Inside CHIME: CHIME Chairman Testifies Before House Committee on Cybersecurity
5.26.16 by Matthew Weinstock, Director of Communications and Public Relations, CHIME
CHIME Board Chair Marc Probst yesterday urged lawmakers to consider ways of improving coordination and alignment of federal cybersecurity programs.
Coordination across federal programs is essential for defending against cyber criminals, CHIME Board Chair Marc Probst told lawmakers yesterday.
“Just as healthcare institutions must coordinate efforts to thwart cyber threats, it is vital that the Department of Health and Human Services have a coordinated plan to address threats to the data and systems used and housed by the department,” said Probst, who testified on behalf of CHIME before the House Energy and Commerce Subcommittee on Health.
The hearing was principally intended to get industry feedback on the HHS Data Protection Act (H.R. 5068). Among other things, the legislation would change the reporting structure at HHS by making the department’s chief information security officer (CISO) a presidential appointee and removing security responsibilities from HHS’ chief information officer (CIO). CHIME remained neutral on the merits of the legislation. However, Probst cautioned lawmakers on the potential danger of politicizing security by making the CISO a presidential appointee. He also suggested that lawmakers consider work being done at HHS under the Cybersecurity Act of 2015, which charges the department to develop a coordination plan by year’s end.
Ultimately, Probst said, the most important thing is coordination and instituting a system of checks and balances. He pointed out that reporting structures vary greatly across the industry.
“It really comes down to how you define the roles of the CIO and the CISO and what their priorities are,” Probst said, noting that the CISO at Intermountain Healthcare reports directly to him, the CIO. “If you’re a 20-bed hospital in the middle of Indiana, you’re the CIO, you’re the CISO and you’re the guy that changes the ink in the printers.”
Mac McMillan, CEO of CynergisTek, who testified in support of the bill, agreed with Probst that coordination and having the right structures in place are critical to developing a successful cybersecurity strategy. McMillan is a member of the Association for Executives in Healthcare Information Security (AEHIS) board. He did not, however, testify in that capacity.
Responding to questions on ways that the government – and industry – can improve cybersecurity generally, Probst highlighted the need for a national patient identifier. Having an accurate way to identify patients across care settings, he said, would minimize the need for providers to collect such data as Social Security numbers. Members of the subcommittee took note that current law prohibits HHS from spending any resources on a national patient identifier. Probst also mentioned the challenges hospitals face ensuring that medical devices don’t present an inherent risk to their networks. CHIME and AEHIS recently submitted comments on this topic to the FDA.
You can watch an archived version of the hearing here (it starts at the 39-minute mark).
Inside CHIME, Volume 1, No. 18