[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
EXAMINING CYBERSECURITY RESPONSIBILITIES AT HHS
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON HEALTH
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION
__________
MAY 25, 2016
__________
Serial No. 114-150
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
21-352 PDF WASHINGTON : 2017
COMMITTEE ON ENERGY AND COMMERCE
FRED UPTON, Michigan, Chairman
JOE BARTON, Texas, Chairman Emeritus
ED WHITFIELD, Kentucky
JOHN SHIMKUS, Illinois
JOSEPH R. PITTS, Pennsylvania
GREG WALDEN, Oregon
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee, Vice Chairman
STEVE SCALISE, Louisiana
ROBERT E. LATTA, Ohio
CATHY McMORRIS RODGERS, Washington
GREGG HARPER, Mississippi
LEONARD LANCE, New Jersey
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Ohio
BILLY LONG, Missouri
RENEE L. ELLMERS, North Carolina
LARRY BUCSHON, Indiana
BILL FLORES, Texas
SUSAN W. BROOKS, Indiana
MARKWAYNE MULLIN, Oklahoma
RICHARD HUDSON, North Carolina
CHRIS COLLINS, New York
KEVIN CRAMER, North Dakota
FRANK PALLONE, Jr., New Jersey, Ranking Member
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
ELIOT L. ENGEL, New York
GENE GREEN, Texas
DIANA DeGETTE, Colorado
LOIS CAPPS, California
MICHAEL F. DOYLE, Pennsylvania
JANICE D. SCHAKOWSKY, Illinois
G.K. BUTTERFIELD, North Carolina
DORIS O. MATSUI, California
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
JERRY McNERNEY, California
PETER WELCH, Vermont
BEN RAY LUJAN, New Mexico
PAUL TONKO, New York
JOHN A. YARMUTH, Kentucky
YVETTE D. CLARKE, New York
DAVID LOEBSACK, Iowa
KURT SCHRADER, Oregon
JOSEPH P. KENNEDY, III, Massachusetts
TONY CARDENAS, California
Subcommittee on Health
JOSEPH R. PITTS, Pennsylvania, Chairman
BRETT GUTHRIE, Kentucky, Vice Chairman
ED WHITFIELD, Kentucky
JOHN SHIMKUS, Illinois
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee
CATHY McMORRIS RODGERS, Washington
LEONARD LANCE, New Jersey
H. MORGAN GRIFFITH, Virginia
GUS M. BILIRAKIS, Florida
BILLY LONG, Missouri
RENEE L. ELLMERS, North Carolina
LARRY BUCSHON, Indiana
SUSAN W. BROOKS, Indiana
CHRIS COLLINS, New York
JOE BARTON, Texas
FRED UPTON, Michigan (ex officio)
GENE GREEN, Texas, Ranking Member
ELIOT L. ENGEL, New York
LOIS CAPPS, California
JANICE D. SCHAKOWSKY, Illinois
G.K. BUTTERFIELD, North Carolina
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
DORIS O. MATSUI, California
BEN RAY LUJAN, New Mexico
KURT SCHRADER, Oregon
JOSEPH P. KENNEDY, III, Massachusetts
TONY CARDENAS, California
FRANK PALLONE, Jr., New Jersey (ex officio)
C O N T E N T S
----------
Hon. Joseph R. Pitts, a Representative in Congress from the Commonwealth of Pennsylvania, opening statement
    Prepared statement
Hon. Gene Green, a Representative in Congress from the State of Texas, opening statement
    Prepared statement
Hon. Michael C. Burgess, a Representative in Congress from the State of Texas, opening statement
Hon. Frank Pallone, Jr., a Representative in Congress from the State of New Jersey, opening statement
Hon. Fred Upton, a Representative in Congress from the State of Michigan, prepared statement
Witnesses
Joshua Corman, Director, Cyber Statecraft Initiative, Atlantic Council
    Prepared statement
    Answers to submitted questions
Samantha Burch, Senior Director, Congressional Affairs, Healthcare Information and Management Systems Society
    Prepared statement
    Answers to submitted questions
Marc Probst, Vice President and Chief Information Officer, Intermountain Healthcare, on Behalf of the College of Healthcare Information Management Executives
    Prepared statement
    Answers to submitted questions
Michael H. (Mac) McMillan, Chairman and Chief Executive Officer, CynergisTek, Inc.
    Prepared statement
    Answers to submitted questions
Submitted Material
H.R. 5068, the HHS Data Protection Act, submitted by Mr. Pitts
Article of May 25, 2016, ``Cyber ransom attacks panic hospitals, alarm Congress,'' by Arthur Allen, Politico, submitted by Mrs. Blackburn
EXAMINING CYBERSECURITY RESPONSIBILITIES AT HHS
----------
WEDNESDAY, MAY 25, 2016
House of Representatives,
Subcommittee on Health,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 10:00 a.m., in
Room 2123, Rayburn House Office Building, Hon. Joseph R. Pitts
(chairman of the subcommittee) presiding.
Members present: Representatives Pitts, Guthrie, Shimkus,
Burgess, Blackburn, McMorris Rodgers, Lance, Griffith,
Bilirakis, Long, Ellmers, Bucshon, Brooks, Collins, Green,
Engel, Schakowsky, Castor, Matsui, Schrader, Kennedy, and
Pallone (ex officio).
Staff present: Rebecca Card, Assistant Press Secretary;
Paul Edattel, Chief Counsel, Health; Charles Ingebretson, Chief
Counsel, Oversight and Investigations; James Paluskiewicz,
Professional Staff Member, Health; Graham Pittman, Legislative
Clerk, Health; Jennifer Sherman, Press Secretary; Alan
Slobodin, Chief Investigative Counsel, Oversight and
Investigations; Heidi Stirrup, Policy Coordinator, Health;
Sophie Trainor, Policy Advisor, Health; Josh Trent, Deputy
Chief Health Counsel; Jessica Wilkerson, Professional Staff
Member, Oversight and Investigations; Kyle Fischer, Democratic
Health Fellow; Timothy Robinson, Democratic Chief Counsel;
Samantha Satchell, Democratic Policy Analyst; Andrew Souvall,
Democratic Director of Communications, Outreach, and Member
Services; and Arielle Woronoff, Democratic Health Counsel.
Mr. Pitts. The subcommittee will come to order.
The Chair recognizes himself for an opening statement.
OPENING STATEMENT OF HON. JOSEPH R. PITTS, A REPRESENTATIVE IN
CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA
In today's digital connected world cybersecurity is one of
the most important, most urgent problems that we as a society
face. Indeed, a great deal of sensitive information has been
entrusted to the Federal Government. And as the recent breach
at the Office of Personnel Management showed, we are not always
the most sophisticated at protecting that information. We,
therefore, must always be on the lookout for opportunities to
improve and adapt to changing cybersecurity threats and
realities.
As a result of an investigation conducted by the Energy and
Commerce Subcommittee on Oversight and Investigations to
examine information security at the U.S. Food and Drug
Administration, it was determined that serious weaknesses
existed in the overall information security programs at the
U.S. Department of Health and Human Services, HHS. It seems a
major part of the problem is the organizational structure in
place at HHS that puts information security second to
information operations. This stems from the fact that right now
the top official responsible for information operations at HHS
is the Chief Information Officer, or CIO, and the official
responsible for information security, the Chief Information
Security Officer, or CISO, reports to him. In other words, the
official in charge of building complex information technology
systems is also the official in charge of ultimately declaring
those systems secure. This is an obvious conflict of interest.
Today's hearing will take a closer look at bipartisan
legislation designed to address these organizational issues.
H.R. 5068, recently introduced by our Energy and Commerce
Committee colleagues, Representatives Long and Matsui, is known
as the HHS Data Protection Act. This bipartisan bill elevates
and empowers the current HHS CISO with the creation of the
Office of the Chief Information Security Officer within the
Department of Health and Human Services, which will be an
organizational peer to the current Office of the Chief
Information Officer.
This type of structure is not novel or untested. A branch
of the Department of Defense has already implemented a similar
structure. Many industry experts such as PricewaterhouseCoopers
now recommend that CIOs and CISOs be separated, quote, ``to
better allow for internal checks and balances,'' end quote.
We are very lucky today to have expert witnesses who can
talk to us about not only the bill itself, but help us
understand more about the CIO/CISO relationship and why the
structure currently in place at HHS could benefit from an
update. In particular, I would like to highlight that one of
our witnesses, Mr. Mac McMillan, experienced the very structure
that H.R. 5068 seeks to create at HHS during his time working
for the Department of Defense and will be able to provide
valuable perspective on how HHS might implement this reform.
Today's hearing provides members an important opportunity
to examine cybersecurity responsibilities at HHS and discuss a
bill that will help raise the visibility and priority of
information security across the Department.
[The prepared statement of Mr. Pitts follows:]
Prepared statement of Hon. Joseph R. Pitts
In today's digital, connected world, cybersecurity is one
of the most important, most urgent problems that we as a
society face. Indeed, a great deal of sensitive information has
been entrusted to the Federal Government, and as the recent
breach at the Office of Personnel Management showed, we are not
always the most sophisticated at protecting that information.
We therefore must always be on the lookout for opportunities
to improve and adapt to changing cybersecurity threats and
realities.
As a result of an investigation conducted by the Energy and
Commerce Subcommittee on Oversight and Investigations to
examine information security at the U.S. Food and Drug
Administration, it was determined that serious weaknesses
existed in the overall information security programs at the
U.S. Department of Health and Human Services (HHS). It seems a
major part of the problem is the organizational structure in
place at HHS that puts information security second to
information operations.
This stems from the fact that, right now, the top official
responsible for information operations at HHS is the Chief
Information Officer, or CIO, and the official responsible for
information security, the Chief Information Security Officer,
or CISO reports to him. In other words, the official in charge
of building complex information technology systems is also the
official in charge of ultimately declaring those systems
secure. This is an obvious conflict of interest.
Today's hearing will take a closer look at bipartisan
legislation designed to address these organizational issues.
H.R. 5068, recently introduced by our Energy and Commerce
Committee colleagues, Reps. Long and Matsui, is known as the
HHS Data Protection Act. This bipartisan bill elevates and
empowers the current HHS CISO with the creation of the Office
of the Chief Information Security Officer within the Department
of Health and Human Services, which will be an organizational
peer to the current Office of the Chief Information Officer.
This type of structure is not novel or untested: a branch
of the Department of Defense has already implemented a similar
structure, and many industry experts such as
PricewaterhouseCoopers now recommend that CIOs and CISOs be
separated ``to better allow for internal checks and balances.''
We are very lucky today to have expert witnesses who can
talk to us about not only the bill itself, but help us
understand more about the CIO-CISO relationship and why the
structure currently in place at HHS could benefit from an
update. In particular, I'd like to highlight that one of our
witnesses, Mr. Mac McMillan, experienced the very structure
that H.R. 5068 seeks to create at HHS during his time working
for the Department of Defense, and will be able to provide
valuable perspective on how HHS might implement this reform.
Today's hearing provides Members an important opportunity
to examine cybersecurity responsibilities at HHS, and to
discuss a bill that will help raise the visibility and priority
of information security across the Department.
[H.R. 5068 appears at the conclusion of the hearing.]
Mr. Pitts. I now yield the remainder of my time to Mr. Long
from Missouri.
Mr. Long. Thank you, Mr. Chairman, for holding this
hearing, and thank you to my colleague, Ms. Matsui, for her
fine work and cooperation in working with me on this important
issue.
Today we live in an age of the internet. While that has
spurred faster and more efficient communication between the
American people and their Federal Government, it has also meant
having to confront the threat of cybercriminals. Last year this
committee released a study with alarming results which included
proof that five HHS operating divisions had been breached using
very unsophisticated means, and nonpublic HHS Office of the
Inspector General reports detailing 7 years of deficiency
across HHS' information security programs.
It is impossible to completely eradicate the threat of
cyberattacks, but the American people deserve to know that
their sensitive information is being safeguarded with the
utmost security.
Mr. Chairman, ensuring the safety of Americans' data is a
vital necessity for Government agencies to operate efficiently.
The legislation we are examining today, which I introduced
along with Ms. Matsui, would restructure HHS' positions so that
prioritization will be given to meeting the critical data
security needs expressed by their Chief Information Security
Officer.
With that in mind, I look forward to the testimony of our
witnesses today.
Mr. Chairman, I yield back.
Mr. Pitts. The Chair thanks the gentleman.
Now I recognize the ranking member, Mr. Green, 5 minutes
for an opening statement.
OPENING STATEMENT OF HON. GENE GREEN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TEXAS
Mr. Green. Thank you, Mr. Chairman, and welcome to our
panel to our subcommittee today.
Cybersecurity represents a current and growing threat to
our economy as our everyday lives become more digitized. From
the 2014 breach at the Office of Personnel Management and the
high-profile private sector breaches of companies like Target,
JPMorgan Chase, Anthem, we are too frequently reminded of how
vulnerable we are to security incidents involving personally
identifiable information.
An unauthorized breach of personal information is
particularly concerning when it is sensitive information about
our health. As with the private sector, information and
technology security management remains a challenge for all
Federal agencies.
