Congress Explores Healthcare CISOs' Roles
Does Proposal to Create HHS 'Office of the CISO' Make Sense?
Should a healthcare CISO report to the CIO, or someone else? And should the CISO be at the same level as the CIO? The answer depends on whom you ask.
The House Energy and Commerce Committee's Subcommittee on Health explored these and related questions during a May 25 hearing focused on examining cybersecurity responsibilities at the U.S. Department of Health and Human Services.
The subcommittee was seeking private sector input as legislators consider a bipartisan bill that proposes to "elevate and empower" the current HHS CISO role with the creation of a new "Office of the CISO" within HHS. Under the proposal, the HHS CISO - who would be appointed by the president - would become "an organizational peer" to HHS' CIO. Under the current structure, the CISO reports to the CIO (see Proposed Legislation Aims to Elevate HHS CISO Role).
Conflict of Interest?
"In today's digital, connected world, cybersecurity is one of the most important, most urgent problems that we as a society face," said subcommittee chairman Rep. Joseph Pitts, R-Pa., in his opening statement.
An investigation conducted last year by the Energy and Commerce Subcommittee on Oversight and Investigations to examine information security at the Food and Drug Administration determined that "serious weaknesses" existed in the overall information security programs at HHS, he said. "It seems a major part of the problem is the organizational structure in place at HHS that puts information security second to information operations," he said. "The official in charge of building complex information technology systems is also the official in charge of ultimately declaring those systems secure. This is an obvious conflict of interest."
In examining whether it makes sense to elevate the HHS CISO role, subcommittee members questioned a panel of healthcare industry experts seeking a better understanding of how the CISO role works in the private sector.
Legislators were told that the CISO role, and to whom that person reports, is not one-size-fits-all across healthcare entities. Much depends on the culture and size of the organization.
Many of those healthcare organizations that have a CISO - some smaller entities still do not - have that individual report to the CIO, but often with mixed results fraught with conflict, testified Mac McMillan, CEO of security consulting firm CynergisTek. He's a former director of security at the Department of Defense.
That conflict arises, McMillan says, because CIOs are often judged by IT systems' uptime as well as meeting project deadlines and budgets. And the CISO can potentially create obstacles by insisting that systems get taken down to apply software updates and patches that address security vulnerabilities or by refusing to sign off on security testing and mitigation for a project that's slated to go live.
In situations where the CISO reports to the CIO, security is often left out in the planning stages of systems projects, McMillan testified. And then, as a project approaches its finish line, it's often the CIO who overrules important security measures in favor of meeting IT deadlines, he contended, noting: "If security comes in at the end, steps get skipped."
Risk Management Leader
Elevating the CISO to be a peer of the CIO "reflects the recognition that information security has evolved into a risk management activity, historically the purview of other executives," testified Samantha Burch, senior director of Congressional affairs at the Healthcare Information and Management Systems Society.
"In the private sector context, this recognition requires not just a revised job description, but a removal of the traditional subordination of the information security program to the information technology program to create a direct channel to the CEO, CFO, general counsel and other senior executives," she testified.
At some healthcare organizations, when CISOs report to CEOs, the arrangement gives cybersecurity more visibility - and sometimes when the CISO reports to the CFO, it helps to strengthen accountability and auditing processes related to security, testified Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council, a non-partisan think tank.
It also can be beneficial when CISOs report to the general counsel because that can help strengthen the attention to protecting trade secrets, intellectual property and other sensitive information, testified Corman, who is also founder of I Am The Cavalry, a grassroots organization focused on cyber safety. Corman serves on the HHS Cybersecurity Task Force, which was initiated by Congress in the Cybersecurity Act of 2015.
But Marc Probst, longtime CIO of Utah-based integrated health system Intermountain Healthcare, offered the subcommittee a different point of view. He testified that his organization's CISO reports to him, a relationship that's worked out well and has prioritized attention to security.
"We have made cybersecurity and privacy a major priority and focus," he testified on behalf of the College of Healthcare Information Management Executives in his role as board chairman. "As an example, I have instructed my team that, as they prioritize their efforts each day, I would rather have our data centers go completely dark - meaning a complete loss of all of our information systems - than to have a major breach of our data.
"Losing our information systems would be horrible and highly disruptive, but our patients, members, employees, clinicians and others have entrusted us with their most personal data, and we need to do all we can to protect it. Security is not an afterthought. Everyone across the organization needs to make it a priority."
McMillan, however, testified that not all organizations are as successful as Intermountain Healthcare when having a CISO report to the CIO. The consultant, who supports the House proposal to formally elevate HHS' CISO role, testified: "Some excellent CIOs support their CISO ... but I don't trust personality. I want structure regardless of personality."
The CISO's responsibility, he stressed, is "to protect [data] and raise alarms in terms of risk, regardless of stopping progress [by the IT team]."
Due in large part to the massive digitization of health records as a result of financial incentives provided by the HITECH Act, cybercriminals are sharpening their focus on healthcare sector attacks, as shown by the many data breaches and ransomware attacks in the sector, witnesses testified.
Corman told the subcommittee he's less concerned about ransomware and the profit that extortionists are looking to make in these attacks and more worried about "what this has shown to attackers who want to harm patients" using similar tactics.
"We need to focus on the impact of [all] malware," McMillan testified. "[For] those who take down systems, and disrupt patient care, we need to increase the penalty."
Unfortunately in healthcare, "these environments are target rich, and resource poor," Corman testified.
But some healthcare organizations are waking up to the threats and challenges.
Six years ago, there were only two people doing mostly "passwords" related work at Intermountain Healthcare, but now there's a team of 50 individuals on Intermountain's security team, Probst testified.
Pitts said HHS was unable to send a witness to testify at the hearing but that the subcommittee planned to consult with the agency as it further considers the CISO bill.
In the meantime, some witnesses at the hearing voiced concern about a provision of the bill that proposes the HHS CISO be appointed by the president. "That will politicize the role," Probst testified.