Move Would Mirror Private Sector CISO Trend.
Marianne Kolbasuk McGee • May 3, 2016
A bipartisan bill proposing to elevate the position of CISO within the Department of Health and Human Services seeks to emulate moves that some larger private sector organizations – mostly outside of healthcare – have made in recent years.
The HHS Data Protection Act, recently introduced by Reps. Billy Long, R-Mo., and Doris Matsui, D-Calif., would establish the Office of the Chief Information Security Officer within HHS independent from the Office of the CIO, where the CISO position now is located, according to a Congressional statement about the bill.
HHS CISO Sara Hall resigned in February after serving in the post for six years, and the department has not yet replaced her. Hall’s LinkedIn profile indicates that she currently heads security and privacy at Human Longevity, a biotechnology firm.
The proposed legislation calls for HHS to create the CISO office at the start of the next federal fiscal year, Oct. 1, within the office of the assistant secretary for administration of HHS. The new HHS CISO would be appointed by the president.
Under the new arrangement, the HHS CISO, “in consultation with the CIO and the general counsel of HHS shall have primary responsibility for the information security – including cybersecurity – programs of the department,” the bill states.
Motivation for the Move
The proposed bill is based on recommendations made in an August 2015 House Energy and Commerce Committee report following its investigation into an October 2013 network breach at the Food and Drug Administration, a unit of HHS. In that incident, an unauthorized user gained access to the account details of more than 14,000 users of one of the FDA’s information systems.
The committee report notes that “while the breach did not result in substantial harm to the agency’s network and users, it highlighted the susceptibility of FDA’s network to attacks and raised questions about the adequacy of FDA’s information security program.”
The committee, in the statement about the proposed bill, notes that the investigation into the FDA breach “revealed several other information security incidents across HHS, and identified pervasive and persistent deficiencies across the department and its operating divisions’ information security programs.” To address these deficiencies, the report recommended that HHS separate the CISO from the CIO to ensure that information security is appropriately prioritized, the statement says.
Private Sector Moves
Bill Liguori, a partner at executive recruitment firm Leadership Capital Group, says the proposed changes at HHS would follow moves made at many large private sector organizations – including Equifax in the financial services industry and Comcast in the communications industry – in recent years to elevate the role of CISO “so that they are peers to the CIO” and not direct reports.
By separating the role of CISO from the office of the CIO, he says, “the CISO is not labeled just under technology, but is also part of operations and privacy.”
Elevating the role of HHS’ CISO makes sense in light of growing cyber threats facing many high-profile HHS systems including HealthCare.gov, some experts say.
Separating the role of CISO from the CIO also matches how those roles are structured in some other federal departments, notes Mac McMillan, CEO of security consultancy CynergisTek, who formerly was director of security at the Department of Defense.
“I support this proposal. I think it’s a great idea,” he says. “In some other parts of the government, including the DoD, the CISO or director of security is on par with the CIO and has an equal voice.”
At the DoD, McMillan notes, “the CIO cannot deploy any systems on his own.” All information systems have to be signed off on by the director of security, he says. “It’s a matter of checks and balances.”
While some government agencies and private sector organizations have elevated their CISO roles to be on the same level as their CIOs, this trend hasn’t yet caught on at most healthcare organizations, McMillan notes. “Healthcare is behind in even having a CISO at many organizations.”
The bill calls for the HHS secretary to submit a report to the Congress within one year that describes the plan of the HHS CISO “to oversee and coordinate the information security programs of the department.”
HHS did not immediately respond to an Information Security Media Group request for comment on the proposed legislation.