The principal law concerning the Federal Government's
information security program is the Federal Information
Security Management Act, FISMA. The 2002 law requires agencies
to provide information security protections for IT systems and
information collected or maintained by agencies, quote,
``commensurate with the risk and magnitude of harm that could
result from unauthorized access or disruption''.
Recognizing the importance of cybersecurity and
vulnerabilities of HHS, Congress enacted the Cybersecurity
Information Sharing Act as part of the Consolidated
Appropriations Act in December 2015. CISA requires the
Secretary of Health and Human Services to review and report a
plan for addressing cyber threats and designate a clear
official who is responsible for leading and coordinating
efforts within HHS and the healthcare industry.
That law has established the Health Care Industry
Cybersecurity Task Force. Members were recently appointed to
the task force and will deliver the final report by March of
2017. We should let HHS carry out the provisions outlined in
CISA, and I am a bit surprised by my colleague's decision to
have a hearing today on H.R. 5068, the HHS Data Protection Act,
the legislation that was recently introduced by Representatives
Billy Long and Doris Matsui. And I thank them for their
leadership on this issue.
Unfortunately, with the last-minute timing of the hearing,
it is impossible for the administration to testify. Having HHS'
perspective would have greatly enhanced our evaluation of the
current cybersecurity improvement efforts and this legislation,
since HHS will be carrying out the organizational reform
proposed in H.R. 5068.
Again, cybersecurity remains an issue, and today is an
opportunity to further the conversation. I look forward to
hearing from our witnesses about what the private sector is
doing to enhance cybersecurity, including both defensive and
offensive capabilities.
[The prepared statement of Mr. Green follows:]
Prepared statement of Hon. Gene Green
Cybersecurity represents a current and growing threat as
our economy and everyday lives become more digitized.
From the 2014 breach of the Office of Personnel Management
and high-profile private sector breaches of companies like
Target, JP Morgan Chase, and Anthem, we are too frequently
reminded of how vulnerable we are to security incidents
involving personally identifiable information.
An unauthorized breach of personal information is
particularly concerning when it is sensitive information about
our health.
As with the private sector, information technology security
management remains a challenge for all Federal agencies.
The principal law concerning the Federal Government's
information security program is the Federal Information
Security Management Act (FISMA).
The 2002 law requires agencies to provide information
security protections for IT systems and information collected
or maintained by agencies ``commensurate with the risk and
magnitude of harm'' that could result from unauthorized access
or disruption.
Recognizing the importance of cybersecurity and
vulnerabilities of HHS, Congress enacted the Cybersecurity
Information Sharing Act (CISA) as part of the Consolidated
Appropriations Act in December 2015.
CISA required the Secretary of HHS to review and report a
plan for addressing cybersecurity threats and designate a clear
official who is responsible for leading and coordinating
efforts within HHS and the health care industry.
The law also established the Health Care Industry
Cybersecurity Task Force.
Members were recently appointed to the task force and will
deliver the finalized report by March of 2017.
We should let HHS carry out the provisions outlined in
CISA.
I am a bit surprised by my colleagues' decision to have a
hearing today on H.R. 5068, the HHS Data Protection Act.
This legislation was recently introduced by Representatives
Billy Long and Doris Matsui, and I thank them for their
leadership on this issue.
Unfortunately, the last-minute timing of this hearing made
it impossible for the administration to testify.
Having HHS' perspective would have greatly enhanced our
evaluation of current cybersecurity improvement efforts and of
the legislation, since HHS would be carrying out the
organizational reform proposed in H.R. 5068.
Again, cybersecurity remains an issue, and today is an
opportunity to further the conversation.
I look forward to hearing from our witnesses about what the
private sector is doing to enhance
Thank you, and I yield 2 minutes to my colleague from
California, Congresswoman Doris Matsui.
Mr. Green. I would like to thank you, and I yield the
remainder of my time to my colleague from California,
Congresswoman Doris Matsui.
Ms. Matsui. Thank you, Mr. Green, for your opening, and,
Mr. Chairman, for holding this important hearing.
The intersection between technology and our health is
impacting nearly every aspect of our daily lives. As we move
toward a more connected system of care, we need to make sure
our security practices are nimble and forward-thinking to meet
this new, exciting health IT landscape.
Making technological investments in our cyberdefense
systems is absolutely critical, but it is also just as
important that our organizational structures are set up for
success. The HHS Data Protection Act that I introduced with my
good friend Billy Long would elevate the Office of Chief
Information Security Officer within HHS.
The privacy of our health data is of critical importance,
and this legislation would establish HHS as a model and leader
across the Federal Government. It builds on the Obama
administration's Cybersecurity National Action Plan, which
created the first ever Federal Chief Information Security
Officer, a dedicated senior official in the administration
focused exclusively on coordinating cybersecurity operations
across the entire Federal domain.
We are already seeing the shift happen in the private
sector, and I look forward to hearing more about this from the
witnesses today.
We must also include the important perspective of HHS as
the committee continues our consideration of this legislation.
A securely connected healthcare ecosystem is better for
everyone. This health IT transformation requires a solid
regulatory and legislative foundation to work from.
I will continue to work with my colleagues in Congress on
forward-thinking solutions to combat cyber threats across both
the public and the private sector, and I do appreciate the
witnesses being here today. I look forward to your testimonies.
Thank you, Mr. Chairman. I yield back.
Mr. Pitts. The Chair thanks the gentlelady, and now
recognizes the gentleman, Dr. Burgess, 5 minutes for an opening
statement.
OPENING STATEMENT OF HON. MICHAEL C. BURGESS, A REPRESENTATIVE
IN CONGRESS FROM THE STATE OF TEXAS
Mr. Burgess. Thank you, Chairman Pitts, and thank you for
holding this hearing.
There are certainly more and more reasons every day to be
concerned about our health data security. Digitization of
health information has accelerated in all sectors of medicine,
and electronic data is taking the place of paper files
everywhere from research labs to hospitals, to public health
departments.
I am fully committed to advancing progress towards an
interoperable universe of health information because I am
confident it will offer benefits for medical information and
for healthcare delivery.
However, this progress has brought with it threats to
patient privacy, threats to patient security, and even threats
to safety, unlike anything we have ever faced before. We have
seen hospitals that rely on electronic health records be held
ransom by hackers, demanding a fee payable in bitcoins, before
they can regain access to patient records.
This is no small victimless crime. This could be a matter
of life and death, particularly when you consider the care of a
critical-needs patient or a critical-care patient in an
intensive care setting. This is something that is being
perpetrated by sophisticated criminals who I don't think
understand the seriousness of the illness of the patients that
they are dealing with.
We have learned that there are fundamental weaknesses in
the foundation of data security at every major division of HHS,
and that hardly inspires confidence. Although the breaches and
vulnerabilities at HHS have not been as serious in nature as
ransomware attacks in the private sector, there is no reason in
the world to just sit back and wait for that disaster to happen
and, then, be tasked with examining the smoking ruins.
Data held by the divisions at Health and Human Services
seriously affect every single American. Just a few ``what
ifs'':
What if our enemies could hack into the CDC's systems? What
is to stop them from using our own biodefense plans against us?
If the FDA's data on clinical trials is vulnerable to
hackers, how can companies be confident that their proprietary
trade secrets and intellectual property will not be stolen?
There is no limit to the cavalcade of harsh headlines if we
don't get serious about data security at the Department of
Health and Human Services before it is too late. Mr. Long and
Ms. Matsui have taken an important first step in making data
security a priority, and I am certainly grateful that we have
our witnesses here today. I look forward to hearing from them.
And I will yield to the vice chair of the full committee,
Ms. Blackburn.
Mrs. Blackburn. Thank you, Mr. Chairman.
And we appreciate our witnesses being here.
This is something that I think many of us recognize is
truly a problem. In 2003, when we did the Medicare
Modernization Act, I recommended that we put in process an
orderly process and incentives for the healthcare provider
system to move to electronic records. Well, the hospitals did
not want that. So now, what you have is kind of a mixed bag of
different systems and people that are in different places along
this transition to electronic records. What you also see--and
Politico has a great article in today.
Mr. Chairman, we should put this article in the record
because it points out why we need this legislation.
Mr. Pitts. Without objection, so ordered.
Mrs. Blackburn. Thank you.
[The information appears at the conclusion of the hearing.]
Mrs. Blackburn. As Chairman Burgess said, interoperability
is an issue, data security protections. We still have not
passed data security or privacy legislation, breach
notification, things of that nature, out of this committee, and
we should do so.
And also, going back and revisiting HIPAA, which would help
us to put in place some protections. We have seen, the hospital
industry that is in my district, they have seen some hacks,
millions of records, patient records, that have been taken and
have been exposed. This is the type of crime that happens to
you. You do not know that it is coming. You are not aware many
times until months after it has occurred. And that entire time,
you have patients that are vulnerable.
So, we thank you for helping turn the attention to
cybersecurity, and I yield back the balance of my time.
Mr. Pitts. The Chair thanks the gentlelady.
I now recognize the ranking member of the full committee,
Mr. Pallone, 5 minutes for an opening statement.
OPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE
IN CONGRESS FROM THE STATE OF NEW JERSEY
Mr. Pallone. Thank you, Mr. Chairman.
I appreciate today's hearing topic on cybersecurity and
examining the cybersecurity responsibilities within HHS. I
think we would all agree that cybersecurity is a critical issue
facing us in our ever-evolving 21st century world. Everything
we do on a daily basis is more and more connected through the
internet. And when it comes to our health information, just
like our personal information, we must find ways to improve our
systems, so that they are secure and protected.
I have said before that this committee has a long history
on cybersecurity issues. We also recently held a hearing in the
Oversight and Investigations Subcommittee in which we heard
firsthand how difficult and complicated this problem is.
Unfortunately, our ability to protect against cyberattacks
while improving still appears to lack what is needed to prevent
these intrusions. And what we have discovered is that, while
the Federal Government has had their share of breaches, the
private sector is also battling these attacks.
Today we are going to examine one solution to this problem,
how an agency should be organized to encourage efficiencies and
best practices within the Federal Government. This legislation,
introduced by Representatives Matsui and Long, would move the
Chief Information Security Officer, CISO, to the same level as
the Chief Information Officer, CIO. Currently, the CISO is
located within the same office as the CIO and reports to the
CIO.
I look forward to hearing about what this can accomplish,
but, also, if there are any shortfalls to such reorganization.
For example, would moving the system out of the Office of the
CIO create silos? Should information security considerations be
integrated into the information technology planning process
instead of in parallel, as this bill would suggest? Would this
bill create inefficiencies by removing responsibility for the
CIO to take into account cybersecurity? Are there major
differences between HHS and the private sector that should be
taken into account?
So, let me just say that I am disappointed we couldn't
ensure that HHS had an opportunity to be here today to express
their own views. HHS should be able to testify to whether this
organizational change makes sense from their perspective and
whether it could potentially exacerbate the problem it is
trying to solve. And this is why I wish the majority had not
rushed this hearing.
While this bill may, in fact, be a good approach and I
appreciate the efforts of our committee colleagues, the timing
of this hearing means that the committee, stakeholders, and HHS
itself have not had a chance to fully vet the bill.
Finally, Congress passed a bill at the end of last year
that requires HHS to do a thorough cybersecurity report and
plan, and I am concerned that we would move forward on these
changes before we are able to hear the outcome of this report.
We may never be able to completely eradicate the threat of
cybersecurity, but we have to take comprehensive action, and I
am glad to see this committee is exploring ways to do that.
I yield back, Mr. Chairman.
Mr. Pitts. The Chair thanks the gentleman.
Although both sides tried to get a witness from HHS, they
were unable to produce a witness today. But we will get their
consultation, work with them, before moving on this issue.
That completes the opening statements. As usual, the
written opening statements of Members will be included in the
record.
We will now go to our panel. Thank you for your attendance
today, and I will introduce you in the order of your
presentation. Your written testimony will be made part of the
record. You will each have 5 minutes to summarize your
testimony.
And in the order of your presentation, Mr. Joshua Corman,
Director of Cyber Statecraft Initiative, Atlantic Council; Ms.
Samantha Burch, Senior Director, Congressional Affairs,
Healthcare Information and Management Systems Society North
America; Mr. Marc Probst, Vice President and Chief Information
Officer, Intermountain Healthcare, on behalf of the College of
Healthcare Information Management Executives, and, finally, Mr.
Mac McMillan, Chief Executive Officer, CynergisTek, Inc.
Again, thank you for coming.
Mr. Corman, you are recognized for 5 minutes for your
summary.
STATEMENTS OF JOSHUA CORMAN, DIRECTOR, CYBER STATECRAFT
INITIATIVE, ATLANTIC COUNCIL; SAMANTHA BURCH, SENIOR DIRECTOR,
CONGRESSIONAL AFFAIRS, HEALTHCARE INFORMATION AND MANAGEMENT
SYSTEMS SOCIETY; MARC PROBST, VICE PRESIDENT AND CHIEF
INFORMATION OFFICER, INTERMOUNTAIN HEALTHCARE, ON BEHALF OF THE
COLLEGE OF HEALTHCARE INFORMATION MANAGEMENT EXECUTIVES; AND
MICHAEL H. (MAC) McMILLAN, CHAIRMAN AND CHIEF EXECUTIVE
OFFICER, CYNERGISTEK, INC.
