House leaders urge restructuring at HHS to improve security

Security concerns too often are playing second fiddle to maintaining network operations in the Department of Health and Human Services, according to a report from the House Committee on Energy and Commerce that recommends agency chief information security officers (CISOs) not report to the chief information officer (CIO).

Instead, it wants the CIO and the CISOs of each HHS operating division to be part of the Office of the General Counsel where agency lawyers are trained to minimize risks, reports Federal News Radio.

CIOs are focused on maintaining networks that run smoothly, while the security activities of CISOs may delay or slow down those operations.

When there is a conflict between the two, "operational needs are prioritized and security concerns downplayed, delayed or ignored," according to the report.

It notes that five HHS operating divisions have been breached using "unsophisticated means" within the past three years. HHS Office of Inspector General (OIG) reports over the past seven years have repeatedly cited "pervasive and persistent deficiencies" in the agency's information security programs.

In looking into these breaches, "what we found is alarming and unacceptable," Committee Chairman Fred Upton (R-Mich.) and Rep. Tim Murphy (R-Pa.) said in a joint statement.

"Of concern to the committee, officials at the affected agencies often struggled to provide accurate, clear and sufficient information on the security incidents during the committee's investigation," according to the report.

Among the issues cited:

  • Information security officials are not always permitted full visibility into their own networks as a result of their relationship with agency contractors, who may own and operate portions of agency networks
  • Two information security breaches at two different operating divisions resulted from misconfigurations. A separate breach resulted when a "critical" software patch had not been installed. "These incidents raise questions about whether information security officials have the appropriate level of expertise"

"Organizations are migrating away from the traditional CIO-CISO reporting structure to eliminate the tensions between security and operations that the traditional structure creates. It also removes information security from the IT 'silo' and allows experts from across the organization to see and influence information security decisions," the report says.

One recent survey found healthcare executives especially harsh on their CISOs, viewing them as scapegoats when data breaches occurred.

To learn more:
- read the report (.pdf)
- check out the Federal News Radio story