Intermountain CIO presses Congress for clear strategy on cybersecurity for HHS

Coordination is critical to successfully fending off cybercriminals, Intermountain Healthcare CIO and College of Healthcare Information Management Executives Board Chair Marc Probst told a congressional panel on Wednesday.

Strategy is the key to defending against cybercriminals, and it should be the focus of federal efforts rather than fiddling with the organizational reporting structure the Department of Health and Human Services has in place today, Probst said.

"Just as healthcare institutions must coordinate efforts to thwart cyber threats, it is vital that the Department of Health and Human Services have a coordinated plan to address threats to the data and systems used and housed by the department," said Probst, who was part of a panel testifying before the House Energy and Commerce Subcommittee on Health.

[Also: Cybersecurity insurance, business agreements among major healthcare privacy pitfalls]

The committee is examining how HHS aligns its cybersecurity programs, and it is soliciting comments on the HHS Data Protection Act.

Among other provisions, the proposed legislation would change the reporting structure at HHS by making the department's chief information security officer a presidential appointee and removing security responsibilities from HHS' chief information officer.

By way of comparison, Probst noted that CISO reporting structures vary greatly across the healthcare industry. At Intermountain, for instance, the CISO reports directly to Probst, the CIO. A similar reporting structure exists at Penn State Hershey Medical Center.

[Also: FTC, others call for action on ransomware in healthcare, improved cybersecurity preparedness]

But at a multi-state health system, the CISO reports to the chief technology officer. At many smaller hospitals, CHIME members often fill the dual role of CIO and CISO. Ultimately, Probst said, it depends on how the organization defines security and the role of the CISO. What's most important, he told subcommittee members, is coordination across the enterprise and a series of checks and balances.

Commenting specifically on the HHS Data Protection Act, Probst said legislation should account for continuing efforts at HHS to coordinate cybersecurity programs. He noted that the Cybersecurity Act of 2015 calls on the department to issue a report to Congress by the end of this year identifying the individual who will be responsible for coordinating and leading efforts to combat cybersecurity threats. HHS must also present a plan from each relevant operating division detailing how each will address cybersecurity threats in the healthcare industry.

Like Healthcare Finance on Facebook

Probst also cautioned subcommittee members to fully evaluate the potential negative consequences that could result from making the HHS CISO a presidential appointment. Politicizing health IT policy can hamper the department's ability to influence change, he noted.

A former member of the Health IT Policy Committee, a federal advisory committee created under Health Information Technology for Economic and Clinical Health Act, Probst witnessed how important initiatives for improving care delivery got bogged down in politics and bureaucracy.

"As a healthcare CIO, I again echo the importance of coordination," Probst said. "What's central to this conversation is meaningful coordination, avoiding any unintended consequences of complex reporting that instead may impede the coordination and flow of information necessary to thwart cyber threats."

Twitter: @Bernie_HITN