STATEMENT OF JOSHUA CORMAN
Mr. Corman. Chairman Pitts, Ranking Member Green, and
distinguished members of the Subcommittee on Health, thank you
for the opportunity to testify today.
My name is Joshua Corman. I am the Director of the Cyber
Statecraft Initiative at the Brent Scowcroft Center for
International Security at the Atlantic Council, a nonpartisan
international policy think tank.
I am also a founder of a grassroots volunteer organization
focused on cybersafety in the Internet of Things called I Am
The Cavalry, and an adjunct faculty for the CISO Certificate
Program at Carnegie Mellon University's Heinz College. And
lastly of note is I am one of the delegates serving on the HHS
Cybersecurity Task Force that came out of the Cybersecurity Act
of 2015.
Over the past 15 years, I have been a staunch advocate of
the CISO and the emerging challenges that confront that role,
and tried to focus on the vanguard of emerging issues, whether
it be the rise of hacktivism, the rise of nation-state
espionage, or the increase to cybersafety and cyberphysical
systems threats that face medical devices, automobiles, and the
like. It is an increasingly challenging role, and I work deeply
with the Fortune 50 and the Fortune 100.
I say all of this because I have had a front-row seat at
the turbulent evolutions that confront this role of the Chief
Information Security Officer and have seen the healthy and
unhealthy adaptations that the profession has taken in the
private sector and the public sector, often through business
relationships or my students at Carnegie Mellon University.
What I hope to do here is frame a few of the factors that
contribute to a successful CISO and a CISO cybersecurity
program; also, speak to some of the costs and benefits and
tradeoffs of alternative reporting structures that have been
tried in the private sector and elsewhere; also, to answer any
questions as you consider your choices.
A brief comment on the current state of cybersecurity which
I think is becoming clearer and clearer to this body. Our
dependence on connected technology is growing much faster than
our ability to secure it, and now it is affecting public safety
and human life. The breaches are getting bigger, as we have
seen with Target and Ashley Madison. The breaches are affecting
Federal agencies, as we have seen with OPM, the Pentagon, and
now HHS. And the breaches are getting more dangerous, as we are
seeing with power outages in the Ukraine or denial of patient
care at Hollywood Presbyterian Hospital due to an accidental
impact of ransomware.
I am more deeply concerned, less about the ransomware
itself with a financial-motivated adversary, but more concerned
at what this has revealed to ideological adversaries who may
wish to cause physical harm and a sustained denial of service
to patient delivery. And for these reasons, it is important
that we avail ourselves of the best practices that are emerging
at the vanguard of how we organize cybersecurity programs.
Some factors which I have noticed contribute to the success
of a CISO, a CSO, or a cybersecurity program:
No. 1, the individual qualifications of the CISO in
question.
No. 2, at topic today, the reporting structure to the CIO,
CFO, general counsel, CEO, board of directors, or alternatives.
No. 3, the relationship the CISO maintains, regardless of
reporting structure, to key stakeholders throughout the
organization.
No. 4, CEO and board-level visibility and prioritization to
be supported in the execution of the mission.
No. 5 is the application of risk management principles
versus minimum compliance standards, which you often hear a
quote of, ``We can spend only on compliance mandatory spending
and not one penny more,'' often truncating true risk management
or defensive countermeasures that are required to fend off
these modern adversaries.
And lastly, ability for the CISO to both influence IT and
business choices, not simply IT or CIO choices. So, the scope
is expanding as well.
In general, as an observation, there is a migration away
from reporting to the CIO as an inherent conflict of interest
for a bevy of reasons which I can get into during your Q&A. And
with each of the alternative structures, you see better aspects
of the program manifest. For example, a CIO is typically
concerned about availability and uptime of IT as opposed to
privacy or sensitive information or trade secrets.
Moving simply to a general counsel, for example, typically
expresses greater focus on risk management principles on
harder-to-replace information like trade secrets, sensitive
organizational data, intellectual property, and the like.
Reporting to the CIO allows true tensions and natural conflicts
which emerge to get top full visibility on how to resolve those
differences. And reporting to the CFO often brings to bear very
rigorous accounting and audit principles, as have been
introduced by the rigor of things like Sarbanes-Oxley on the
financial services sector.
Lastly, for 10 seconds here, essentially, there is a
tremendous value in experimentation, and I really applaud the
spirit of this bill to try an alternative reporting structure
in one agency and, if successful, it could be replicated across
other agencies to rise to these growing challenges.
I thank you for your time.
[The prepared statement of Mr. Corman follows:]
Mr. Pitts. The Chair thanks the gentleman.
I now recognize Ms. Burch, 5 minutes for your summary.
STATEMENT OF SAMANTHA BURCH
Ms. Burch. Chairman Pitts, Ranking Member Green, members of
the subcommittee, thank you for the opportunity to testify
today on behalf of the Healthcare Information and Management
Systems Society in support of H.R. 5068, the HHS Data
Protection Act.
HIMSS is a global, cause-based, not-for-profit organization
focused on better health through information technology. HIMSS
North America encompasses more than 64,000 individuals plus
hundreds of corporations and not-for-profit partner
organizations that share this cause. Our organization has spent
more than a decade working to support the healthcare sector in
improving its cybersecurity posture through thought leadership,
proactive policy development, surveys, toolkits, and other
resources.
Today's hearing begins a critical conversation that mirrors
conversations occurring in healthcare organizations across the
country regarding the most appropriate approach to governance
to ensure effective data protection and incident response.
Cybersecurity has been a growing area of focus for
healthcare organizations in recent years. Highly publicized,
large-scale breaches of patient and consumer information and
other high-profile security incidents have resulted in the
increased hiring of Chief Information Security Officers to
serve as the lead executive responsible for safeguarding an
organization's data and IT assets. Further, the trend towards
elevating the CISO to be a peer of the CIO reflects the
recognition that information security has evolved into risk
management activity historically within the purview of other
executives.
This recognition requires a reporting structure that
creates a direct channel to the CEO, CFO, general counsel, and
board of directors to facilitate management of security risk in
the context of business risk, operational, legal, financial,
reputational.
For healthcare providers, a significant security incident
or breach may lead to a disruption in patient care, the primary
business mission of the organization. As such, it is clear that
healthcare organizations need a cybersecurity leader to manage
as well as mitigate security risk.
However, it is important to note that it is not simply the
organizational change of the CISO which will dramatically
improve the security posture of an organization. The right
people, processes, and technology must also be in place.
The August 2015 Report on Information Security at HHS
raised several important points related to the impact of the
current HHS CISO reporting structure and detailed the resulting
internal security challenges faced by the Department. This
report reflects the criticality of the discussion we are having
today.
Like the private sector, HHS needs programs in place that
support the specific business missions of its various operating
divisions such as CMS as the largest healthcare payer or NIH as
the Government health research agency. Breaking down silos will
better position the Department to move from an audit-driven
approach to a proactive, ongoing business risk management
approach to cybersecurity that encourages information-sharing
within the Department.
Additionally, we believe that external threat information-
sharing is essential for HHS with other Federal agencies such
as DHS and FBI and, also, with private sector healthcare
organizations. We see an important external-facing role for the
Office of the CISO as well. I direct the subcommittee to my
written statement for additional details on that point.
Healthcare organizations have come a long way in building
the IT capabilities to make the goals of 21st Century Cures a
reality. Over the past 5 years, rates of adoption of advanced
EHR capabilities have increased significantly. The health
information now contained in these systems holds great
lifesaving potential.
These goals are particularly meaningful to me, as a 5-year
survivor of a rare brain tumor, and to the HIMSS organization
after our colleague tragically lost her 22-year-old son to
cancer and other complications last week.
We see clearly that it is trust that will enable these
efforts to succeed, trust in the system that will house and
control access to the patient's data and trust in the public/
private collaborative effort. The HHS CISO, appropriately
positioned within the Department, will be uniquely qualified to
lead this important mission.
In closing, I would like to thank Congressman Long and
Congresswoman Matsui for their leadership on this legislation
and the subcommittee for prioritizing this issue. I look
forward to your questions.
[The prepared statement of Ms. Burch follows:]
Mr. Pitts. The Chair thanks the gentlelady.
Now I recognize Mr. Probst, 5 minutes for your summary.
STATEMENT OF MARC PROBST
Mr. Probst. Thank you, Chairman Pitts, Ranking Member
Green, and members of the subcommittee. It is an honor to be
here today to testify on behalf of the College of Healthcare
Information Management Executives, or CHIME, concerning the
relationship of Chief Information Officer and Chief Information
Security Officer at the Department of Health and Human
Services.
CHIME is an executive organization serving nearly 1900 CIOs
and other health information technology leaders at hospitals,
health systems, and clinics across the Nation. In addition to
serving as chairman of the CHIME board of trustees, I am the
CIO and President of Information Systems at Intermountain
Healthcare in Salt Lake City, Utah. Intermountain is a
nonprofit, integrated health system that operates 22 hospitals
in Utah and Idaho and approximately 200 clinics as well as an
insurance plan. Intermountain also has over 36,000 employees.
Nationally, Intermountain is known for providing high-
quality care at sustainable costs. Essential to our ability to
deliver high-value, coordinated patient care is the proper and
effective use of health information technology. CHIME members
take very seriously their responsibility to protect the
security of patient data and devices networked to the systems
they manage.
We appreciate the committee's interest in health
cybersecurity and the role that the Department of Health and
Human Services plays in helping to combat cybercriminals. We
completely agree that cybersecurity must be a priority for HHS,
just as it is for the Nation's healthcare CIOs.
While this hearing is largely focused on organizational and
reporting structures for the CIO and CISO at HHS, CHIME
believes that the subcommittee must also look closely at how
the Department coordinates cybersecurity across its divisions.
In the private sector, reporting structures vary based on how
organizations define the role of CISO. At Intermountain
Healthcare, where the CISO reports to me, the CIO, we have made
cybersecurity and privacy a major priority and focus.
As an example, I have instructed my team, as they
prioritize their efforts each day, I would rather have our data
center go completely dark, meaning a complete loss of all of
our information systems, than to have a major breach of our
data and systems. Losing our information systems would be
horrible and highly disruptive, but our patients, members,
employees, clinicians, and others have entrusted us with their
most personal data, and we need to do all we can to protect it.
Security is not an afterthought. Everyone across the
organization needs to make it a priority. Even then, no system
is perfectly secure.
As I mentioned, at Intermountain the CISO reports directly
to me, as CIO. In our organization, the CISO is focused on
developing and overseeing the implementation of the technical
strategy to achieve our security posture as well as managing
our security team. Working across information systems/
operations ensures that the technical components and processes
required for cybersecurity are in place and are managed. The
interpretation of regulations, rules, corporate policy,
procedure, and development of our strategy to achieve our
security posture, what we need to secure and how to set
priorities is the role of our Compliance and Privacy Office,
which reports to the board of directors.
While these responsibilities are organizationally separate,
our management structure helps us achieve a high level of
cooperation. My peer in Compliance and Privacy is aligned with
me; the Chief Privacy Officer is aligned with the CISO.
Together, we develop the plans and manage execution.
We have architected a cooperative model for cybersecurity
that ensures appropriate checks and balances, that facilitates
high levels of cooperation in achieving a more secure
environment. This works at Intermountain. The focus isn't on
the CIO's reporting structure. Rather, what is important is
that there is an appropriate focus and appropriate checks and
balances on both security plan development and execution.
A similar structure is employed at Penn State Hershey
Medical Center, where the CISO reports to the CIO. According to
the CIO, this partnership ensures tight integration and solid
support for the cybersecurity program across the entire team.
Where the CISO should report is highly dependent on how the
various roles accountable for cybersecurity are defined by the
organization. Consider some other examples from CHIME members.
At a large children's hospital, the CISO reports to the
Data Security Officer. They want to look at analytics. The CIO
for a multi-State provider reports to the Chief Technology
Officer, who, then, reports to the enterprise CIO. CHIME
members at several smaller organizations across the Nation
report that they have the dual role of CISO and CIO.
There is no question that the committee's interest in this
topic is timely and efforts in the healthcare sector to improve
the industry's cyberhygiene must be met with similar efforts
within HHS.
On behalf of CHIME and my colleague healthcare CIOs, I
sincerely thank the committee for allowing me to speak to the
evolving role of the healthcare CIO, particularly as it relates
to IT security. Thank you.
[The prepared statement of Mr. Probst follows:]
Mr. Pitts. The Chair thanks the gentleman and now
recognizes Mr. McMillan, 5 minutes for your summary.
STATEMENT OF MICHAEL H. (MAC) McMILLAN
Mr. McMillan. Thank you, sir. Chairman Pitts, Vice Chairman
Guthrie, Ranking Member Green, and members of the Health
Subcommittee, thank you for this opportunity to testify today
on this important initiative.
I am Mac McMillan, CEO of CynergisTek, a firm that
specializes in providing privacy and security services to the
healthcare industry since its inception in 2004. I am pleased
to be able to offer testimony in support of H.R. 5068, the HHS
Data Protection Act. I believe my experiences as former head of
security for the On-Site Inspection Agency and the Defense
Threat Reduction Agency, as well as my experiences from the
past 15 years providing security services to the healthcare
industry after leaving Government, have provided me with some
unique and valuable insights on this matter.
