[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]

EXAMINING CYBERSECURITY RESPONSIBILITIES AT HHS

HEARING BEFORE THE SUBCOMMITTEE ON HEALTH OF THE COMMITTEE ON ENERGY AND COMMERCE, HOUSE OF REPRESENTATIVES, ONE HUNDRED FOURTEENTH CONGRESS, SECOND SESSION

MAY 25, 2016

Serial No. 114-150

Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov

U.S. GOVERNMENT PUBLISHING OFFICE
21-352 PDF, WASHINGTON : 2017

COMMITTEE ON ENERGY AND COMMERCE

FRED UPTON, Michigan, Chairman
JOE BARTON, Texas, Chairman Emeritus
ED WHITFIELD, Kentucky
JOHN SHIMKUS, Illinois
JOSEPH R. PITTS, Pennsylvania
GREG WALDEN, Oregon
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee, Vice Chairman
STEVE SCALISE, Louisiana
ROBERT E. LATTA, Ohio
CATHY McMORRIS RODGERS, Washington
GREGG HARPER, Mississippi
LEONARD LANCE, New Jersey
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Ohio
BILLY LONG, Missouri
RENEE L. ELLMERS, North Carolina
LARRY BUCSHON, Indiana
BILL FLORES, Texas
SUSAN W. BROOKS, Indiana
MARKWAYNE MULLIN, Oklahoma
RICHARD HUDSON, North Carolina
CHRIS COLLINS, New York
KEVIN CRAMER, North Dakota

FRANK PALLONE, Jr., New Jersey, Ranking Member
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
ELIOT L. ENGEL, New York
GENE GREEN, Texas
DIANA DeGETTE, Colorado
LOIS CAPPS, California
MICHAEL F. DOYLE, Pennsylvania
JANICE D. SCHAKOWSKY, Illinois
G.K. BUTTERFIELD, North Carolina
DORIS O. MATSUI, California
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
JERRY McNERNEY, California
PETER WELCH, Vermont
BEN RAY LUJAN, New Mexico
PAUL TONKO, New York
JOHN A. YARMUTH, Kentucky
YVETTE D. CLARKE, New York
DAVID LOEBSACK, Iowa
KURT SCHRADER, Oregon
JOSEPH P. KENNEDY, III, Massachusetts
TONY CARDENAS, California

Subcommittee on Health

JOSEPH R. PITTS, Pennsylvania, Chairman
BRETT GUTHRIE, Kentucky, Vice Chairman
ED WHITFIELD, Kentucky
JOHN SHIMKUS, Illinois
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee
CATHY McMORRIS RODGERS, Washington
LEONARD LANCE, New Jersey
H. MORGAN GRIFFITH, Virginia
GUS M. BILIRAKIS, Florida
BILLY LONG, Missouri
RENEE L. ELLMERS, North Carolina
LARRY BUCSHON, Indiana
SUSAN W. BROOKS, Indiana
CHRIS COLLINS, New York
JOE BARTON, Texas
FRED UPTON, Michigan (ex officio)

GENE GREEN, Texas, Ranking Member
ELIOT L. ENGEL, New York
LOIS CAPPS, California
JANICE D. SCHAKOWSKY, Illinois
G.K. BUTTERFIELD, North Carolina
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
DORIS O. MATSUI, California
BEN RAY LUJAN, New Mexico
KURT SCHRADER, Oregon
JOSEPH P. KENNEDY, III, Massachusetts
TONY CARDENAS, California
FRANK PALLONE, Jr., New Jersey (ex officio)

CONTENTS

Hon. Joseph R. Pitts, a Representative in Congress from the Commonwealth of Pennsylvania, opening statement; prepared statement
Hon. Gene Green, a Representative in Congress from the State of Texas, opening statement; prepared statement
Hon. Michael C. Burgess, a Representative in Congress from the State of Texas, opening statement
Hon. Frank Pallone, Jr., a Representative in Congress from the State of New Jersey, opening statement
Hon. Fred Upton, a Representative in Congress from the State of Michigan, prepared statement

Witnesses

Joshua Corman, Director, Cyber Statecraft Initiative, Atlantic Council; prepared statement; answers to submitted questions
Samantha Burch, Senior Director, Congressional Affairs, Healthcare Information and Management Systems Society; prepared statement; answers to submitted questions
Marc Probst, Vice President and Chief Information Officer, Intermountain Healthcare, on Behalf of the College of Healthcare Information Management Executives; prepared statement; answers to submitted questions
Michael H. (Mac) McMillan, Chairman and Chief Executive Officer, CynergisTek, Inc.; prepared statement; answers to submitted questions

Submitted Material

H.R. 5068, the HHS Data Protection Act, submitted by Mr. Pitts
Article of May 25, 2016, ``Cyber ransom attacks panic hospitals, alarm Congress,'' by Arthur Allen, Politico, submitted by Mrs. Blackburn

EXAMINING CYBERSECURITY RESPONSIBILITIES AT HHS

WEDNESDAY, MAY 25, 2016

House of Representatives, Subcommittee on Health, Committee on Energy and Commerce, Washington, DC.

The subcommittee met, pursuant to call, at 10:00 a.m., in Room 2123, Rayburn House Office Building, Hon. Joseph R. Pitts (chairman of the subcommittee) presiding.
Members present: Representatives Pitts, Guthrie, Shimkus, Burgess, Blackburn, McMorris Rodgers, Lance, Griffith, Bilirakis, Long, Ellmers, Bucshon, Brooks, Collins, Green, Engel, Schakowsky, Castor, Matsui, Schrader, Kennedy, and Pallone (ex officio).

