Two House Energy and Commerce Committee members have introduced a bill that would reform the Department of Health and Human Services (HHS) to designate the HHS Chief Information Security Officer (CISO) as the primary authority on all matters of information security at the agency.
The bill, the “HHS Data Protection Act of 2016,” is from representatives Billy Long (R-MO) and Doris Matsui (D-CA). Following their investigation into the vulnerability of federal agency networks, The House Energy & Commerce Committee released their “Information Security at the Department of Health and Human Services” study last August. Among the results was proof that five HHS operating divisions had been breached using unsophisticated means, and further non-public HHS Office of Inspector General (OIG) reports detailing seven years of deficiencies across HHS’s information security programs, according to statement from the office of Congressman Long.
The bill calls for the position of HHS CISO, to be appointed by the president, to begin on Oct. 1, 2016. “The Secretary shall transfer the functions, personnel, assets, and liabilities of the Chief Information Security Officer in the Office of the Chief Information Officer of the Department of Health and Human Services as such position on September 30, 2016 to the Chief Information Security Officer,” the bill states.
What’s more, Long said the study also demonstrates that throughout HHS and its operating divisions, when information security is put under the purview of the chief information officer, operations become the priority concern while security becomes a secondary interest. Included in the report are a number of recommendations to improve information security at HHS and its operating divisions.
“It is impossible to completely eradicate the threat of cyber attacks, but the American people deserve to know that their sensitive information is being safeguarded with the utmost security,” Long said in a statement. “In light of recent data breaches across America’s federal agencies, we have the responsibility to root out vulnerabilities and maximize data protection to give them that peace of mind.”
Congresswoman Matsui added, “The integration of information technology into nearly every aspect of our daily lives means our security landscape has changed dramatically. As the network of cyber criminals becomes increasingly sophisticated, our operational structures and strategies must evolve accordingly. This common sense legislation incentivizes best security practices and encourages organizational efficiencies as our federal agencies continue to confront the modern threat environment.”
The HHS Data Protection Act follows the report’s recommendation to make the Chief Information Security Officer the “primary authority for information security” and moving all information security functions to the general or chief counsel’s office, where reducing and mitigating risk is the primary function.