I have served in information security roles of one type or
another since 1982, when I first became an intelligence officer
in the United States Marine Corps and was given responsibility
for managing the battalion's classified information. In every
role I have had since, the protection of information systems
and data has been a core component of my responsibilities.
I sincerely support the elevation of the Chief Information
Security Officer role to a position equivalent to other senior
leaders within the Department of Health and Human Services and,
in particular, the Chief Information Officer. When these two
positions have equal authority, are both focused on a common
mission, and work collaboratively, the CIO and the CISO form a
complementary and effective team to ensure the protection of
information assets for an organization. When there is disparity
in these relationships, there is opportunity for conflicts of
interest to arise, stifled or abbreviated discussion of risk,
and an imbalance of priorities.
One of the questions I get asked most often by healthcare
leaders and boards today is, where should the CISO report?
Cybersecurity is far and away one of the most critical issues
for our industry today, but, in particular, for healthcare,
which has emerged as a popular target for cybercriminals,
hacktivists, and state actors engaged in cybertheft, extortion,
and high-stakes espionage.
Since 2009 when the HITECH Act was passed and healthcare
embarked on a wide-scale digitization of patient information,
there has been an associated and steady increase in the number
of cyber incidents in healthcare. The criminal community has
perfected its ability to monetize stolen information and has
created an elaborate dark-net marketplace for buying and
selling hacking services, techniques, knowledge, tools, and the
information itself.
Healthcare is particularly lucrative to attack because,
unlike other industries, it represents a rare opportunity to
steal all forms of personal information, medical, personal
information, financial information, all in a single attack.
At the same time, the healthcare computing environment
represents one of the most complex and difficult to secure
today. Multiple initiatives that seek to improve healthcare,
such as Health Information Exchanges, Accountable Care
Organizations, population health, telehealth, network medical
devices, cloud services, big data, et cetera, also introduce
greater challenges in securing information because they seek to
share it more broadly than ever before.
Add to this the sheer number of individuals accessing and
handling health information, and it is easy to see that a CISO,
let alone one in an organization as complex as HHS, has a full-
time job attempting to stay abreast of the many cyber
challenges that leadership needs to be aware of.
Security is best achieved as a top-down priority with
strong visible leadership, disciplined practices, and constant
reevaluation. What most healthcare organizations suffer from
today in this area is lack of leadership. This resolution seeks
to address the situation by creating a cybersecurity leadership
post within HHS by elevating the CISO.
Security programs are most successful when they are
articulated from the top as an organizational or core mission
priority, when there is visibility to the program, when risk is
openly communicated and debated, and when every member of the
organization intuitively understands that security is a part of
his or her role.
In the Department of Defense, where I had the honor to
serve for more than 20 years, security is second nature and
understood from the most junior service member or civil
servant to the generals and senior executives who lead our
military services and agencies. In each service and agency
there is a senior security official who is a full member of the
executive staff with responsibility for ensuring the protection
of organizational personnel, assets, information, and
operations. That individual, like his or her counterparts, has
a responsibility to the director or service chief of staff and
to the broader protection of our national security.
From my earliest assignment as a Marine Battalion S-2 and
Information Security Officer to my position as the Chief of
Security for both OSIA and DTRA, I understood and had
responsibility to ensure the protection of information assets,
to constantly assess the risk and advise leadership on the
right course of action to mitigate the threat. At both OSIA and
DTRA, we had formal accreditation standards for information
systems and sensitive information.
The CIO was primarily responsible for procuring,
developing, implementing, and managing information networks and
systems in support of the agency's mission. My responsibility
was to test, accredit, and monitor those information networks
and systems to ensure they adequately protected the sensitive
information they processed, stored, or transmitted. Both the
CIO and I were peers, and we worked collaboratively to meet the
agency's mission as well as the mandates from national
security. The Director communicated that information security
was a priority, and for every member of the agency, we had
well-defined policies, procedures, and processes that both
governed and guided our decisions and actions. When new systems
and services were contemplated or introduced, it was necessary
for security to accredit those before they could be made
operational.
This leveling of the playing field between the CIO and
myself resulted in a very collaborative environment, because
neither one of us wanted to see something held up unnecessarily
and both of us had a vested interest in deploying secure
systems. So, early on in projects, our teams collaborated. This
effectively streamlined review and testing times down the line
and identified issues early, so that they could be resolved
before they impacted accreditation.
When I had a concern, I could address it to senior staff
and the Director. Likewise, my counterpart, the CIO, could also
make his argument when he felt security was too restrictive or
impacting productivity. Leadership then had the ability to make
informed decisions based on the merits of both of our
arguments.
Mr. Pitts. Could you wrap it up?
Mr. McMillan. In conclusion, sir, I believe that this is a
very necessary act for HHS to take.
[The prepared statement of Mr. McMillan follows:]
Mr. Pitts. The Chair thanks the gentleman, and thanks to
each of the witnesses for your testimony.
I will begin the questioning and recognize myself for 5
minutes for that purpose.
We will start with you, Mr. McMillan. One of the concerns
we have heard with this proposal is that, because the roles of
CIOs and CISOs are well-established throughout the Federal
Government and many Federal Government mechanisms rely on those
roles being the same across departments, that any change at HHS
will disrupt HHS' ability to coordinate cybersecurity
activities with the rest of the Government.
How did you coordinate with other Federal departments and
agencies when you were Director of Security with the Defense
Threat Reduction Agency?
Mr. McMillan. Thank you, sir.
We actually had a very formal process for doing that. The
accreditation process for all of our systems within the
Department of Defense depended on everybody in the Department
following that accreditation process. So, all of the Directors
of Security across the defense agencies and across the military
services were essentially all marching to the same drum, if you
will, in terms of how we managed our environments and how we
accredited our systems.
We did that so that we could create a trusted environment
between all of us to facilitate the sharing of information. We
did that, also, with other departments and other agencies
throughout the Government in order to share information there,
because, as you know, the military services and DoD share
information with the intelligence community, with Justice, and
many other departments, as we work in interagency operations.
So, we had to have a structure. So, that structure actually
facilitated the ability for that communication to happen in a
very effective way, in a very smooth way.
Mr. Pitts. Did the fact that you were ultimately
responsible for cybersecurity and not your CIO counterpart
impact the ability for you or the CIO to participate in
intergovernmental forums and working groups focused on
cybersecurity?
Mr. McMillan. Not at all. In fact, if I may, I would say
that we actually shared that responsibility. I had
responsibility for implementing the information security
program or the computer security programs, but the CIO and I
together shared responsibility for implementing the
cybersecurity program or secure systems. And he had his
committees and working groups, and whatnot, that he worked in;
I had ones that I worked in. But, ultimately, we worked
together very collaboratively up and down the line.
Mr. Pitts. Do you have any suggestions for how HHS might
harmonize this reorganization with their participation
responsibilities in Federal initiatives, in forums, or programs
focused on cybersecurity, where the CIO is usually the agency's
representative?
Mr. McMillan. Unfortunately, I am not completely familiar
with how they are organized today within the Federal Government
in terms of how that all occurs. But I would say that the CISO
in this arena should interact with their counterparts across
the Government.
We had interagency committees on information security, on
computer security that all of the Directors of Security
participated in. And even for those agencies where there wasn't
a Senior Director of Security who had responsibility like some
of us did, those individuals still participated in those forums
at that time. I am assuming they still do. I would just suggest
that in this arena that what we are really talking about is
leveling the playing field within HHS itself in terms of how it
makes decisions.
Mr. Pitts. Mr. Corman, do you have any thoughts or
suggestions in this regard?
Mr. Corman. The relationship has to be incredibly strong
between the CISO and the CIO. It is just one of many
stakeholders that has to have a strong relationship. So, the
communication cannot be replaced. It is more a matter of when a
conflict arises--and I have outlined several in my written
testimony--they can now have an equal footing to resolve those.
So, it is not about eliminating communication or siloing
information. A CISO cannot succeed without successfully working
with its executive stakeholders, and the CIO being a key one.
So, I don't think this should be looked at as a siloing effort;
more of a balancing of raising visibility and tension decision
to a higher level.
Mr. Pitts. Ms. Burch, do you have any thoughts or
suggestions?
Ms. Burch. I would agree with what has been said by the
other panelists. I think this move of elevating the CISO, what
it really does is it allows two complementary skill sets to
come together. I think, as Mr. Probst mentioned, there is not
necessarily one right way to do this, but ensuring that those
direct channels to the executive leadership exist, to ensure
that that risk management approach is there, and is factored
into the decisions being made. I think we see them really as
collaborative and the need for collaboration.
Mr. Pitts. My time has expired. The Chair recognizes the
ranking member, Mr. Green, 5 minutes for questions.
Mr. Green. Thank you, Mr. Chairman.
From what I understand, the bill before us today relates to
another piece of legislation passed late last year, the
Cybersecurity Information Sharing Act of 2015. Since it
required the Secretary of the Department of Health and Human
Services to take certain steps to address cybersecurity, Mr.
Probst, can you describe for the committee some of the steps
that the Department is currently taking as a result of this?
Mr. Probst. Well, the fact that an individual is to be put
in charge to look at the issue of cybersecurity, that it can be
focused on someone to actually come up with a plan, CISA does a
pretty good job of facilitating that effort, as well as the
Task Force that supports some of the decisionmaking. So, I
think it is incredibly important, CISA, that it is getting a
good focus within Health and Human Services, as well as looking
across the various areas of HHS and making sure there is strong
coordination.
And let me just emphasize that, as we have been talking
about the role of the CISO and the CIO. You know, I think,
well, coordination is the key and cooperation. And architecting
how you are going to do security is probably the most important
aspect, I think, of cybersecurity, not necessarily where an
individual reports.
I think if the strategy is, by raising a particular
position, and that somehow is going to raise cybersecurity, I
don't think that is the case. I think the case is, if it
doesn't permeate the organization in all aspects--I mean, a
CISO, it really depends on the role. Like I said, at
Intermountain that is a technical role to work and implement a
plan. Most of that plan gets developed by compliance people, by
legal people, by internal audits, and it requires the
cooperation of all these pieces.
So, I am less about where that role resides, and I think
there are good arguments for the CISO to report other than the
CIO. But the fact that what the CISO does, it impacts
everything within our environment. It impacts our networks, our
servers, our physical security, everything within the purview
of the CIO. I think it is very difficult to make those too much
at a peer level because there is a lot of coordination that has
to happen at the technical level.
Mr. Green. How do you see the provisions in CISA working
with the legislation we are considering in today's hearing?
Mr. Probst. Well, again, it goes back down to the
coordination. Now it is not due until the end of the year. So,
HHS has a lot of time still to focus on it, and we will see
what comes out of that, the efforts of CISA.
But I would, again, go back to it is coordination and
cooperation across the areas and really getting a focused plan
for how cybersecurity is going to happen within HHS. Then, I
think I would make the decisions where the specific roles
report.
Mr. Green. OK. Ms. Burch, in your testimony you note that
``it is not simply the organizational change of the CISO which
would dramatically improve the security posture of the
organization. The right people, process, and technology must be
in place.'' Can you elaborate on what you meant by that point?
Ms. Burch. Sure. I think that point was meant to underscore
the need for collaboration. So, it is not simply, again,
changing the reporting structure and you automatically have a
culture that elevates cybersecurity. It is about whether all
the pieces are in place and whether decisions are being made
across the organization to support security as a priority.
Mr. Green. In the short time that we have had the current
law in effect, do you see that happening at HHS? And this is
for our other witnesses, too. The coordination, the right
people, process, and technology in place?
Ms. Burch. We believe that there is certainly room for
improvement.
Mr. Green. OK. Mr. Corman?
Mr. Corman. At our public meeting last month for the HHS
Task Force we had NIST come in and give a readout on the
voluntary surveys they are doing. Again, it is adoption of the
voluntary cybersecurity framework. And they did point out that,
while the adoption is comparable in certain aspects of the
cybersecurity framework, some of the things like asset and
inventory management were deficient, which is essentially a
linchpin. If you don't know what you have and you don't know
when it changes, it is difficult to do successful vulnerability
management and good hygiene to avoid some of these attacks.
And if you look at the broad swath of attacks, one of the
most common elements is they are attacking known
vulnerabilities that were avoidable and patchable with good
hygiene. So, across the Government and the private sector there
is certainly room for improvement. A hundred of the Fortune 100
have had a breach of intellectual property/trade secrets. No
one can be heralded as doing an excellent job, but I believe
giving increased focus and priority to this may encourage them
to meet and exceed best practices.
Mr. Green. OK. Mr. Probst or Mr. McMillan, do you all have
a comment on it, in my last second?
Mr. McMillan. I do not, sir.
Mr. Green. No? OK.
Thank you, Mr. Chairman.
Mr. Pitts. The Chair now recognizes the Vice Chairman of
the subcommittee, Mr. Guthrie, 5 minutes for questions.
Mr. Guthrie. Thank you, Mr. Chairman.
And thanks to the panel for being here.
