHIME), told Health Subcommittee members that it is vital that HHS have a coordinated plan to address threats to HHS data and systems.
At Intermountain, the CISO reports directly to Probst (the CIO), as the CISO is focused on developing and overseeing the implementation of the technical strategy to achieve the health system’s security posture.
The health system’s compliance and privacy office handles the interpretation of regulations, rules, corporate policy and procedure. “Our management structure helps us achieve a high-level of cooperation. My peer in Compliance and Privacy is aligned with me; the chief privacy officer is aligned with the CISO. Together we develop the plans and manage execution.”
And, Probst said Intermountain senior executives have developed a cooperative model for cybersecurity that insures checks and balances. “This works at Intermountain. The focus isn’t on the CISO’s reporting structure. Rather, what’s important is that there is an appropriate focus and appropriate checks and balances on both security plan development and execution,” he stated.
A similar reporting structure exists at Penn State Hershey Medical Center, however Probst noted there is a great deal of variation with reporting structures across the industry.
“Where the CISO should report is highly dependent on how the role is defined by the organization,” Probst said.
McMillan said that while the healthcare industry has made considerable strides since 2005, the industry continues to be behind where it needs to be. “Many of the challenges we face include the lack of a credible framework for cyber security, lack of standards for medical devices and a lack of resources and investment in security technologies, to name some. HHSS can provide leadership in solving some of these challenges. I believe the right individual given appropriate authority and resources can and will improve the security posture at HHS and also serve as an industry leader at a time when it is needed most,” he said.