House bill would elevate HHS CISO from CIO’s purview

A House bill introduced Tuesday would establish a presidentially appointed Chief Information Security Officer for the Department of Health and Human Services, independent of the department’s CIO. 

Sponsored by Reps. Billy Long, R-Mo., and Doris Matsui, D-Calif., the HHS Data Protection Act is the fruit of a House Energy and Commerce Committee December 2013 investigation into the department’s cybersecurity, particularly at the Food and Drug Administration, which had faced a breach of its internal network months earlier. 

That investigation revealed several other breaches across HHS agencies. It found that all of them were due in some part to an organizational structure that sacrificed security for operational efficiencies. 

Committee Chairman Fred Upton, R-Mich., called the findings “alarming and unacceptable,” particularly in the fallout of massive breaches at the Office of Personnel Management that were revealed last year.


A report on the investigation recommended HHS separate its CISO from the CIO’s office, and this new legislation would do just that: With the establishment of an HHS CISO’s office, the position would not longer reside under the CIO.

“We’ve developed a thoughtful solution to improve cybersecurity at HHS, based on committee findings. We must do all we can to ensure greater security of the government’s health networks and Americans’ sensitive data,” Long and Matsui said in a joint statement. “This legislation is a critical step toward safeguarding the delicate information countless Americans have entrusted in HHS’s hands.”

Under the bill, the CISO’s office would report to the Office of the Assistant Secretary for Administration of the Department of Health and Human Services, and the position, a presidential appointment, would have “primary responsibility for the information security (including cybersecurity) programs of the Department.” 
Also, within a year after its passage, the bill would require the HHS secretary to file a report to the House committee and its Senate Committee on Health, Education, Labor and Pensions counterpart on the CISO’s plans to oversee information security for HHS, as well as similar plans of CISOs at HHS operating divisions, like the FDA and the Centers for Medicare and Medicaid Services.  

There is no companion legislation on the Senate docket and HELP Committee staff did not immediately respond to a request for comment.

Latest Podcasts