My first question, actually, I would like all of you to
address a little bit, but start with Ms. Burch. In your
testimony you cited two statistics, and I think it is the heart
of why we are here today. It is from the
PricewaterhouseCoopers' study.
One, you said that organizations that have the same
reporting structure with the CIOs/CISO reporting structure as
HHS has have 14 percent more downtime due to cybersecurity
incidents and, also that they have 46 percent higher financial
losses in organizations with the same reporting structure.
Would you elaborate or tell us why you think that is?
And, Mr. Corman, I think you cited the same statistics. So,
I will let Ms. Burch and, then, Mr. Corman go second.
Ms. Burch. Mr. Corman may be able to better answer that
question.
Mr. Guthrie. OK.
Mr. Corman. This is one study; it is a popular study. There
is a lot of anecdotal evidence of things like this. One of the
reasons, for example, just to give you a concrete, is a CIO is
often responsible for and measured by uptime and availability
of services. And oftentimes, it is required and necessary for
security teams to interrupt uptime to do security assessments
or to do healthy security patching to maintain hygiene and
reduce risks and exposure. So, that natural tension usually
leads to the CIO winning. And if you put off the hygiene and
the remediation to close exposures for a long enough time
period, it can exacerbate the magnitude and the duration of a
breach or an outage.
Mr. Guthrie. OK. So, Mr. Probst and Mr. McMillan, would you
like to address that? Why do you think this structure leads to
higher downtime and higher financial losses?
Mr. Probst. Again, I think it really comes down to how you
define the roles of the CIO and the CISO and what their
priorities are. As I mentioned in my testimony--and this is
serious--when I talk to my team, I would rather lose all of our
systems than have a serious breach. Now I don't know if that is
common across every CIO in the industry and it may be unique to
just Intermountain Healthcare and the focus our board and our
leadership has put on it. But, because of that, I wouldn't have
the tension that Mr. Corman mentioned about. We would do the
things we need to do to do the best job we can to secure our
systems.
Again, the role of CIO in healthcare varies dramatically.
If you are a small, 20-bed hospital in the middle of Indiana,
you are the CIO, you are the CISO, and you are the guy that
changes the ink in the printers because that is what you have
to do because of the nature of our business.
So, I think because the roles are so different based on the
organizations, and even the emphasis they have placed on
security, it is going to be different. I think it goes back to
what Ms. Burch said. She talked about how you have to architect
this, how it is a holistic approach, and if you have a plan,
then you can put the pieces in place to make that plan work.
So, thank you.
Mr. Guthrie. Mr. McMillan?
Mr. McMillan. I would like to answer that question with
three things: one, some anecdotal information, and the second
one, some of my own personal experience, and, then, why I think
it is important.
The first one on the anecdotal side is my company works for
hundreds of hospitals across the Nation. And I can tell you
that not every hospital shares Mr. Probst's philosophy on how
to manage security. Marc has been one of the most outspoken
proponents of security that I have worked with over the last 15
years in the healthcare industry, and his organization is
probably one of the best out there, bar none.
But, unfortunately, that is not the norm. If you look at
the breaches that we have had in recent time and you look at my
testimony, I think I put one telling tale in there that goes to
what was commented on earlier. That is, over 90 percent of the
breaches that occurred last year occurred with a vulnerability
that was more than a year old, and more than 50 percent of
those occurred with a vulnerability that was 5 or 6 years old,
meaning there was a fix; there was a patch that somebody could
have applied. There was a configuration that somebody could
have made. There was a port that somebody could have closed.
There was a policy that somebody could have pushed out. And
those things weren't done. Unfortunately, that gave the bad
guys an opportunity to get a foothold and, then, do harm in our
environments.
So, I have seen organizations where they have put off what
I call the blocking and tackling or the housecleaning, the
hygiene, because they are too operationally focused on the
number of projects they have. Some of our hospitals have
literally hundreds of projects on their project board that
their IT teams are trying to get done. And then, somebody says,
``Oh, by the way, you also have to do this patching and fixing
and hardening,'' and all these other things that take care of
systems day-in and day-out.
Unfortunately, what happens is the pressure is on them so
intensely to roll systems out, to roll services out, to roll
productivity out, that, unfortunately, it does create conflicts
and they do make choices. Sometimes those choices are not the
best ones from a security perspective.
Mr. Guthrie. Thank you. I am about out of time. Actually, I
have run out of time. So, I yield back.
Thank you for the answer. I appreciate it.
Mr. Pitts. The Chair thanks the gentleman.
I now recognize the gentlelady from California, Ms. Matsui,
5 minutes for questions.
Ms. Matsui. Thank you, Mr. Chairman.
Mr. Corman, I understand you are serving on the HHS
Cybersecurity Task Force which was created by Congress in the
Cybersecurity Information Sharing Act at the end of last year.
Can you elaborate on the work that the Task Force is doing and
what types of industry best practices you are reviewing?
Mr. Corman. So, we are very early in the stages. We have
had three meetings to date of the 12 that were prescribed. What
we have been doing is inviting exemplars from adjacent agencies
which may have instructive lessons for us. For example, we
brought in the financial services ISAC and the Financial
Services Sector Coordinating Council to explain, as they are
the tip of the spear for innovating new ideas and more
effective ideas that threaten information-sharing, risk
reduction.
One thing the FS-ISAC introduced that is very attractive,
for example, is the idea of requiring a software bill of
materials from their third-party IT providers through their
contract language. What this allows them to do is understand
the known vulnerabilities they are inheriting at procurement
time to make more informed free market choices. And No. 2, it
allows them to do an impact analysis of am I affected and where
am I affected when there is a new attack like this ransomware
with JBoss, for example.
So, we are trying to bring them in. We have brought in the
energy sector as well. While they are not as mature as the
financial services sector, they do share similar consequences
of failure to the medical field, where it could be measured in
life and limb, where bits and bytes meet flesh and blood.
And on the docket, we have more testimonies coming in from
adjacent sectors. So, we are trying to grab the best from each,
recognizing fully that medical and healthcare do have some
unique challenges that won't be represented by others.
Ms. Matsui. OK. Now you also in your testimony outlined six
factors that contribute to the success of a cybersecurity
program, including the reporting structure, which our bill
would address. You also cite several metrics that demonstrate
the improvements that organizations see when the CISO does not
report to the CIO. Would you expect those factors and
improvements to hold true across both the public and the
private sector?
Mr. Corman. Many of them do. This is a nascent field, and I
encourage the parallel experimentation. So, for example, none
of us expected it was a good idea for a CISO to report to a
general counsel. It didn't make sense. It turns out it is one
of the best reporting structures for protecting intellectual
property and trade secrets and anything material to the
business.
So, it is through that experimentation and comparatives
that people make these decisions. I have seen excellent
relationships where the CISO does report to a CIO, much like
Mr. Probst has indicated. It is just not universally the case.
In general, depending on the most acute needs of the
organization, you may orient differently.
Ms. Matsui. Right. OK.
Ms. Burch, in your testimony you quoted a study that found
that reporting to the CEO or the board of directors rather than
the CIO significantly reduces downtime and financial losses
resulting from cybersecurity incidents. Can you talk a little
bit about how that idea of reworking organizational structure
would translate to an agency like HHS?
Ms. Burch. Absolutely. I think, again, it gets to the
prioritization of security concerns. Where does security exist
in the culture of the organization? Is it a top-down or is it
sort of bottom-up with a lot of roadblocks in between?
So, I think it is very likely, and I think the hope would
be, that that would translate. But, again, I think we need to
see how a different reporting structure would play out.
Obviously, Mr. McMillan has some experience with that to be
able to say, you know, were there equal experiences and can
they translate? We think that they can, and we think that,
whether the reporting structure is to the general counsel or
to, in this bill, the Assistant Secretary for Administration,
that an alternate reporting structure that elevates security in
the case of HHS would be positive.
Ms. Matsui. Right, and I know that we are focusing on HHS
here, trying to develop a model here, and knowing that each of
the departments/agencies are not similar. However, having said
that, I think that there is a lot of focus on this because I
think we all believe, based on what has been happening, that
health data is especially sensitive or vulnerable to attack.
And if you think about HHS today, how would you suggest HHS
build on the current efforts to take the lead on protecting our
health data?
Ms. Burch. From the HIMSS perspective, we think that the
Cybersecurity Act of 2015 started us down that path. I think it
forced HHS to elevate its role in working with the private
sector. I think more and more it is not just internal to HHS,
but it is how the information is flowing through the
Department. It is coming in many forms. It is coming from many
different places. As it comes and goes, there needs to be
strong collaboration with the private sector as well. So, I
think it is not possible to talk about this issue just in a
silo.
Ms. Matsui. Right.
Yes? Quickly.
Mr. Corman. I think that what is often lost is that it is
not simply patient information. There are billions of dollars
of intellectual property from the private sector contained
within the remit of this agency. That is a very attractive
target to nation-states or adversaries.
Ms. Matsui. Right, and I see the small discussion we are
having here is a very complicated thing moving forward. So,
this is really the first step. So, thank you.
And I yield back.
Mr. Pitts. The Chair thanks the gentlelady, and now
recognizes the gentleman from Illinois, Mr. Shimkus, 5 minutes
for questions.
Mr. Shimkus. Thank you, Mr. Chairman.
My colleague Jan Schakowsky is over there. Tomorrow is her
birthday. And even though she did not vote for my bill, I want
to wish her a happy birthday.
[Laughter.]
One of the few in the whole country, but I didn't want to
call you out.
[Laughter.]
Mr. Green. Mr. Chairman, you only had 12 votes against you,
is that correct?
Mr. Shimkus. I wasn't really counting.
[Laughter.]
So, welcome.
And, Mr. McMillan, Brett Guthrie is also an Army guy; I am
an Army guy. So, Marine intelligence is kind of an oxymoron,
isn't it?
[Laughter.]
So, we are going to take your testimony with a grain of
salt here.
[Laughter.]
No, it is great. This is great because this is really about
organizational structure. As a military guy, someone has to be
in charge. I mean, that is really the basic debate.
And you can have good people come in, in Mr. Probst's
testimony, but when I was watching you all in the testimony
shaking your head or nodding yes, it is my view, watching the
body language, that Mr. Probst's story is more unique than the
norm. Is that true to the rest of the table?
Mr. Corman, go ahead.
Mr. Corman. As I said earlier, I have seen excellent
relationships when the CISO does report to the CIO. It is the
historical orientation. And when you have two excellent
individuals who have excellent collaboration and they unify
their goals and measurements, you can have success, but that is
often in spite of the reporting structure, not because of it.
And that is why I can acknowledge the truth of his experience
and know that it may not be as universally repeatable.
Mr. Shimkus. OK. In common language, you are saying that is
unique, not the norm, from your observation? Go ahead, you can
say it. It is all right.
Mr. Corman. Yes. Yes, it can succeed; it can often fail----
Mr. Shimkus. OK.
Mr. Corman [continuing]. More often fail.
Mr. Shimkus. Ms. Burch?
Ms. Burch. I would agree. I think in what we have seen
across the sector, it can certainly work, but, again, it is
about the culture of the organization.
Mr. Shimkus. Right, right.
And, Mr. McMillan, obviously.
Mr. McMillan. So, first of all, I would like to say that
there are some excellent CIOs out there who do care very much
about security and they do an excellent job in supporting their
CISO and supporting the program and their organizations.
The problem I have with leaving it up to personalities is
that I don't trust personalities. I want structure, so that
there are reporting responsibilities, so that there is, as you
say, a responsible individual, regardless of what the
personalities are involved, that says in the morning, ``It is
my responsibility to secure this organization and this
organization's assets, and it is my responsibility to raise the
alarm when I see something that is risky,'' regardless of
whether it is popular, regardless of whether it is going to get
in the way of progress at the moment, regardless of what the
issues are.
Any good CISO, any good Director of Security understands
that they don't drive the train; they are there to support. And
they understand that they have a responsibility to raise the
alarm with respect to risk and to identify what those risks are
and to understand what they are in a balanced way with respect
to what the organization is trying to accomplish. But you don't
shy away from doing it. My concern is that, when you leave it
to personalities, that may not happen.
Mr. Shimkus. And that is your experience, I mean when you
did the DoD stuff?
Mr. McMillan. It has been my experience working with
organizations in healthcare. It has been my experience in the
Government as a Director of Security.
Mr. Shimkus. And I think we are talking on the same issue,
and I am going to stop real quick. But just my point of
contention will be the same. You have to have someone in
charge, and people are going to be moving in and out,
especially at the Federal agency in this line of work. And one
good working relationship, one movement could just change that.
Anybody else want to add anything? Go ahead, Mr. Probst. We
were picking on you.
Mr. Probst. Well, yes, thanks for picking on me. It is good
to be unique, I think.
I would say, on a bed basis across the country, if you
talked to the CIOs that manage the largest numbers of beds
across the country, you are going to see their structure very
similar to the structure that Intermountain Healthcare has,
where the CISO is reporting up to the CIO. Now that can be
changing, and I am sure of that, but, again, you are talking
about more sophisticated organizations. And it has worked
incredibly well.
