A bill to establish an Office of the Chief Information Security Officer (CISO) at the Department of Health and Human Services (HHS) was introduced in the House of Representatives. The office would issue guidance to better protect sensitive personal information and data from potential exposure to cyberattacks.
Reps. Billy Long (R-Mo.) and Doris Matsui (D-Calif.) sponsored the HHS Data Protection Act of 2016, which seeks to make the CISO the “primary authority for information security.”
The legislation has been created in light of a year-long investigation by the House Energy and Commerce Committee regarding security protocols at HHS. In a report published in August 2015, congressional investigators found “serious structural flaws” in HHS’ current protocols, resulting in numerous security deficiencies. Investigators reported that these problems leave operation divisions of the department vulnerable to cyberattacks.
The existing information security regime is “poorly structured,” according to the committee’s report. In the last three years, five HHS operation divisions have been compromised, including a serious breach of the Food and Drug Administration’s internal network back in October of 2013.
The newly proposed legislation will be beneficial in making security a primary focus within HHS. Lawmakers say that the reorganization will be the first step in creating a system to incentivize better security measures.
The plan builds on the Cybersecurity National Action Plan, which is designed to enhance cybersecurity protections, Long and Matsui said. The plan also recognizes the need for a Chief Information Security Officer in improving security measures. This new bill comes on the heels of the Obama Administration’s creation of the Federal Chief Information Security Officer position earlier this year, a position focused exclusively on cybersecurity operations.
The bill also comes in the aftermath of several ransomware and cyberattacks to various healthcare organizations throughout the US. Since the start of the year, there have been five large-scale ransomware attacks on hospitals in the US and Canada. HHS has released some guidance on the issue so far, and it seems that creating the CISO position is just another step toward addressing this growing problem.
Because digital information is becoming integrated into most aspects of our daily lives, the importance of cybersecurity has grown dramatically. As cyber criminals become more sophisticated, operational structures must grow in tandem to deter them. This legislation will encourage the best security practices and organizational efficiency as federal agencies confront newfound cyberthreats head on.