Coordination, not organizational reporting structure, should be the focus of federal efforts to defend against cyber criminals, College of Healthcare Information Management Executives (CHIME) Board Chair Marc Probst recently told a congressional panel.
"Just as health care institutions must coordinate efforts to thwart cyber threats, it is vital that the Department of Health and Human Services [HHS] have a coordinated plan to address threats to the data and systems used and housed by the department," said Probst, vice president and chief information officer (CIO) at Intermountain Healthcare in Salt Lake City, Utah.
Probst was part of a panel testifying before the House Energy and Commerce Subcommittee on Health, which is examining how HHS aligns its cybersecurity programs and is soliciting comments on the HHS Data Protection Act (H.R. 5068). Among other things, the legislation would change the reporting structure at HHS by making the department's chief information security officer (CISO) a presidential appointee and removing security responsibilities from HHS' CIO.
By way of comparison, Probst noted that CISO reporting structures vary greatly across the health care industry. At Intermountain Healthcare, for instance, the CISO reports directly to Probst, the CIO. A similar reporting structure exists at Penn State Hershey Medical Center. But at a multistate health system, the CISO reports to the chief technology officer. At many smaller hospitals, CHIME members often fill the dual role of CIO and CISO. Ultimately, Probst said, it depends on how the organization defines security and the role of the CISO. What's most important, he told subcommittee members, is that there is coordination across the enterprise and a series of checks and balances.
Commenting specifically on the HHS Data Protection Act, Probst said that legislation should account for ongoing efforts at HHS to coordinate cybersecurity programs. He noted that the Cybersecurity Act of 2015 calls on the department to issue a report to Congress by the end of this year identifying the individual who will be responsible for coordinating and leading efforts to combat cybersecurity threats. HHS must also present a plan from each relevant operating division detailing how each will address cybersecurity threats in the healthcare industry.
Probst also cautioned subcommittee members to fully evaluate the potential negative consequences that could result from making the HHS CISO a presidential appointment. Politicizing HIT policy can hamper the department's ability to influence change. A former member of the Health IT Policy Committee, a federal advisory committee created under HITECH, Probst witnessed how important initiatives for improving care delivery got bogged down in politics and bureaucracy.
"As a health care CIO, I again echo the importance of coordination," Probst said. "What's central to this conversation is meaningful coordination, avoiding any unintended consequences of complex reporting that instead may impede the coordination and flow of information necessary to thwart cyber threats."
Source: College of Healthcare Information Management Executives