Will Legislation Pass to Make the CISO and CIO Equals at HHS?

May 20, 2016 Jana Langhorne

Recently introduced legislation aims to establish the office of the CISO within HHS independent from the CIO. This move mirrors a trend seen in private-sector organizations and would make the CISO a peer of the CIO rather than a subordinate. According to Mac McMillan, CEO of CynergisTek and former director of security at the Department of Defense, this type of structure is common in the federal government. In a recent interview with InfoRiskToday, McMillan said, “I support this proposal. I think it’s a great idea. In some other parts of the government, including the DoD, the CISO or director of security is on par with the CIO and has an equal voice.” McMillan also points out that “healthcare is behind in even having a CISO at many organizations.” Placing the CIO and CISO at the same level has been slow to catch on in the healthcare industry, which is why he is pleased to support this proposal.

The proposal was driven by a breach of the FDA’s internal network in which an unauthorized user gained access to the account details of more than 14,000 users of one of the FDA’s information systems. While the breach did not result in substantial harm to the agency’s network or its users, it highlighted the susceptibility of the FDA’s network to attack and raised questions about the adequacy of the FDA’s information security program. To examine these questions, the House Energy and Commerce Committee began an investigation into the FDA’s information security in December 2013. In August 2015 the Committee released a report that recommended separating the CIO and CISO roles at HHS.

On Wednesday, May 25, 2016, the House Energy and Commerce Committee’s Health Subcommittee will hold a hearing, “Examining Cybersecurity Responsibilities for HHS,” in Washington, DC. CynergisTek will support the bill by having Mac McMillan appear as a witness, providing written and oral testimony at the hearing. McMillan plans to say, “When these two positions have equal authority, are both focused on a common mission and working collaboratively, the CIO and CISO form a complementary and effective team to ensure the protection of information assets for an organization.”

Because the healthcare industry lacks qualified CISO resources, CynergisTek offers a virtual CISO service (vCISO). It is designed to fill the resource gap by providing experienced, certified security practitioners and engineers. The service also assists organizations through the process of establishing, improving and managing an effective security program that meets their unique demands. Our consultants integrate with your existing information security team to help you meet compliance requirements. Contact us to learn more.