And I go back to what you said, sir, which is, who is
accountable? And we make really important decisions. I have
told you what I feel about the security of the data and the
systems, but our systems also save lives on a daily basis. We
have to make decisions that are critical. We may have someone
sitting on a table where now the technology is providing----
Mr. Shimkus. Yes, my time is almost done, and I appreciate
that. The hostage-taking that has occurred on major hospital
systems and when people have to go to paperwork transactions,
it just really risks people's lives, and we have got to get on
top of this. I think that is the same thing with Federal
agencies.
I thank you for your testimony.
I yield back, Chairman.
Mr. Pitts. And the gentleman yields back.
At this time, we will go to the president of the John
Shimkus Fan Club and the birthday girl, Ms. Schakowsky.
[Laughter.]
Ms. Schakowsky. I thank you for pointing out my aging.
[Laughter.]
No, thank you very much.
I wanted to ask Marc Probst a question, but I wanted to
start first by just thanking all of you for joining us today on
this very, very important issue.
I mean, how common data breaches are is just incredible.
There have been more than 112 million healthcare records that
were breached last year. It sounds like just about everyone. I
understand that these records are rich with personal
information, which usually includes a patient's Social Security
number, which is used as an identifier with a bevy of other
personal information, as the patient moves through the
treatment continuum. Access to such information, then, enables
all those bad actors out there to execute identity theft and
fraud, which we have had hearings on that, too, as a growing
problem.
So, Mr. Probst, I know you talked about it, but if you
could just summarize, what can we do to make electronic
healthcare records less of a target for hackers?
Mr. Probst. Well, I don't know about making them less of a
target. I mean, one thing we could do is look at how the data
is being used within those records and try to stop any abuse
that might be coming.
Now, if they are going out and getting a new credit card,
that is going to be hard because we are going to have that kind
of information. There is just no way we are not going to have
it.
But I think one thing we could do and should do, and I
think we are beginning to focus on, is getting to a better
identification system, so that we can have a national patient
ID that actually is consistent across the industry. That really
helps us to not have to carry a lot of data that we otherwise
have to have to identify a patient in any kind of situation,
whether it is in a hospital or a clinic or elsewhere. So, I do
think there are things we can do like those types of standards
that will help us to protect the data.
Ms. Schakowsky. Would this be instead of--give us an
opportunity to remove, for example, Social Security numbers and
substitute something else? Is that what you are saying?
Mr. Probst. I am saying that, yes, if we didn't want to
have the Social Security number out there--we use that as an
identification tool, as we use address, as we use age, as we
use all these different data items. If we could come with a
very unique way of identifying the patient, there are certain
pieces of data that we wouldn't need that, clearly, the bad
guys are looking for.
Ms. Schakowsky. And what do you think that Congress can do
to aid healthcare organizations, especially small and rural
providers, for them to be able to better protect their patient
data?
Mr. Probst. Well, again, going back to some standards on
how we are going to--even things like HIE, and Mac brought that
up earlier, Health Information Exchange, we don't have good
standards right now to do that. And so, you have all different
kinds of technology out there trying to do things within
healthcare to make it better.
If we could get better standards on how we interchange
data, on how we store data, what the data looks like, like I
said, identifiers, that is going to help everyone because, if
we can figure it out in a large organization, we can then share
those capabilities with smaller organizations. But, right now,
they are kind of on their own.
Ms. Schakowsky. Let me just ask everyone, is there any hope
that we could establish a zero-tolerance standard, given it
seems like we make a change and, then, the hackers improve on
it?
Yes, Mr. McMillan?
Mr. McMillan. Yes, ma'am. That would be, in my opinion, a
very unwise thing for anybody to try to do in the security
realm. Security is such a dynamic phenomenon in that everything
about security as it relates to systems is changing as we sit,
as we sit here talking. I mean, the environment changes; the
threat changes; the systems change; operations change; the
network changes. The number of changes that an organization has
to manage that can affect the security or the risk of a system
is incredible, and it is constantly changing. There are things
that we don't know yet.
For instance, right now, this whole focus on ransomware, in
my opinion, is focused on the wrong thing. Ransomware is not
what we should be focusing on. That is just one form of malware
that is affecting systems. There are hundreds of forms of
malware that affect systems.
What we ought to be focusing on is the impact of that
particular malware or malware in general, which means we should
be focusing on things that take systems down and make them
unavailable to health systems to serve patients. If we want to
make a change, increase the penalties that people stand to face
if you do something that interferes or disrupts a hospital's
ability to deliver care, regardless of the way you do it,
whether you drive a truck through the door into the data center
or whether you send some sophisticated ransomware in there. At
the end of the day what is important is that the data is not
available to take care of the patient, not how it happened.
Ms. Schakowsky. Thank you. Thank you very much. I yield
back.
Mr. Pitts. The gentlelady yields back.
At this time, we recognize the gentleman from New Jersey
for 5 minutes, Mr. Lance.
Mr. Lance. Thank you, Mr. Chairman.
Good morning to the panel.
Mr. Corman, in your testimony you spoke briefly about some
of the reasons that the current CIO/CISO reporting structure at
HHS might create conflicts of interest. Could you provide us
with some examples from your professional experience in this
regard?
Mr. Corman. I did put a few in the written testimony. But,
verbally, often there is a project to roll out a new service,
and the time to do so involves software development,
procurement, a number of things. In that long relay race, one
of the stages needs to be security. That is usually the one cut
to make sure that you deliver on time and on budget. So, you
can often have a CIO deploy the service before it is seaworthy,
before it has been properly assessed, before the
vulnerabilities have been enumerated. So, that is one of the
areas where it is a conflict of interest to try to tack it onto
the end and usually run out of time and budget.
Another one is a zero-sum budget where you can either buy a
new server or a new security appliance. If the CIO is more
measured on supporting business intent as opposed to being
compliant or reducing risk, they tend to buy the things that
are more familiar to their schooling, their experience, et
cetera. And these don't always have to occur, but there will be
natural tensions like that.
Mr. Lance. And how do you think we should address this
issue, working with experts like yourself?
Mr. Corman. Well, it is a tough problem. That is why we
have the Task Force. And we are quite overwhelmed by it,
especially because the environments are target-rich but
resource-poor.
Mr. Lance. That is an interesting way to sum it up, target-
rich but resource-poor. I think that is critical to an
understanding of this.
Mr. Corman. Yes. I think one of the things that we did not
say yet, but is worth noting, is when a security person is
inheriting IT choices made without them, there is only so much
they can do to secure them. If you flip the relationship and
they are more peers, a security person can help make the more
defensible and securable IT choices. So, there are certain
things you could buy in your life that are harder to maintain,
for example. One of the benefits of having these relationships
be peers is they both have criteria for which cloud service to
choose, which servers, which laptops. And if it has more
informed criteria out front, the total cost of ownership later
from a security perspective goes way down.
Mr. Lance. Is there anyone else on the panel who would like
to comment? Perhaps Mr. McMillan?
Mr. McMillan. Yes, sir, and I think I alluded to this in my
testimony. When there is a balance between those two roles and
the security person owns the process for evaluating the
technology before it is deployed or as it is being deployed or
as it is being developed, what you end up with is the shortcuts
that were just alluded to don't happen because, when I see that
shortcut not happening, I say, wait a minute, we have to do the
testing; it is time for testing, or it is time for doing
whatever.
When the IT organization owns the process from soup to nuts
and security only comes in at the end, there is opportunity for
things to get missed as it relates to staying on track or on
schedule. Now, again, that doesn't mean that everybody is
skipping steps or everybody is not doing things, but there have
been instances where we have deployed systems or organizations
have deployed systems, clearly, that everything wasn't taken
into consideration that should have been. And primarily, it was
because security wasn't addressed at the beginning of the
project; it wasn't until the end.
As the gentleman on the end said, once you select a product
and you implement that product and deploy it, if things have
been missed that are critical, it is very difficult to bring
that back in.
Mr. Lance. Ms. Burch or Mr. Probst?
Mr. Probst. Well, I hate to keep coming back to roles. But,
listen, if the CIO is cutting corners around security in
healthcare, you have the wrong CIO. And I believe that is
starting to be seen more and more within organizations in
healthcare. It is relatively new. Six years ago, information
security in Intermountain Healthcare was two people, and they
mostly worried about passwords. It is now 50. So, it is
different.
Mr. Lance. And this, of course, is the wave of the future,
and we all have to be concerned, so that security is protected.
Mr. Chairman, I yield back half a minute. Thank you.
Mr. Long [presiding]. The gentleman yields back.
At this time, we will recognize the gentleman from New
York, Mr. Engel, for 5 minutes.
Mr. Engel. Thank you, Mr. Chairman. Thank you for convening
today's hearing.
Mr. McMillan, you mentioned in your testimony that
healthcare has been characterized as being a soft target for
cybercriminals, an idea that I think we can all agree is quite
unsettling. Has healthcare always fallen into this category
and, if not, how did it come to be a soft target?
Mr. McMillan. So, I think, sir, that healthcare has always
been in this category, and I think it is just of late, as the
threat has focused more and more on healthcare, that it has
become so apparent. I mean, if you look at the evolution of the
incidents that we have had in healthcare, they closely track
the evolution of how we have evolved in healthcare as well with
respect to our systems and our data.
I mean, you can actually go back to before 2009, before
meaningful use and before electronic health records and before
we started digitizing most of our patient information, and you
can see a marked difference between the kinds of issues that we
had or incidents that we had back then and the types of
incidents that we have had from 2009 on. Those incidents have
done nothing but increase as time has gone by and as
cybercriminals have figured out that, one, they can monetize
this information and they can make a business out of it. That
is really what it is.
I mean, I saw a study just this past week that said we are
looking at $6 billion in revenue in cybercrime this year. That
is not crime anymore; that is an industry. And that is the way
we need to look at it.
You can go out there today and it is very simple for just
about anybody to get involved in this industry. You go out
there to the dark-net and buy services, buy techniques, buy
tools, buy exploits, buy information, and it is all readily
available. And that is why it is growing so exponentially.
And healthcare, up until just recently, had not really
been focused on security. As Marc said, a few years ago he had
two folks in that department; today he has 50. An organization
his size, I would never have imagined that they only had two
people.
But I can tell you, when I left the Government in 2000 and
came out into the private sector and started working with
healthcare, I was absolutely appalled at the state of security
at most of the hospitals that I went into at that time.
Mr. Engel. Yes, Mr. Corman, you wanted to comment on it?
Mr. Corman. Yes. I sometimes think it is in terms of just
normal police work. It is motive, means, and opportunity. And I
think it is undeniable that, as we connect more medical
technology and meaningful use--I posed a question to the Task
Force. I said, ``Is meaningful use our original sin? Did we
basically throw gasoline on the fire by essentially encouraging
that we connect everything to everything else before we had
done proper design and threat modeling, and whatnot?''
Of course, there are benefits to that and, of course, we
are about to do the same thing again with precision medicine
and machine learning and big data. We have to understand the
tradeoffs between those.
So, I would say I just saw a chart yesterday from IBM, Pete
Aller, showing that the top five data records stolen in the
prior year didn't have healthcare on them, and last year, the
most recent data had it No. 1.
So, I think one of the reasons you have seen more records
isn't that they weren't vulnerable before. It is that, as we
have more opportunity and more connectivity and we now have the
motive to go with it, this is going to accelerate, I believe.
Mr. Engel. Thank you.
Mr. Probst?
Mr. Probst. Yes, I think one other issue to think about is
in healthcare our systems weren't built to be protected. We
weren't the NSA figuring out how are we going to build a system
that no one else can externally get into. We built systems so
that people could have immediate access across lots of
different platforms and places, so they could save someone's
life in the time that it was needed. And that is how our
systems were built. And now, we are going back and saying we
have to architect these a little bit different; we have to
change them because we have a lot of important data to protect.
I think we are soft for a number of reasons, but that would be
one of them.
Mr. Engel. Thank you.
Ms. Burch, let me ask you a question. You noted that a
significant security incident might not only endanger patient
privacy, but could also disrupt patient care. Can you provide
any examples in which a disruption like this took place? And I
ask this because I would like to understand how severe this
kind of disruption might be. Have treatment plans, for
instance, been interrupted? What kinds of effects have these
disruptions had on patient outcomes?
Ms. Burch. In our experience in talking to our members,
certainly, when you don't have access to information and you
have a patient you need to treat, more and more as we are
automated and that information is included in the electronic
health record, you can't just pull a paper chart and, all of a
sudden, you have got all the information there. So, I think the
concern is whether it is an attack that prevents access to
information, or whatever it might be, that there are real
potential negative patient outcomes here.
And that goes with the privacy side, that you have both
internal and external risks that you are facing. Certainly,
many privacy issues stem from security issues. So, was there an
inappropriate disclosure by a staff member because access was
granted when it shouldn't be, or something like that?
So, I think it is possible that Mr. Probst might be able to
provide experience that he has had personally. But I think,
generally, that is what we have heard from our members in terms
of, yes, I mean, they think about this in terms of potentially
lives lost. It is that serious.
Mr. Engel. Well, thank you. Thank you all very much. I very
much appreciate your testimony.
Thank you, Mr. Chairman.
Mr. Long. The gentleman yields back.
And at this time, I will recognize the gentleman from
Virginia, Mr. Griffith, for 5 minutes.
