The board chair of the College of Healthcare Information Management Executives also cautioned against making the HHS chief information security officer a presidential appointment.
Coordination, not organizational reporting structure, should be the focus of federal efforts to defend against cyber criminals, College of Healthcare Information Management Executives (CHIME) Board Chair Marc Probst told a congressional panel on Wednesday.
"Just as healthcare institutions must coordinate efforts to thwart cyber threats, it is vital that the Department of Health and Humans Services have a coordinated plan to address threats to the data and systems used and housed by the department," said Probst, vice president and chief information officer at Intermountain Healthcare in Salt Lake City, UT.
Probst was part of a panel testifying before the House Energy and Commerce Subcommittee on Health, which is examining how HHS aligns its cybersecurity programs and is soliciting comments on the HHS Data Protection Act (H.R. 5068).
Among other things, the legislation would change the reporting structure at HHS by making the department's chief information security officer (CISO) a presidential appointee and removing security responsibilities from HHS' chief information officer (CIO).
CISO Reporting Structures Vary in Healthcare
By way of comparison, Probst noted that CISO reporting structures vary greatly across the healthcare industry.
At Intermountain Healthcare, for instance, the CISO reports directly to Probst, the CIO. A similar reporting structure exists at Penn State Hershey Medical Center.
But at a multi-state health system, the CISO reports the chief technology officer. At many smaller hospitals, CHIME members often fill the dual role of CIO and CISO.
Ultimately, Probst said, it depends on how the organization defines security and the role of the CISO. What's most important, he told subcommittee members, is that there is coordination across the enterprise and a series of checks and balances.
In the past two years, 81% of hospitals and health insurance companies have had a data breach, according to a 2015 study by KPMG.
Commenting specifically on the HHS Data Protection Act, Probst said that legislation should account for ongoing efforts at HHS to coordinate cybersecurity programs.
He noted that the Cybersecurity Act of 2015 calls on the department to issue a report to Congress by the end of this year identifying the individual who will be responsible for coordinating and leading efforts to combat cybersecurity threats.
HHS is also required to present a plan from each relevant operating division detailing how each will address cybersecurity threats in the healthcare industry.
Probst cautioned subcommittee members to fully evaluate the potential negative consequences that could result from making the HHS CISO a presidential appointment.
Politicizing health IT policy can hamper the department's ability to influence change. As a former member of the Health IT Policy Committee, a federal advisory committee created under Health Information Technology for Economic and Clinical Health Act (HITECH), Probst witnessed how important initiatives for improving care delivery got bogged down in politics and bureaucracy.
"As a healthcare CIO, I again echo the importance of coordination," Probst told the subcommittee.
"What's central to this conversation is meaningful coordination, avoiding any unintended consequences of complex reporting that instead may impede the coordination and flow of information necessary to thwart cyber threats."