Staff present: Rebecca Card, Assistant Press Secretary; Paul Edattel, Chief Counsel, Health; Charles Ingebretson, Chief Counsel, Oversight and Investigations; James Paluskiewicz, Professional Staff Member, Health; Graham Pittman, Legislative Clerk, Health; Jennifer Sherman, Press Secretary; Alan Slobodin, Chief Investigative Counsel, Oversight and Investigations; Heidi Stirrup, Policy Coordinator, Health; Sophie Trainor, Policy Advisor, Health; Josh Trent, Deputy Chief Health Counsel; Jessica Wilkerson, Professional Staff Member, Oversight and Investigations; Kyle Fischer, Democratic Health Fellow; Timothy Robinson, Democratic Chief Counsel; Samantha Satchell, Democratic Policy Analyst; Andrew Souvall, Democratic Director of Communications, Outreach, and Member Services; and Arielle Woronoff, Democratic Health Counsel.

Mr. Pitts. The subcommittee will come to order. The Chair recognizes himself for an opening statement.

OPENING STATEMENT OF HON. JOSEPH R. PITTS, A REPRESENTATIVE IN CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA

In today's digital connected world cybersecurity is one of the most important, most urgent problems that we as a society face. Indeed, a great deal of sensitive information has been entrusted to the Federal Government. And as the recent breach at the Office of Personnel Management showed, we are not always the most sophisticated at protecting that information. We, therefore, must always be on the lookout for opportunities to improve and adapt to changing cybersecurity threats and realities.

As a result of an investigation conducted by the Energy and Commerce Subcommittee on Oversight and Investigations to examine information security at the U.S. Food and Drug Administration, it was determined that serious weaknesses existed in the overall information security programs at the U.S. Department of Health and Human Services, HHS. It seems a major part of the problem is the organizational structure in place at HHS that puts information security second to information operations. This stems from the fact that right now the top official responsible for information operations at HHS is the Chief Information Officer, or CIO, and the official responsible for information security, the Chief Information Security Officer, or CISO, reports to him. In other words, the official in charge of building complex information technology systems is also the official in charge of ultimately declaring those systems secure. This is an obvious conflict of interest.

Today's hearing will take a closer look at bipartisan legislation designed to address these organizational issues. H.R. 5068, recently introduced by our Energy and Commerce Committee colleagues, Representatives Long and Matsui, is known as the HHS Data Protection Act. This bipartisan bill elevates and empowers the current HHS CISO with the creation of the Office of the Chief Information Security Officer within the Department of Health and Human Services, which will be an organizational peer to the current Office of the Chief Information Officer.

This type of structure is not novel or untested. A branch of the Department of Defense has already implemented a similar structure. Many industry experts such as PricewaterhouseCoopers now recommend that CIOs and CISOs be separated, quote, ``to better allow for internal checks and balances,'' end quote.

We are very lucky today to have expert witnesses who can talk to us about not only the bill itself, but help us understand more about the CIO/CISO relationship and why the structure currently in place at HHS could benefit from an update. In particular, I would like to highlight that one of our witnesses, Mr. Mac McMillan, experienced the very structure that H.R. 5068 seeks to create at HHS during his time working for the Department of Defense and will be able to provide valuable perspective on how HHS might implement this reform.

Today's hearing provides members an important opportunity to examine cybersecurity responsibilities at HHS and discuss a bill that will help raise the visibility and priority of information security across the Department.

[The prepared statement of Mr. Pitts follows:]

Prepared statement of Hon. Joseph R. Pitts

In today's digital, connected world, cybersecurity is one of the most important, most urgent problems that we as a society face. Indeed, a great deal of sensitive information has been entrusted to the Federal Government, and as the recent breach at the Office of Personnel Management showed, we are not always the most sophisticated at protecting that information. We therefore must always be on the lookout for opportunities to improve and adapt to changing cybersecurity threats and realities.

As a result of an investigation conducted by the Energy and Commerce Subcommittee on Oversight and Investigations to examine information security at the U.S. Food and Drug Administration, it was determined that serious weaknesses existed in the overall information security programs at the U.S. Department of Health and Human Services (HHS). It seems a major part of the problem is the organizational structure in place at HHS that puts information security second to information operations. This stems from the fact that, right now, the top official responsible for information operations at HHS is the Chief Information Officer, or CIO, and the official responsible for information security, the Chief Information Security Officer, or CISO, reports to him. In other words, the official in charge of building complex information technology systems is also the official in charge of ultimately declaring those systems secure. This is an obvious conflict of interest.

Today's hearing will take a closer look at bipartisan legislation designed to address these organizational issues. H.R. 5068, recently introduced by our Energy and Commerce Committee colleagues, Reps. Long and Matsui, is known as the HHS Data Protection Act. This bipartisan bill elevates and empowers the current HHS CISO with the creation of the Office of the Chief Information Security Officer within the Department of Health and Human Services, which will be an organizational peer to the current Office of the Chief Information Officer.

This type of structure is not novel or untested: a branch of the Department of Defense has already implemented a similar structure, and many industry experts such as PricewaterhouseCoopers now recommend that CIOs and CISOs be separated ``to better allow for internal checks and balances.''

We are very lucky today to have expert witnesses who can talk to us about not only the bill itself, but help us understand more about the CIO-CISO relationship and why the structure currently in place at HHS could benefit from an update. In particular, I'd like to highlight that one of our witnesses, Mr. Mac McMillan, experienced the very structure that H.R. 5068 seeks to create at HHS during his time working for the Department of Defense, and will be able to provide valuable perspective on how HHS might implement this reform.

