On May 25, 2016, the House Energy and Commerce Subcommittee on Health held a hearing to examine the Department of Health and Human Services’ (“HHS”) cybersecurity responsibilities.  The hearing focused on legislation that would create a new office within HHS, the Office of the Chief Information Security Officer (“CISO”), consolidating information security within a single office at the agency. 

The HHS Data Protection Act (H.R. 5068) was introduced by Representatives Billy Long (R-MO) and Doris Matsui (D-CA) on April 26.  The legislation would implement one of the key recommendations of an August 2015 report issued by the Energy and Commerce Subcommittee on Oversight and Investigations.  The report was the result of a year-long investigation focused on an October 2013 breach at the Food and Drug Administration (“FDA”), and was expanded to include information regarding security incidents at other HHS divisions. Among the findings in the report was that the current organizational structure was at least partially responsible for information security incidents throughout HHS. 

Subcommittee Chairman Joseph Pitts (R-PA) said in his opening statement that the Subcommittee’s investigation determined that “serious weaknesses existed” in the overall security programs at HHS. Chairman Pitts added, “It seems a major part of the problem is the organizational structure in place at HHS that puts information security second to information operations,” and he went on to say that the problem stems from the fact that the official in charge of building complex information technology systems is also the official in charge of declaring those systems secure—an obvious conflict of interest.

Witnesses at the hearing included representatives from private industry, healthcare non-profits, and a think tank who spoke about their experiences dealing with threats to healthcare data security and, for the most part, voiced support for the HHS Data Protection Act.  Samantha Burch from the Health Information and Management Systems Society stated her organization’s belief that the bill provides a “great opportunity to better position HHS to meet the growing challenges of securing health information.”  Marc Probst, Board of Trustees Chairman of the College of Healthcare Information Management Executives, cautioned the Subcommittee that they should beware of the unintended consequences of complex reporting mechanisms, and he encouraged Members to evaluate the potential negative consequences of making the HHS CISO a presidential appointment. 

Democrats on the Subcommittee, while in favor of the legislation, expressed disappointment that representatives from HHS were not included on the witness panel. “Having HHS’ perspective would have greatly enhanced our evaluation of current cybersecurity improvement efforts and of the legislation, since HHS would be carrying out the organizational reform proposed in H.R. 5068,” Ranking Member Gene Green (D-TX) said during his opening statement. Chairman Pitts responded that the Subcommittee was unable to get a witness from HHS, but that they would be consulting with them on the legislation. The Subcommittee has yet to schedule a vote on H.R. 5068.

Reporter, Lauren M. Donoghue, Washington, DC, +1 202 626 8999, ldonoghue@kslaw.com.