House Panel Discusses Improving Cybersecurity Efforts at HHS
May 27, 2016 11:09 AM
The U.S. House of Representatives Energy & Commerce Subcommittee on Health held a hearing on Wednesday, May 25, 2016, to discuss the responsibilities at the U.S. Department of Health and Human Services (HHS) with regards to cybersecurity. Last year, the committee released a report stating that structural flaws at HHS have led to problems in the department’s information security efforts. Following up on the report’s findings, the hearing included discussion on H.R. 5068, the HHS Data Protection Act, introduced by Rep. Billy Long (R-MO) and Rep. Doris Matsui (D-CA), which would establish the Office of Chief Information Security Officer (CISCO) within HHS. This would involve elevating the HHS CISCO so that the position no longer reports to the HHS Chief Information Officer. Supporters of the legislation argue that the current organizational structure at HHS prioritizes information operations over information security.
“As a result of an investigation conducted by the Energy and Commerce Subcommittee on Oversight and Investigations to examine information security at the U.S. Food and Drug Administration, it was determined that serious weaknesses existed in the overall information security programs at the U.S. Department of Health and Human Services (HHS),” stated Chairman Pitts. “It seems a major part of the problem is the organizational structure in place at HHS that puts information security second to information operations.”
While noting his agreement about the need for greater attention to improving cybersecurity efforts in both the public and private sectors, Full Committee Ranking Member Frank Pallone (D-NJ) expressed disappointment that the subcommittee was unable to ensure that HHS had an opportunity to testify at the hearing. “HHS should be able to testify to whether this organizational change makes sense from their perspective and whether it could potentially exacerbate the problem it’s trying to solve,” he said, adding that he wished the majority had not “rushed” the hearing.
Full committee Chairman Fred Upton (R-MI) also expressed his support for the legislation. “Our oversight identified a problem. And we have a thoughtful solution in the HHS Data Protection Act to address it.”
Subcommittee Ranking Member Gene Green (D-TX) similarly said he was “surprised” by the majority’s decision to move forward with the hearing to discuss the legislation so quickly without accommodating HHS ability to provide a witness. “Unfortunately with the last minute timing of the hearing it’s impossible for the administration to testify,” Rep. Green said. “Having the HHS perspective would have greatly enhanced our evaluation of the current cybersecurity improvement efforts and the legislation, since HHS would be carrying out the organizational reforms proposed in H.R. 5068.”
Rep. Matsui conceded that receiving HHS’s perspective would be very important as the committee’s continues its discussion on the legislation and stated that she looks forward to continuing to working with her colleagues to develop “forward thinking solutions to combat cyber threats across both the public and the private sector.”
Cybersecurity has been a growing concern for health care providers as health networks have been hacked by ransomware attackers. NAHC appreciates efforts and guidance by Congress and the administration with regards to protecting and preventing such attacks.