Today's hearing provides Members an important opportunity to examine cybersecurity responsibilities at HHS, and to discuss a bill that will help raise the visibility and priority of information security across the Department.

[H.R. 5068 appears at the conclusion of the hearing.]

Mr. Pitts. I now yield the remainder of my time to Mr. Long from Missouri.

Mr. Long. Thank you, Mr. Chairman, for holding this hearing, and thank you to my colleague, Ms. Matsui, for her fine work and cooperation in working with me on this important issue.

Today we live in an age of the internet.
While that has spurred faster and more efficient communication between the American people and their Federal Government, it has also meant having to confront the threat of cybercriminals. Last year this committee released a study with alarming results which included proof that five HHS operating divisions had been breached using very unsophisticated means, and nonpublic HHS Office of the Inspector General reports detailing 7 years of deficiency across HHS' information security programs.

It is impossible to completely eradicate the threat of cyberattacks, but the American people deserve to know that their sensitive information is being safeguarded with the utmost security. Mr. Chairman, ensuring the safety of Americans' data is a vital necessity for Government agencies to operate efficiently. The legislation we are examining today, which I introduced along with Ms. Matsui, would restructure HHS' positions so that prioritization will be given to meeting the critical data security needs expressed by their Chief Information Security Officer.

With that in mind, I look forward to the testimony of our witnesses today. Mr. Chairman, I yield back.

Mr. Pitts. The Chair thanks the gentleman. Now I recognize the ranking member, Mr. Green, 5 minutes for an opening statement.

OPENING STATEMENT OF HON. GENE GREEN, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS

Mr. Green. Thank you, Mr. Chairman, and welcome to our panel to our subcommittee today.

Cybersecurity represents a current and growing threat to our economy as our everyday lives become more digitized. From the 2014 breach at the Office of Personnel Management and the high-profile private sector breaches of companies like Target, JPMorgan Chase, Anthem, we are too frequently reminded of how vulnerable we are to security incidents involving personally identifiable information. An unauthorized breach of personal information is particularly concerning when it is sensitive information about our health.

As with the private sector, information and technology security management remains a challenge for all Federal agencies. The principal law concerning the Federal Government's information security program is the Federal Information Security Management Act, FISMA. The 2002 law requires agencies to provide information security protections for IT systems and information collected or maintained by agencies, quote, ``commensurate with the risk and magnitude of harm that could result from unauthorized access or disruption''.

Recognizing the importance of cybersecurity and vulnerabilities of HHS, Congress enacted the Cybersecurity Information Sharing Act as part of the Consolidated Appropriations Act in December 2015. CISA requires the Secretary of Health and Human Services to review and report a plan for addressing cyber threats and designate a clear official who is responsible for leading and coordinating efforts within HHS and the healthcare industry. That law has established the Health Care Industry Cybersecurity Task Force. Members were recently appointed to the task force and will deliver the final report by March of 2017.

We should let HHS carry out the provisions outlined in CISA, and I am a bit surprised by my colleague's decision to have a hearing today on H.R. 5068, the HHS Data Protection Act, the legislation that was recently introduced by Representatives Billy Long and Doris Matsui. And I thank them for their leadership on this issue.

Unfortunately, with the last-minute timing of the hearing, it is impossible for the administration to testify. Having HHS' perspective would have greatly enhanced our evaluation of the current cybersecurity improvement efforts and this legislation, since HHS will be carrying out the organizational reform proposed in H.R. 5068.

Again, cybersecurity remains an issue, and today is an opportunity to further the conversation.
I look forward to hearing from our witnesses about what the private sector is doing to enhance cybersecurity, including both defensive and offensive capabilities.

[The prepared statement of Mr. Green follows:]

Prepared statement of Hon. Gene Green

Cybersecurity represents a current and growing threat as our economy and everyday lives become more digitized. From the 2014 breach of the Office of Personnel Management and high-profile private sector breaches of companies like Target, JP Morgan Chase, and Anthem, we are too frequently reminded of how vulnerable we are to security incidents involving personally identifiable information. An unauthorized breach of personal information is particularly concerning when it is sensitive information about our health.

As with the private sector, information technology security management remains a challenge for all Federal agencies. The principal law concerning the Federal Government's information security program is the Federal Information Security Management Act (FISMA). The 2002 law requires agencies to provide information security protections for IT systems and information collected or maintained by agencies ``commensurate with the risk and magnitude of harm'' that could result from unauthorized access or disruption.

Recognizing the importance of cybersecurity and vulnerabilities of HHS, Congress enacted the Cybersecurity Information Sharing Act (CISA) as part of the Consolidated Appropriations Act in December 2015. CISA required the Secretary of HHS to review and report a plan for addressing cybersecurity threats and designate a clear official who is responsible for leading and coordinating efforts within HHS and the health care industry. The law also established the Health Care Industry Cybersecurity Task Force. Members were recently appointed to the task force and will deliver the finalized report by March of 2017.

We should let HHS carry out the provisions outlined in CISA. I am a bit surprised by my colleagues' decision to have a hearing today on H.R. 5068, the HHS Data Protection Act. This legislation was recently introduced by Representatives Billy Long and Doris Matsui, and I thank them for their leadership on this issue.

Unfortunately, the last-minute timing of this hearing made it impossible for the administration to testify. Having HHS' perspective would have greatly enhanced our evaluation of current cybersecurity improvement efforts and of the legislation, since HHS would be carrying out the organizational reform proposed in H.R. 5068.

Again, cybersecurity remains an issue, and today is an opportunity to further the conversation. I look forward to hearing from our witnesses about what the private sector is doing to enhance

Thank you, and I yield 2 minutes to my colleague from California, Congresswoman Doris Matsui.

