Reps. Billy Long, R-Mo., and Doris Matsui, D-Calif., recently introduced the HHS Cybersecurity Modernization Act, which would enable a designated chief information security officer to report directly to the HHS Secretary rather than to the chief information officer.
“Any such designated officer shall report directly to the secretary or directly to another senior officer within the department of the secretary’s choosing,” the legislation said. “And the secretary may transfer the functions, personnel, assets, and liabilities of the chief information security officer in the Office of the Chief Information Officer of the Department of Health and Human Services, as such position exists on Sept. 30, 2017, to such designated officer.”
Federal Times was not able to identify any agency among the 24 CFO Act agencies that has its CISO report directly to the agency head, making the HHS Cybersecurity Modernization Act a groundbreaking change in the way agencies structure cybersecurity leadership.
“We can always do more to boost our cybersecurity efforts, and while HHS has made some important strides in this effort, we think more can and should be done to help protect the sensitive information the department holds,” said Long and Matsui in a joint statement on the bill. “We are particularly hopeful for the results that could yield from HHS detailing such a plan and look forward to continued efforts to address potential cyberthreats.”
Recent executive initiatives, like the Cybersecurity Executive Order signed in May 2017, hold agency heads accountable for future cyber practices and decisions within their agency. Bringing the CISO into direct communication with the HHS Secretary could help to fulfill those requirements.
The current HHS CISO, Christopher Wlaschin, has served in the position since January 2017 and led efforts such as the development of the Healthcare Cybersecurity Communications and Integration Center.
The bill would also require HHS to develop and submit a plan on how HHS will prepare and respond to cyber threats. This plan would include:
- The responsibilities of HHS in maintaining the security and integrity of their respective information systems.
- The responsibilities of HHS in regulating and providing guidance to the healthcare sector.
- How HHS will delineate and coordinate between those responsibilities.
Currently the bill awaits a hearing by the House Energy and Commerce Committee.