New HHS CIO Killoran sets cybersecurity priorities

The new CIO at the Department of Human Services brought together members of the agency’s diverse groups to plot its IT strategy even before she took the job in July.

“I thought it was important not just for me to tell them what we needed to do, but to have them all come together,” Beth Anne Killoran tells Healthcare Info Security.

Cybersecurity is one of the goals in the agency’s first IT strategic plan, completed in September. A 2015 report from the Brookings Institution slammed HHS and other federal agencies for failing to make cybersecurity part of their strategic plans.

“The overall objective ... is to beat or at least keep abreast of the security challenges for healthcare. We’re ensuring we’re deploying the technology and workforce to combat the challenges,” she said.

That includes making sure the agency has the resiliency to deliver its services and has skilled and effective staff.

Among the agency’s cybersecurity priorities:

  • Defining the capacities the agency needs now, as well as those it will need in five years. For instance, phishing is a big threat internally right now, she said, but threat vectors are changing and it needs to understand how they’re changing.
  • Making sure it’s using the right tools to effectively monitor and act on threats.
  • Taking a risk-based approach. It must prioritize for the greatest risk, while at the same time be agile enough to change as threats change.

So far the agency has invested a lot in threat response. Now it’s shifting its investment strategy to be more effective at prevention, she told the publication.