Mr. Green. I would like to thank you, and I yield the remaining of my time to my colleague from California, Congresswoman Doris Matsui.

Ms. Matsui. Thank you, Mr. Green, for your opening, and, Mr. Chairman, for holding this important hearing.

The intersection between technology and our health is impacting nearly every aspect of our daily lives. As we move toward a more connected system of care, we need to make sure our security practices are nimble and forward-thinking to meet this new, exciting health IT landscape. Making technological investments in our cyberdefense systems is absolutely critical, but it is also just as important that our organizational structures are set up for success.

The HHS Data Protection Act that I introduced with my good friend Billy Long would elevate the Office of Chief Information Security Officer within HHS. The privacy of our health data is of critical importance, and this legislation would establish HHS as a model and leader across the Federal Government.
It builds on the Obama administration's Cybersecurity National Action Plan, which created the first ever Federal Chief Information Security Officer, a dedicated senior official in the administration focused exclusively on coordinating cybersecurity operations across the entire Federal domain. We are already seeing the shift happen in the private sector, and I look forward to hearing more about this from the witnesses today. We must also include the important perspective of HHS as the committee continues our consideration of this legislation.

A securely connected healthcare ecosystem is better for everyone. This health IT transformation requires a solid regulatory and legislative foundation to work from. I will continue to work with my colleagues in Congress on forward-thinking solutions to combat cyber threats across both the public and the private sector, and I do appreciate the witnesses being here today. I look forward to your testimonies.

Thank you, Mr. Chairman. I yield back.

Mr. Pitts. The Chair thanks the gentlelady, and now recognizes the gentleman, Dr. Burgess, 5 minutes for an opening statement.

OPENING STATEMENT OF HON. MICHAEL C. BURGESS, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS

Mr. Burgess. Thank you, Chairman Pitts, and thank you for holding this hearing.

There are certainly more and more reasons every day to be concerned about our health data security. Digitization of health information has accelerated in all sectors of medicine, and electronic data is taking the place of paper files everywhere from research labs to hospitals, to public health departments. I am fully committed to advancing progress towards an interoperable universe of health information because I am confident it will offer benefits for medical information and for healthcare delivery. However, this progress has brought with it threats to patient privacy, threats to patient security, and even threats to safety, unlike anything we have ever faced before.

We have seen hospitals that rely on electronic health records be held ransom by hackers, demanding a fee payable in bitcoins, before they can regain access to patient records. This is no small victimless crime. This could be a matter of life and death, particularly when you consider the care of a critical-needs patient or a critical-care patient in an intensive care setting. This is something that is being perpetrated by sophisticated criminals who I don't think understand the seriousness of the illness of the patients that they are dealing with.

We have learned that there are fundamental weaknesses in the foundation of data security at every major division of HHS, and that hardly inspires confidence. Although the breaches and vulnerabilities at HHS have not been as serious in nature as ransomware attacks in the private sector, there is no reason in the world to just sit back and wait for that disaster to happen and, then, be tasked with examining the smoking ruins.

Data held by the divisions at Health and Human Services seriously affect every single American. Just a few ``what ifs'': What if our enemies could hack into the CDC's systems? What is to stop them from using our own biodefense plans against us? If the FDA's data on clinical trials is vulnerable to hackers, how can companies be confident that their proprietary trade secrets and intellectual property will not be stolen? There is no limit to the cavalcade of harsh headlines if we don't get serious about data security at the Department of Health and Human Services before it is too late.

Mr. Long and Ms. Matsui have taken an important first step in making data security a priority, and I am certainly grateful that we have our witnesses here today. I look forward to hearing from them. And I will yield to the vice chair of the full committee, Ms. Blackburn.

Mrs. Blackburn. Thank you, Mr. Chairman. And we appreciate our witnesses being here. This is something that I think many of us recognize is truly a problem.
In 2003, when we did the Medicare Modernization Act, I recommended that we put in process an orderly process and incentives for the healthcare provider system to move to electronic records. Well, the hospitals did not want that. So now, what you have is kind of a mixed bag of different systems and people that are in different places along this transition to electronic records.

What you also see--and Politico has a great article in today. Mr. Chairman, we should put this article in the record because it points out why we need this legislation.

Mr. Pitts. Without objection, so ordered.

Mrs. Blackburn. Thank you.

[The information appears at the conclusion of the hearing.]

Mrs. Blackburn. As Chairman Burgess said, interoperability is an issue, data security protections. We still have not passed data security or privacy legislation, breach notification, things of that nature, out of this committee, and we should do so. And also, going back and revisiting HIPAA, which would help us to put in place some protections.

We have seen, the hospital industry that is in my district, they have seen some hacks, millions of records, patient records, that have been taken and have been exposed. This is the type of crime that happens to you. You do not know that it is coming. You are not aware many times until months after it has occurred. And that entire time, you have patients that are vulnerable.

So, we thank you for helping turn the attention to cybersecurity, and I yield back the balance of my time.

Mr. Pitts. The Chair thanks the gentlelady. I now recognize the ranking member of the full committee, Mr. Pallone, 5 minutes for an opening statement.

OPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE IN CONGRESS FROM THE STATE OF NEW JERSEY

Mr. Pallone. Thank you, Mr. Chairman. I appreciate today's hearing topic on cybersecurity and examining the cybersecurity responsibilities within HHS.

I think we would all agree that cybersecurity is a critical issue facing us in our ever-evolving 21st century world. Everything we do on a daily basis is more and more connected through the internet. And when it comes to our health information, just like our personal information, we must find ways to improve our systems, so that they are secure and protected.

