On April 26, 2016, House Representatives Billy Long (R-MO) and Doris Matsui (D-CA) introduced the HHS Data Protection Act, legislation aimed at improving cybersecurity at the Department of Health and Human Services (“HHS”). If enacted, the bill would create a separate Office of the Chief Information Security Officer (“CISO”), elevating the CISO from its current position within the Office of the Chief Information Officer (“CIO”).
The bill would also officially designate the CISO as the primary authority for information security programs—including cybersecurity measures—within HHS.
The bill stems from an investigation and subsequent report by the House Energy and Commerce Committee, of which Reps. Long and Matsui are members, that found “pervasive and persistent deficiencies across HHS and its operating divisions’ information security programs.” The committee initiated the investigation shortly after a 2013 security breach at the Food and Drug Administration (an agency within HHS) exposed account details of more than 14,000 people. The security review conducted by the committee revealed at least five additional data breaches at HHS, many of which resulted from mistakes or unsophisticated means. The committee released its report nearly two years later in August 2015.
According to the report, the data breaches at HHS resulted in part because the Office of the CIO subordinated security issues to operational concerns. Accordingly, the report recommended separating HHS’ CISO from the Office of the CIO and creating a separate Office of the CISO that would prioritize information security above all other responsibilities. The bill’s current language calls for the appointment of a new CISO and the creation of the separate Office of the CISO by October 1, 2016. The HHS CISO position has been vacant since former CISO Sara Hall left her post earlier this year. In addition, the bill would require the HHS Secretary to submit a report to Congress no later than one year after the legislation’s enactment, detailing the CISO’s plan to oversee, coordinate, and implement the department’s information security programs.
Reporter, Bailey J. Langner, San Francisco, +1 415 318 1214, blangner@kslaw.com.