Mr. Griffith. Thank you very much. I want to make a couple
of comments before I ask a couple of questions.
First, this is one of those hearings that we won't see
extensive coverage on CNN or the nightly news, but we
appreciate your being here. One of the reasons that you won't
see it is that it is a bipartisan bill trying to solve problems
for Americans where nobody is shouting at anybody or making any
accusations against the folks who are here, and both sides of
the aisle are generally in agreement.
Mr. Long, you and Ms. Matsui have come up with a good idea,
and I commend you for that.
Mr. Probst, I like the way you look at this. This bill, of
course, deals with HHS that we are talking about today, but
there has been a lot of discussion about what hospitals should
be doing. One of my early concerns before you made your
comments was, OK, wait a minute, one-size-fits-all from
Washington doesn't usually work. You made that point very well
in a larger system like your own, talking about separating the
CIO and the CISO. You all have made a great case for that
today. But, in the 20-bed hospital where the CIO is also
changing, I think you said the photocopier toner or something
along those lines, it doesn't necessarily make sense, although
we have to be vigilant.
Also, in your testimony, Mr. Probst, I noticed that you
touched on device manufacturers related to HIPAA. Because there
will be some folks, probably insomniacs, who will watch this,
could you explain that dilemma? I am very concerned about HIPAA
issues, and I thought it was a very salient point that you
made.
Mr. Probst. Well, HIPAA gives us good guidelines on the
privacy and security that we should apply to all of our
information. Specific issues around medical devices, they don't
have the same level of sophistication around cybersecurity, at
least historically they haven't. And we have a lot of old
medical devices. I think they are getting much more aware of it
today.
But today we have thousands of medical devices. They are
all connected to our networks. They are essentially computers.
They have personal health information on them, most of them,
and they become a pretty interesting entry point for the bad
actors to get into our networks. It doesn't take much of a
crack in the hull for the water to start pouring in. So, that
would be my major concern with medical devices, is just how we
have been able to treat them.
Because they are regulated by the FDA, most of them, I
assume all of them--I don't know--but because they are
regulated, many of their operating systems are decades old. So,
we don't have all the patches that Mr. McMillan talked about
that we can apply to it to get the security at a level that we
want. So, medical devices I think are something we are paying
attention to as an industry, but we are going to have to pay a
lot more attention to.
Mr. Griffith. And when you talk about they are regulated by
the FDA and, therefore, some of them have operating systems
that are decades old, that is because if there is any change,
it has to go back through the process----
Mr. Probst. Exactly right.
Mr. Griffith [continuing]. To be reapproved by the FDA? So,
what you are suggesting is that, maybe in the same bipartisan
spirit that this bill was put together, some of us might want
to be looking at a way that we could change at least for the
security side, say that if you do a patch on security issues,
it does not have to go through that FDA process? I know you
haven't had time to think about it, and maybe you want to
answer that question later.
Mr. Probst. Yes, maybe----
Mr. Griffith. That is a reasonable conclusion, is it not?
Maybe put it that way. Would that be a reasonable conclusion
for someone like myself to make?
Mr. Probst. I think that is a reasonable conclusion, that
it should be looked at. I don't know the exact answer----
Mr. Griffith. Sure.
Mr. Probst [continuing]. For the FDA, but it definitely
needs to be looked at.
Mr. Griffith. And I appreciate that, and that is why I love
coming to these hearings and listening, because there are often
things that you learn that you never thought you would. And
that sounds like a good suggestion.
I do appreciate it very much, all of you being here. You
have really opened a lot of our eyes and convinced me this is
(a) a good bill and that, in fairness, every healthcare
provider in the Nation ought to be reexamining what they are
doing and see what fits for them to try to give us some more
security in these areas.
With that, Mr. Chairman, I yield back.
Mr. Long. The gentleman yields back.
And I believe Mr. Corman wanted to add something.
Mr. Corman. On that point, the I Am The Cavalry group,
founded by volunteers, we are specifically focused on
cybersafety for connected medical devices. And many of them are
very hackable. There was a recent DHS ICS-CERT announcement on
a single device that had over 1400 known vulnerabilities in it.
But, to clarify, we have been working with the FDA, the
Food and Drug Administration, on their guidance for connected
cybersafety in medical devices. Their pre-market guidance has
clarified that you can, in fact, patch without going through
recertification. There has been poor education awareness that
that has been clarified, and some vendors claim that it can't
patch, even though it has been clarified repeatedly that they
can.
And, No. 2, this January the post-market guidance for
ongoing care, feeding, and hygiene for those devices has also
been published, and the 90-day comment period is closed.
So, the FDA is taking actions to modernize the very things
you are concerned about. I think there is a long way to go, but
they are on the right journey.
Mr. Griffith. Thank you.
I yield back again.
Mr. Long. Thank you.
And at this time, I will recognize myself for 5 minutes.
Ms. Burch, in your testimony you talked about the evolving
role of the Chief Information Security Officer and how
information security has evolved into a risk management
activity. I think most of us hear this job title and think
about firewalls, antivirus, not risk management. Can you
elaborate a little bit on what you mean by that?
Ms. Burch. Sure. So, we think it is important in this role
to be looking at the business risk that is faced by the
organization. So, we don't like to think of healthcare as
businesses, hospitals as businesses, but, you know, in
functioning in that way, they have to keep their doors open and
they have to treat patients, and they have certain business
missions that they are trying to work through.
So, for us, we think that it is really important to look at
the range of risk and the way that the CISO looks at the range
of risk in terms of working with the various other executives,
whether it be the general counsel on legal and compliance
risks, or whatever it happens to be. So, it is looking sort of
across the entire organization at why are we securing our
information and assets. What are we trying to prevent from
happening? First of all, being harm to patients, but there are
certainly other risks involved.
Mr. Long. OK. Thank you.
And you go on to state that, because the Chief Information
Security Officer is now a risk management position, that it
should be moved out of its traditional subordination to IT. Can
you connect the dots for us? Does the fact information security
is currently subordinated to IT mean that the risks aren't
always appropriately communicated to officials higher in the
organization?
Ms. Burch. That is what we have heard from our members in
certain situations. Again, every situation is unique and, as we
said from the beginning, it gets back to the organizational
culture. But we have certainly heard of instances where
operations has been prioritized over security.
One example that we have heard is you have a device, let's
say a bedside monitor that works really well in its base
function. You know, the medical staff is happy with it.
However, said device happens, also, to be operating on Windows
XP, which is obviously no longer supported. Therefore, it is
very vulnerable to attack that could result in substantial harm
to a patient.
So, I think that is sort of an example why we need to level
the playing field at least in terms of elevating security
within organizations.
Mr. Long. Mr. Corman, you had something?
Mr. Corman. Yes. One change in IT in business models, even
in the Federal Government, is the increased use of third
parties and supply chain partners and third-party services. And
the CIOs, traditionally, while they can inform and create
criteria for the selection of those third-party services, they
have less operational visibility and control over them. So, it
has been increasingly important for the CISO to provide upfront
guidance and ongoing audit against those third-party risks as
we become more dependent on third-party technology.
Mr. Long. I have a sign in my office that says, ``Bring
back common sense.'' And it is the most commented sign or
anything in my office. People always say, ``That is exactly
what we need to do.''
And I know that Mr. Probst, as the CIO of his organization,
is very much in tune with the CISO and gives that person
everything they need. But, for any of the panel, in my last
minute here does anyone care to comment? Doesn't it make common
sense that, if someone is charged with being a Chief
Information Security Officer and they want to implement new
systems, and then, the person above them has bigger fish to fry
and doesn't care about that right now, doesn't that lead to the
types of things we saw at HHS, Mr. McMillan?
Mr. McMillan. Yes, sir, it certainly can. But I will have
to go back to something that Marc said because I do absolutely
agree with him that it is not just about the position; it is
also about the processes and the structure within the
organization as a whole, and how the leadership of the
organization views security as well.
The reason Marc is able to do a lot of the things he does
and the support that he gives his CISO is because he also has
the support of the rest of the executive team for his model.
There are situations where that isn't necessarily the case.
Again, it gets back to what I said earlier, and this gets
back to your comment about common sense. Anytime we leave it up
to people, people will disappoint us, and that is one thing
that we have learned in security. They will make bad decisions.
They will make good decisions for the wrong reasons. I mean,
there are all kinds of things that can happen.
What I have come to understand over the years in doing this
is that, when there is a separation of duties and there is a
clear delineation of responsibilities, and both parties are
doing what they are supposed to be doing and communicating
openly, and the leadership has the ability to hear both those
arguments, they make much better decisions.
Mr. Long. Mr. Probst?
Mr. Probst. Yes, I mean, if the CIO at HHS' job is to be
the tech guy, to go install systems and monitor networks, and
those types of things, and it isn't around highest security,
then, by all means, the CISO should report somewhere else. If
the CIO's job is to protect the data and to do all those other
things that I mentioned, then, potentially, maybe the CISO
should report to the CIO. But it goes to what Mac just said:
what are the accountabilities? What are the responsibilities
you are putting on those roles? And then, see that they do it.
But this is a major issue, you know, security.
Mr. Long. But the person charged within it should be able
to make the final decision, should they not if----
Mr. Probst. They should.
Mr. Long [continuing]. They implement a security system?
Mr. Probst. They should.
Mr. Long. OK. Thank you all for your time.
And at this time, I am going to yield to the gentleman from
New York, Mr. Collins, for 5 minutes.
Mr. Collins. Thank you, Mr. Long.
I want to follow on that with Mr. Probst and Mr. McMillan
because I absolutely agree with the comments you just made. I
spent my life as a CEO in the private sector; in fact, was CEO
of the largest upstate county in New York.
And at some point, a person has to call the shot because
you are always going to have the potential--you are not going
to have perfection. We are saying there will always be some
differences between operational efficiencies and security,
always. I can make it 100 percent secure and we do nothing or I
can open it wide up and be as efficient as you could imagine
and have a lot of backdoors.
So, a person, an individual, a human being has to make a
judgment call, correct?
Mr. Probst. Yes.
Mr. Collins. All right. So, what you have to have in an
organization is a good, smart person with common sense to make
that judgment call, understanding the potential consequences,
which may be different with a medical health record than
something else. I mean, they have got to make a judgment call.
In hindsight, if something goes wrong, they are always going to
be attacked on that judgment call.
So, I guess I am somewhat ambivalent on this, only in
thinking, when there is a disagreement on security and
operations, it goes to someone else. Now, if it goes to the CEO
in a small company, the third time those two people walk in his
office will be the last time they walk in his office because he
has got too much going on, and he is going to say, ``You know
what, Joe? You are now in charge of both. Sam, you report to
Joe. You have security and other operations. You figure it out.
Your head is on the line. Get out of my office.'' That is how a
small company would work.
Now HHS is different. It is a huge organization. But, at
some point, these two concerns come together and somebody has
got to make the call.
I think, Mr. Probst, as you pointed out, the right
individual, given guidance by the person in charge and the
board of directors, or whatever, could be the CIO, and
everything would be fine. On the other hand, if the
organization is inept, then it would never be fine.
So, I am just sitting here--at some point, Congress has a
role to play. At some point, you have got to hope the President
appointed the right person to be the Secretary of HHS, who, in
turn, appointed the right person here and here. And I just have
to wonder sometimes, is it Congress' role to get into the
operational structure of an administrative department or do we
need to just trust that smart people are in Government? I mean,
what would you say to that, Mr. Probst? Should Congress be
micromanaging at a CIO/CISO level and writing job descriptions?
Mr. Probst. Well, I don't believe they should personally,
but that kind of just puts aside everything that we talked
about today. I mean, the things have to happen, right? You have
to have an architecture. You have to have an approach, and you
have policies.
Mr. Collins. Correct.
Mr. Probst. If you do, you can have smart people.
The one thing we didn't talk about while you were speaking,
sir, was the presidential appointment of the CISO. That
concerns me a little bit as well because now you are going to
politicize a really important role. If you have smart people as
the Secretary of HHS--by the way, I think we do, and there is
some very good leadership there--they ought to be able to find
the right person to do it.
Mr. Collins. Oh, no question. No question.
Mr. Probst. But that is part of this role.
Mr. Collins. Yes, Mr. McMillan, do you have a comment,
having come out of DoD?
Mr. McMillan. I agree with that as well. I think, again, it
gets back to having all the different components. And you are
right, if you have the right structure, if you have the right
expectations in terms of how we do things, then you are right,
smart people can make good decisions and they will do
responsible things.
I think it is a combination of all those things. But, even
so, my experience has been that there does need to be that open
communication with respect to managing risk. And there have
been countless situations where the IT organization, which
ultimately at the end of the day is responsible for delivering
services, has numerous pressures put on them to meet deadlines,
et cetera, things like developing software where we have to hit
a deadline to meet software. So, we get rid of the regression
testing or we get rid of the security testing. The next thing
you know, we have a piece of software out there that has got
bloated code in it or it has got insecure code. But we hit our
deadline, right? So, we didn't have any penalties.
We can't let those things happen when we are talking about
something as serious as this. When you are talking about
things, to get back to medical devices, what we haven't talked
about yet is why don't we have a solid standard for how a
medical device has to be engineered and architected from the
beginning. The FDA guidance is just that, guidance. The
manufacturers don't have to listen to it.