I have said before that this committee has a long history on cybersecurity issues. We also recently held a hearing in the Oversight and Investigations Subcommittee in which we heard firsthand how difficult and complicated this problem is. Unfortunately, our ability to protect against cyberattacks while improving still appears to lack what is needed to prevent these intrusions. And what we have discovered is that, while the Federal Government has had their share of breaches, the private sector is also battling these attacks.

Today we are going to examine one solution to this problem, how an agency should be organized to encourage efficiencies and best practices within the Federal Government. This legislation, introduced by Representatives Matsui and Long, would move the Chief Information Security Officer, CISO, to the same level as the Chief Information Officer, CIO. Currently, the CISO is located within the same office as the CIO and reports to the CIO.

I look forward to hearing about what this can accomplish, but, also, if there are any shortfalls to such reorganization. For example, would moving the system out of the Office of the CIO create silos? Should information security considerations be integrated into the information technology planning process instead of in parallel, as this bill would suggest? Would this bill create inefficiencies by removing responsibility for the CIO to take into account cybersecurity? Are there major differences between HHS and the private sector that should be taken into account?
So, let me just say that I am disappointed we couldn't ensure that HHS had an opportunity to be here today to express their own views. HHS should be able to testify to whether this organizational change makes sense from their perspective and whether it could potentially exacerbate the problem it is trying to solve. And this is why I wish the majority had not rushed this hearing. While this bill may, in fact, be a good approach and I appreciate the efforts of our committee colleagues, the timing of this hearing means that the committee, stakeholders, and HHS itself have not had a chance to fully vet the bill. Finally, Congress passed a bill at the end of last year that requires HHS to do a thorough cybersecurity report and plan, and I am concerned that we would move forward on these changes before we are able to hear the outcome of this report. We may never be able to completely eradicate the threat of cybersecurity, but we have to take comprehensive action, and I am glad to see this committee is exploring ways to do that. I yield back, Mr. Chairman. Mr. Pitts. The Chair thanks the gentleman. Although both sides tried to get a witness from HHS, they were unable to produce a witness today. But we will get their consultation, work with them, before moving on this issue. That completes the opening statements. As usual, the written opening statements of Members will be included in the record. We will now go to our panel. Thank you for your attendance today, and I will introduce you in the order of your presentation. Your written testimony will be made part of the record. You will each have 5 minutes to summarize your testimony. And in the order of your presentation, Mr. Joshua Corman, Director of Cyber Statecraft Initiative, Atlantic Council; Ms. Samantha Burch, Senior Director, Congressional Affairs, Healthcare Information and Management Systems Society North America; Mr. 
Marc Probst, Vice President and Chief Information Officer, Intermountain Healthcare, on behalf of the College of Healthcare Information Management Executives, and, finally, Mr. Mac McMillan, Chief Executive Officer, CynergisTek, Inc. Again, thank you for coming. Mr. Corman, you are recognized for 5 minutes for your summary. STATEMENTS OF JOSHUA CORMAN, DIRECTOR, CYBER STATECRAFT INITIATIVE, ATLANTIC COUNCIL; SAMANTHA BURCH, SENIOR DIRECTOR, CONGRESSIONAL AFFAIRS, HEALTHCARE INFORMATION AND MANAGEMENT SYSTEMS SOCIETY; MARC PROBST, VICE PRESIDENT AND CHIEF INFORMATION OFFICER, INTERMOUNTAIN HEALTHCARE, ON BEHALF OF THE COLLEGE OF HEALTHCARE INFORMATION MANAGEMENT EXECUTIVES; AND MICHAEL H. (MAC) McMILLAN, CHAIRMAN AND CHIEF EXECUTIVE OFFICER, CYNERGISTEK, INC. STATEMENT OF JOSHUA CORMAN Mr. Corman. Chairman Pitts, Ranking Member Green, and distinguished members of the Subcommittee on Health, thank you for the opportunity to testify today. My name is Joshua Corman. I am the Director of the Cyber Statecraft Initiative at the Brent Scowcroft Center for International Security at the Atlantic Council, a nonpartisan international policy think tank. I am also a founder of a grassroots volunteer organization focused on cybersafety in the Internet of Things called I Am The Cavalry, and an adjunct faculty for the CISO Certificate Program at Carnegie Mellon University's Heinz College. And lastly of note is I am one of the delegates serving on the HHS Cybersecurity Task Force that came out of the Cybersecurity Act of 2015. Over the past 15 years, I have been a stanch advocate of the CISO and the emerging challenges that confront that role, and tried to focus on the vanguard of emerging issues, whether it be the rise of hacktivism, the rise of nation-state espionage, or the increase to cybersafety and cyberphysical systems threats that face medical devices, automobiles, and the like. 
It is an increasingly challenging role, and I work deeply with the Fortune 50 and the Fortune 100. I say all of this because I have had a front-row seat at the turbulent evolutions that confront this role of the Chief Information Security Officer and have seen the healthy and unhealthy adaptations that the profession has taken in the private sector and the public sector, often through business relationships or my students at Carnegie Mellon University.

What I hope to do here is frame a few of the factors that contribute to a successful CISO and a CISO cybersecurity program; also, speak to some of the costs and benefits and tradeoffs of alternative reporting structures that have been tried in the private sector and elsewhere; also, to answer any questions as you consider your choices.

