House lawmakers introduced a bill Thursday that reignites a push to elevate the CISO position at the Department of Health and Human Services.
The HHS Cybersecurity Modernization Act would move the CISO, who currently reports to the department CIO, to report directly to the secretary or another senior official.
The bill, introduced by Billy Long, R-Miss., and Doris Matsui, D-Calif., follows earlier attempts by the same lawmakers to introduce similar legislation, such as the HHS Data Protection Act.
“We can always do more to boost our cybersecurity efforts, and while HHS has made some important strides in this effort, we think more can and should be done to help protect the sensitive information the department holds,” the House members said in a joint statement. “We are particularly hopeful for the results that could yield from HHS detailing such a plan and look forward to continued efforts to address potential cyber threats.”
As CyberScoop reports, the bill comes in response to congressional hearings on the state of cybersecurity in the health care sector. A recent federal task force report on the state of hospital cybersecurity was starkly negative in its diagnosis.
It’s also directly tied to a 2013 House Energy and Commerce Committee investigation into the department’s cybersecurity, particularly at the Food and Drug Administration, which had faced a breach of its internal network months earlier. That investigation revealed several other breaches across HHS agencies. It found that all of them were due in some part to an organizational structure that sacrificed security for operational efficiencies.
The bill also calls for a report from HHS on how it plans to respond to evolving cyberthreats, including differentiating among the cybersecurity responsibilities of HHS’s component agencies internally and externally, and any conflicts that may arise.