Mr. Collins. I think my time has expired. You know, I
appreciate that, and I just would conclude by saying we all, I
think, know a person is ultimately going to have to make the
call on the balance. It is a human being. Sometimes they make a
mistake. In hindsight, people would always say they made a
mistake. And we just need to recognize, whatever we do here, we
are not going to end up with perfection and it is going to be a
human being making that call between efficiency and security.
Thank you all very much. It has been very interesting.
Mr. Long. Thank you, Chairman.
Mr. Pitts [presiding]. The Chair thanks the gentleman and
now recognizes the gentleman from Indiana, Dr. Bucshon, 5
minutes for questions.
Mr. Bucshon. Thank you, Mr. Chairman.
I was a healthcare provider before I came to Congress. So,
this is a pretty interesting issue. And I will probably
diverge, go away from the pathway we have been on just a little
bit to talk more about why are people going after healthcare
information.
To start, what data is the most important that people can
get from an electronic medical record?
Mr. Corman. Well, some of this is just the natural
expansion of the dark markets and the criminal organizations.
The street price of a credit card has plummeted due to a
surplus from our rampant failures. It used to be over $100; now
it is under $1 in certain circles. So, they have migrated to
other forms of assets they can turn into currency.
A difference between a credit card and some of the
healthcare records is that I can get a new credit card; I can't
get a new body.
Mr. Bucshon. Right.
Mr. Corman. So, it is the durability of the information.
Mr. Bucshon. Say, for example, though, that you are a
patient.
Mr. Corman. Yes.
Mr. Bucshon. OK? And you have a specific disease. Why is
that marketable?
Mr. Corman. It is not as much the disease. A lot of the
information there can be used to perpetrate bank fraud, check
fraud, account takeover.
Mr. Bucshon. OK. So, it is not necessarily the health
information. Like say you have heart disease, or whatever. It
is everything that is in your record at the hospital, which
includes your Social Security number or your other financial
information, things like that?
Mr. Corman. Yes. If it is someone famous or if it is
someone important, that could be a high-value target.
Mr. Bucshon. Right, right. I understand. Then, you could
leverage----
Mr. Corman. Yes.
Mr. Bucshon. Say someone has a particular disease and they
don't want the public to know, for example.
Mr. Corman. Even employer discrimination. There is a bunch
of markets for that.
I just want to remind, part of the testimony is, you know,
we have a joke that we say we love our privacy; we want to be
alive to enjoy it. So, as we do tackle these, we want to make
sure we are looking at the privacy and the safety of this.
Mr. Bucshon. Anybody else have any brief comments on that
one?
Mr. McMillan. I agree with all of it. I would say the one
exception to that that I worry about is, when you start looking
at things like the OPM breach and the Anthem Blue Cross
breaches, et cetera, where enormous amounts of medical
information and background information on Government workers
was exposed, there are national or state actors out there who
absolutely would like to know if we have medical conditions
that are sensitive to certain individuals in our Government and
certain positions in our military, et cetera.
So, there is time where medical information is valuable to
certain other individuals, and it is not necessarily the
cybercriminal who is looking to commit fraud or commit identity
theft or those types of things. I don't think we can discount
those things. They didn't steal 80 million records from Anthem
Blue Cross for nothing. They didn't steal 23 million records
from OPM for nothing. There was a purpose behind that. We
probably don't know what the purpose is yet.
Mr. Bucshon. Yes, I just wonder whether like, you know, I
mean, people can find out that I have high blood pressure,
which I do. Why do they care? Why would they care? Do you know
what I am saying?
So, that is the thing I was trying to get at. Is it the
other information? In certain circumstances I understand that
could be valuable information to people, right?
It seems to me that the reason--and I think, Mr. McMillan,
you pointed this out--that the focus is on now criminals going
after health information, it is not the health information per
se; it is the fact that now everything is being connected, and
it is a portal through which they can get other information
that in many other areas of our society, banking and other
areas, those portals have been closed, effectively closed. They
are never closed.
And we haven't gotten ahead of it on the health IT side,
Mr. Probst, as you pointed out. I mean, exactly, as a
physician, you know, it always drove me crazy if it took me
very much time to get into the health record or not. So, it is
going to be a real easy--you know, I put in my password, and
there it is, right? I can get into the entire system because
that was the focus, right?
So, I am just trying to get at, it is not necessarily that
this is healthcare IT; it is a portal into people's financial
lives and everything else. Is that true or not true?
Mr. Probst. I think that is part of it. I mean, we are
talking about people stealing data and using that data for
inappropriate things. But the whole concept of cyberterrorism
is very real. I mean, if you think about healthcare as an
infrastructure piece of our country, I mean very key component
of the infrastructure, cyberterrorism is very real and it
probably scares me more than even some of the data that is
being taken.
Mr. Bucshon. OK. I have got one more question. So, briefly?
Mr. Corman. Yes, real fast, on that point, none of us in
the room are really that concerned about the ransom aspect of
Hollywood Presbyterian. We were concerned of someone like
Trick, a former Anonymous hacker who radicalized into an ISIS.
Someone like that could do a sustained denial-of-service
attack----
Mr. Bucshon. OK.
Mr. Corman [continuing]. In any crisis. It is not even the
deaths per se; it is the crisis of confidence in the public to
trust these----
Mr. Bucshon. So, I guess the last question I have is,
briefly, creating a separate healthcare ID for all of us based
on either biometrics or based on a number or something versus
our Social Security number, for example, would that improve the
ability to protect non-medical information that is in our
health records from cyberattack? Mr. McMillan?
Mr. McMillan. No, sir. If that information is still in that
record and I can misappropriate those records, then I can still
use that information.
I think what Marc was referring to--and I will let him
answer that--but I think what he was referring to is that, if
we have that unique identifier, then we could remove a lot of
that personal information that today is in there just for the
purpose of identifying the patient. So, think of it as----
Mr. Bucshon. But that could be important.
Mr. McMillan. Think of it as the ID cards that veterans now
have, I, as a veteran, and other veterans have or as Medicare/
Medicaid now have. They have taken the Social Security number
off of those cards.
Mr. Bucshon. OK.
Mr. McMillan. Right? Why have they done that? Because it
put that number at risk.
Mr. Bucshon. OK.
Mr. McMillan. Why do we have it in the health record?
Mr. Bucshon. I am over time. So, I will yield back, Mr.
Chairman.
Mr. Pitts. The Chair thanks the gentleman.
I now recognize the gentlelady from Indiana, Ms. Brooks, 5
minutes for questions.
Mrs. Brooks. Thank you, Mr. Chairman.
I would like to build on my colleague from Indiana's
questions and allow each of you to answer and give your opinion
with respect to his proposal or idea that, Mr. Probst, you
talked about earlier, having a specific identifier for
healthcare records. Specifically, if you could each comment on
what your views are of the pros and cons of that?
Mr. Probst. Well, I actually completely agree with what Mr.
McMillan said. I mean, it is our opportunity to reduce the
amount of data that we have that, then, could be used for
nefarious purposes. So, by having that national patient ID,
that is going to help there.
From a clinical perspective, it is going to help massively
because we want to be able to align our clinical data with the
patients. And so, the national patient ID has huge benefit from
a clinical perspective. But, from a security, I think Mac hit
it perfectly.
Mr. McMillan. So, the other benefit that a unique
identifier for patients would provide is in the form of access
control. As we expand our sharing of information into things
like population health, where we are going to have disparate
physicians and other individuals touching a record for
different reasons at different times, the old role-based access
control rules that we have followed in the past are not going
to be adequate anymore. We are going to have to go to more
attribute-based access-control-type principles.
When we have everybody or everything uniquely identified in
the system, whether it is an individual, whether it is the
patient, whether it is the physician, whether it is
environmental factors, et cetera, I can now create rules that
actually facilitate access quicker for that gentleman to get
into the record that he needs to get into and assure the
patient that he is the right physician that is looking at that
information.
Mrs. Brooks. Thank you.
Mr. McMillan. So, unique identifiers are beneficial.
Mrs. Brooks. Thank you.
Any further comments, Ms. Burch or Mr. Corman?
Ms. Burch. Absolutely. The issue of patient matching and
patient identification is something that HIMSS has been working
on for a long time. We currently fund an innovator-in-residence
at HHS in the Chief Technology Officer's Office to look at
perfecting algorithms and other ways that you can identify
patients and match patient information.
From the HIMSS perspective, we absolutely think there needs
to be a national strategy for patient data matching. We don't
believe that a unique patient identifier is the panacea
solution for that problem.
Given the short amount of time, we can certainly share the
research that we have done and the arguments that we have that
may not support a unique patient identifier, but we do believe
that there needs to be a serious look taken at what are new and
emerging technologies around digital identity. What is right
for healthcare?
So, we have for a long time been a proponent of GAO or some
other group really looking at this issue from the standpoint of
what is the right solution of healthcare, and it may be multi-
solutions.
Mrs. Brooks. Thank you. We would be interested in receiving
that research and seeing what some of those ideas are.
Mr. Corman, anything you would like to add?
Mr. Corman. Yes. I would concur that it is not a panacea.
As someone representing the security research community, often
we place too many hopes in the efficacy of these things. I will
say it is important as a principle to reduce your attack
surface and reduce how many copies of these things you have and
how they are come as you are, do as you please. You know, the
less data you have, the less exposed you are. So, that is a
good principle.
But, typically, when you do something like this, you are
just simply moving the focal point of the adversary. So, you
would have to take a more strategic and holistic approach.
I also know there are some privacy concerns around the
downside or unintended consequences of such things.
Mrs. Brooks. Thank you. I would be interested in knowing
whether or not having what is proposed under this bill, 5068,
would that help the Federal Government become more innovative
with respect to security if we adopted this proposal for HHS to
create this new office specifically? Do you think that would
improve the innovation? I am all about innovation in
Government, and I am curious whether or not this could actually
help promote some more innovation in our systems.
Mr. Corman. My immediate instinct is no. I think it is a
very different role. It is going to be a more operational role
for the agency as opposed to the genesis of new and holistic
ideas for the industry.
Mrs. Brooks. But, with respect to security--and maybe I
should go to you, Ms. Burch. You were talking about innovation
research and work that is being done with respect to security.
Is that correct?
Ms. Burch. Yes, I was speaking to the importance of the
security aspect and being foundational to the innovation work
that is happening. So, if you don't have a strong security
architecture, patients won't trust sharing their information.
You don't have the information to feed the research pipeline,
and then, you ultimately don't get to cures.
So, we think a CISO position within HHS that is empowered
to work both internally and externally is critically important.
Mrs. Brooks. Thank you, and I am sorry my time--I yield
back my time. Thank you.
Mr. Pitts. The Chair thanks the gentlelady.
That concludes the questions of the Members present. We
will have further questions, follow-up, and other Members will
submit them to you in writing. We ask that you please respond
promptly. And that means Members have 10 business days to
submit questions for the record. So, they should submit their
questions by the close of business on Thursday, June the 9th.
We will also be consulting with HHS and work
collaboratively and bipartisanly.
And we thank you very much. This has been a very important
and complex, really, issue that we must deal with. Thank you
very much for your testimony.
Without objection, this hearing is adjourned.
[Whereupon, at 11:55 a.m., the subcommittee was adjourned.]
[Material submitted for inclusion in the record follows:]
Prepared statement of Hon. Fred Upton
The House Energy and Commerce Committee knows, better than
I think just about any committee on the Hill, how important
cybersecurity is. We've examined issues surrounding encryption,
considered how best to address data breaches, and even dug deep
into the protocols that run our cell phones, studying the
vulnerabilities. We understand that our digital infrastructure
is under attack--every second of every day--from actors of all
motivations and levels of sophistication.
And that is why we are here today. Just like every other
Federal department and private organization, HHS' networks and
the information contained within them are under constant
threat. At first glance, some may assume that we're holding
today's hearing to chastise HHS for cybersecurity incidents
that have happened in the past. We are not.
We are holding this hearing because we are looking to the
future. We are holding this hearing to examine whether or not
HHS has the opportunity, by embracing the reforms suggested in
Mr. Long's and Ms. Matsui's bipartisan bill, not only to
improve its own internal cybersecurity, but to become a leader
in cybersecurity within the Federal Government and in the
health care industry.
Consider this: the current structure for cybersecurity
officials in place at HHS was originally mandated in 2003. The
Internet looked radically different 13 years ago; smartphones
were rare, cloud computing had yet to really take off, and the
biggest threats to our digital infrastructure were viruses and
worms, both of which could be stopped using standard firewalls
and anti-virus software.
But the cyberworld is constantly changing, and the threats
that we faced 10 years ago are not the threats that we face
today. Instead, we face a daunting array of cybersecurity
threats, from sophisticated thefts of personal information held
by health care providers, to the hostage-taking of hospital
networks and equipment by ransomware.
So I hope Members will take this opportunity to examine
closely the issue before us, and give careful consideration as
to whether or not an organizational structure established a
decade ago is as agile, versatile, and powerful as we need it
to be in order to combat the growing threats that we face.
Our oversight identified a problem. And we have a
thoughtful solution in the HHS Data Protection Act to address
it.