A brief comment on the current state of cybersecurity which I think is becoming clearer and clearer to this body. Our dependence on connected technology is growing much faster than our ability to secure it, and now it is affecting public safety and human life. The breaches are getting bigger, as we have seen with Target and Ashley Madison. The breaches are affecting Federal agencies, as we have seen with OPM, the Pentagon, and now HHS. And the breaches are getting more dangerous, as we are seeing with power outages in the Ukraine or denial of patient care at Hollywood Presbyterian Hospital due to an accidental impact of ransomware. I am more deeply concerned, less about the ransomware itself with a financial-motivated adversary, but more concerned at what this has revealed to ideological adversaries who may wish to cause physical harm and a sustained denial of service to patient delivery. And for these reasons, it is important that we avail ourselves of the best practices that are emerging at the vanguard of how we organize cybersecurity programs.

Some factors which I have noticed contribute to the success of a CISO, a CSO, or a cybersecurity program: No. 1, the individual qualifications of the CISO in question. No. 2, at topic today, the reporting structure to the CIO, CFO, general counsel, CEO, board of directors, or alternatives. No. 3, the relationship the CISO maintains, regardless of reporting structure, to key stakeholders throughout the organization. No. 4, CEO and board-level visibility and prioritization to be supported in the execution of the mission. No. 5 is the application of risk management principles versus minimum compliance standards, which you often hear a quote of, ``We can spend only on compliance mandatory spending and not one penny more,'' often truncating true risk management or defensive countermeasures that are required to fend off these modern adversaries. And lastly, ability for the CISO to both influence IT and business choices, not simply IT or CIO choices. So, the scope is expanding as well.

In general, as an observation, there is a migration away from reporting to the CIO as an inherent conflict of interest for a bevy of reasons which I can get into during your Q&A. And with each of the alternative structures, you see better aspects of the program manifest. For example, a CIO is typically concerned about availability and uptime of IT as opposed to privacy or sensitive information or trade secrets. Moving simply to a general counsel, for example, typically expresses greater focus on risk management principles on harder-to-replace information like trade secrets, sensitive organizational data, intellectual property, and the like. Reporting to the CIO allows true tensions and natural conflicts which emerge to get top full visibility on how to resolve those differences. And reporting to the CFO often brings to bear very rigorous accounting and audit principles, as have been introduced by the rigor of things like Sarbanes-Oxley on the financial services sector.
Lastly, for 10 seconds here, essentially, there is a tremendous value in experimentation, and I really applaud the spirit of this bill to try an alternative reporting structure in one agency and, if successful, it could be replicated across other agencies to rise to these growing challenges.

I thank you for your time.

[The prepared statement of Mr. Corman follows:]

Mr. Pitts. The Chair thanks the gentleman. I now recognize Ms. Burch, 5 minutes for your summary.

STATEMENT OF SAMANTHA BURCH

Ms. Burch. Chairman Pitts, Ranking Member Green, members of the subcommittee, thank you for the opportunity to testify today on behalf of the Healthcare Information and Management Systems Society in support of H.R. 5068, the HHS Data Protection Act.

HIMSS is a global, cause-based, not-for-profit organization focused on better health through information technology. HIMSS North America encompasses more than 64,000 individuals plus hundreds of corporations and not-for-profit partner organizations that share this cause. Our organization has spent more than a decade working to support the healthcare sector in improving its cybersecurity posture through thought leadership, proactive policy development, surveys, toolkits, and other resources.

Today's hearing begins a critical conversation that mirrors conversations occurring in healthcare organizations across the country regarding the most appropriate approach to governance to ensure effective data protection and incident response. Cybersecurity has been a growing area of focus for healthcare organizations in recent years. Highly publicized, large-scale breaches of patient and consumer information and other high-profile security incidents have resulted in the increased hiring of Chief Information Security Officers to serve as the lead executive responsible for safeguarding an organization's data and IT assets.
Further, the trend towards elevating the CISO to be a peer of the CIO reflects the recognition that information security has evolved into risk management activity historically within the purview of other executives. This recognition requires a reporting structure that creates a direct channel to the CEO, CFO, general counsel, and board of directors to facilitate management of security risk in the context of business risk, operational, legal, financial, reputational. For healthcare providers, a significant security incident or breach may lead to a disruption in patient care, the primary business mission of the organization. As such, it is clear that healthcare organizations need a cybersecurity leader to manage as well as mitigate security risk.

However, it is important to note that it is not simply the organizational change of the CISO which will dramatically improve the security posture of an organization. The right people, processes, and technology must also be in place.

The August 2015 Report on Information Security at HHS raised several important points related to the impact of the current HHS CISO reporting structure and detailed the resulting internal security challenges faced by the Department. This report reflects the criticality of the discussion we are having today. Like the private sector, HHS needs programs in place that support the specific business missions of its various operating divisions such as CMS as the largest healthcare payer or NIH as the Government health research agency. Breaking down silos will better position the Department to move from an audit-driven approach to a proactive, ongoing business risk management approach to cybersecurity that encourages information-sharing within the Department. Additionally, we believe that external threat information-sharing is essential for HHS with other Federal agencies such as DHS and FBI and, also, with private sector healthcare organizations. We see an important external-facing role for the Office of the CISO as well. I direct the subcommittee to my written statement for additional details on that point.

Healthcare organizations have come a long way in building the IT capabilities to make the goals of 21st Century Cures a reality. Over the past 5 years, rates of adoption of advanced EHR capabilities have increased significantly. The health information now contained in these systems holds great lifesaving potential. These goals are particularly meaningful to me, as a 5-year survivor of a rare brain tumor, and to the HIMSS organization after our colleague tragically lost her 22-year-old son to cancer and other complications last week.

We see clearly that it is trust that will enable these efforts to succeed, trust in the system that will house and control access to the patient's data and trust in the public/private collaborative effort. The HHS CISO, appropriately positioned within the Department, will be uniquely qualified to lead this important mission.

In closing, I would like to thank Congressman Long and Congresswoman Matsui for their leadership on this legislation and the subcommittee for prioritizing this issue. I look forward to your questions.

[The prepared statement of Ms. Burch follows:]

Mr. Pitts. The Chair thanks the gentlelady. Now I recognize Mr. Probst, 5 minutes for your summary.

STATEMENT OF MARC PROBST

Mr. Probst. Thank you, Chairman Pitts, Ranking Member Green, and members of the subcommittee. It is an honor to be here today to testify on behalf of the College of Healthcare Information Management Executives, or CHIME, concerning the relationship of Chief Information Officer and Chief Information Security Officer at the Department of Health and Human Services. CHIME is an executive organization serving nearly 1900 CIOs and other health information technology leaders at hospitals, health systems, and clinics across the Nation.
In addition to serving as chairman of the CHIME board of trustees, I am the CIO and President of Information Systems at Intermountain Healthcare in Salt Lake City, Utah. Intermountain is a nonprofit, integrated health system that operates 22 hospitals in Utah and Idaho and approximately 200 clinics as well as an insurance plan. Intermountain also has over 36,000 employees. Nationally, Intermountain is known for providing high-quality care at sustainable costs. Essential to our ability to deliver high-value, coordinated patient care is the proper and effective use of health information technology.

CHIME members take very seriously their responsibility to protect the security of patient data and devices networked to the systems they manage. We appreciate the committee's interest in health cybersecurity and the role that the Department of Health and Human Services plays in helping to combat cybercriminals. We completely agree that cybersecurity must be a priority for HHS, just as it is for the Nation's healthcare CIOs. While this hearing is largely focused on organizational and reporting structures for the CIO and CISO at HHS, CHIME believes that the subcommittee must also look closely at how the Department coordinates cybersecurity across its divisions.

In the private sector, reporting structures vary based on how organizations define the role of CISO. At Intermountain Healthcare, where the CISO reports to me, the CIO, we have made cybersecurity and privacy a major priority and focus. As an example, I have instructed my team, as they prioritize their efforts each day, I would rather have our data center go completely dark, meaning a complete loss of all of our information systems, than to have a major breach of our data and systems. Losing our information systems would be horrible and highly disruptive, but our patients, members, employees, clinicians, and others have entrusted us with their most personal data, and we need to do all we can to protect it. Security is not an afterthought. Everyone across the organization needs to make it a priority. Even then, no system is perfectly secure.

As I mentioned, at Intermountain the CISO reports directly to me, as CIO. In our organization, the CISO is focused on developing and overseeing the implementation of the technical strategy to achieve our security posture as well as managing our security team. Working across information systems/operations ensures that the technical components and processes required for cybersecurity are in place and are managed. The interpretation of regulations, rules, corporate policy, procedure, and development of our strategy to achieve our security posture, what we need to secure and how to set priorities is the role of our Compliance and Privacy Office, which reports to the board of directors. While these responsibilities are organizationally separate, our management structure helps us achieve a high level of cooperation. My peer in Compliance and Privacy is aligned with me; the Chief Privacy Officer is aligned with the CISO. Together, we develop the plans and manage execution. We have architected a cooperative model for cybersecurity that ensures appropriate checks and balances, that facilitates high levels of cooperation in achieving a more secure environment. This works at Intermountain.

The focus isn't on the CIO's reporting structure. Rather, what is important is that there is an appropriate focus and appropriate checks and balances on both security plan development and execution. A similar structure is employed at Penn State Hershey Medical Center, where the CISO reports to the CIO. According to the CIO, this partnership ensures tight integration and solid support for the cybersecurity program across the entire team.

Where the CISO should report is highly dependent on how the various roles accountable for cybersecurity are defined by the organization. Consider some other examples from CHIME members. At a large children's hospital, the CISO reports to the Data Security Officer. They want to look at analytics. The CIO for a multi-State provider reports to the Chief Technology Officer, who, then, reports to the enterprise CIO. CHIME members at several smaller organizations across the Nation report that they have the dual role of CISO and CIO.

There is no question that the committee's interest in this topic is timely and efforts in the healthcare sector to improve the industry's cyberhygiene must be met with similar efforts within HHS. On behalf of CHIME and my colleague healthcare CIOs, I sincerely thank the committee for allowing me to speak to the evolving role of the healthcare CIO, particularly as it relates to IT security. Thank you.

[The prepared statement of Mr. Probst follows:]

Mr. Pitts. The Chair thanks the gentleman and now recognizes Mr. McMillan, 5 minutes for your summary.

STATEMENT OF MICHAEL H. (MAC) McMILLAN

Mr. McMillan. Thank you, sir. Chairman Pitts, Vice Chairman Guthrie, Ranking Member Green, and members of the Health Subcommittee, thank you for this opportunity to testify today on this important initiative. I am Mac McMillan, CEO of CynergisTek, a firm that specializes in providing privacy and security services to the healthcare industry since its inception in 2004. I am pleased to be able to offer testimony in support of H.R. 5068, the HHS Data Protection Act.

I believe my experiences as former head of security for the On-Site Inspection Agency and the Defense Threat Reduction Agency, as well as my experiences from the past 15 years providing security services to the healthcare industry after leaving Government, have provided me with some unique and valuable insights on this matter.
I have served in information security roles of one type or another since 1982, when I first became an intelligence officer in the United States Marine Corps and was given responsibility for managing the battalion's classified information. In every role I have had since, the protection of information systems and data has been a core component of my responsibilities.

I sincerely support the elevation of the Chief Information Security Officer role to a position equivalent to other senior leaders within the Department of Health and Human Services and, in particular, the Chief Information Officer. When these two positions have equal authority, are both focused on a common mission, and work collaboratively, the CIO and the CISO form a complementary and effective team to ensure the protection of information assets for an organization. When there is disparity in these relationships, there is opportunity for conflicts of interest to arise, stifled or abbreviated discussion of risk, and an imbalance of priorities.

One of the questions I most often get asked by healthcare leaders and boards today is, where should the CISO report? Cybersecurity is far and away one of the most critical issues for our industry today, but, in particular, for healthcare, which has emerged as a popular target for cybercriminals, hacktivists, and state actors engaged in cybertheft, extortion, and high-stakes espionage. Since 2009 when the HITECH Act was passed and healthcare embarked on a wide-scale digitization of patient information, there has been an associated and steady increase in the number of cyber incidents in healthcare. The criminal community has perfected its ability to monetize stolen information and has created an elaborate dark-net marketplace for buying and selling hacking services, techniques, knowledge, tools, and the information itself.

Healthcare is particularly lucrative to attack because, unlike other industries, it represents a rare opportunity to steal all forms of personal information, medical, personal information, financial information, all in a single attack. At the same time, the healthcare computing environment represents one of the most complex and difficult to secure today. Multiple initiatives that seek to improve healthcare, such as Health Information Exchanges, Accountable Care Organizations, population health, telehealth, network medical devices, cloud services, big data, et cetera, also introduce greater challenges in securing information because they seek to share it more broadly than ever before. Add to this the sheer number of individuals accessing and handling health information, and it is easy to see that a CISO, let alone one in an organization as complex as HHS, has a full-time job attempting to stay abreast of the many cyber challenges that leadership needs to be aware of.

Security is best achieved as a top-down priority with strong visible leadership, disciplined practices, and constant reevaluation. What most healthcare organizations suffer from today in this area is lack of leadership. This resolution seeks to address the situation by creating a cybersecurity leadership post within HHS by elevating the CISO. Security programs are most successful when they are articulated from the top as an organizational or core mission priority, when there is visibility to the program, when risk is openly communicated and debated, and when every member of the organization intuitively understands that security is a part of his or her role.

In the Department of Defense, where I had the honor to serve for more than 20 years, security is second nature and understood from the most junior service member or civil servant to the generals and senior executives who lead our military services and agencies. In each service and agency there is a senior security official who is a full member of the executive staff with responsibility for ensuring the protection of organizational personnel, assets, information, and operations. That individual, like his or her counterparts, has a responsibility to the director or service chief of staff and to the broader protection of our national security.

From my earliest assignment as a Marine Battalion S-2 and Information Security Officer to my position as the Chief of Security for both OSIA and DTRA, I understood and had responsibility to ensure the protection of information assets, to constantly assess the risk and advise leadership on the right course of action to mitigate the threat. At both OSIA and DTRA, we had formal accreditation standards for information systems and sensitive information. The CIO was primarily responsible for procuring, developing, implementing, and managing information networks and systems in support of the agency's mission. My responsibility was to test, accredit, and monitor those information networks and systems to ensure they adequately protected the sensitive information they processed, stored, or transmitted. Both the CIO and I were peers, and we worked collaboratively to meet the agency's mission as well as the mandates from national security. The Director communicated that information security was a priority, and for every member of the agency, we had well-defined policies, procedures, and processes that both governed and guided our decisions and actions. When new systems and services were contemplated or introduced, it was necessary for security to accredit those before they could be made operational.

This leveling of the playing field between the CIO and myself resulted in a very collaborative environment, because neither one of us wanted to see something held up unnecessarily and both of us had a vested interest in deploying secure systems. So, early on in projects, our teams collaborated. This effectively streamlined review and testing times down the line and identified issues early, so that they could be resolved before they impacted accreditation. When I had a concern, I could address it to senior staff and the Director. Likewise, my counterpart, the CIO, could also make his argument when he felt security was too restrictive or impacting productivity. Leadership then had the ability to make informed decisions based on the merits of both of our arguments.

Mr. Pitts. Could you wrap it up?

Mr. McMillan. In conclusion, sir, I believe that this is a very necessary act for HHS to take.

[The prepared statement of Mr. McMillan follows:]

Mr. Pitts. The Chair thanks the gentleman, and thanks to each of the witnesses for your testimony. I will begin the questioning and recognize myself for 5 minutes for that purpose.

We will start with you, Mr. McMillan. One of the concerns we have heard with this proposal is that, because the roles of CIOs and CISOs are well-established throughout the Federal Government and many Federal Government mechanisms rely on those roles being the same across departments, that any change at HHS will disrupt HHS' ability to coordinate cybersecurity activities with the rest of the Government. How did you coordinate with other Federal departments and agencies when you were Director of Security with the Defense Threat Reduction Agency?

Mr. McMillan. Thank you, sir. We actually had a very formal process for doing that. The accreditation process for all of our systems within the Department of Defense depended on everybody in the Department following that accreditation process. So, all of the Directors of Security across the defense agencies and across the military services were essentially all marching to the same drum, if you will, in terms of how we managed our environments and how we accredited our systems.
We did that so that we could create a trusted environment between all of us to facilitate the sharing of information. We did that, also, with other departments and other agencies throughout the Government in order to share information there, because, as you know, the military services and DoD share information with the intelligence community, with Justice, and many other departments, as we work in interagency operations. So, we had to have a structure. So, that structure actually facilitated the ability for that communication to happen in a very effective way, in a very smooth way.

Mr. Pitts. Did the fact that you were ultimately responsible for cybersecurity and not your CIO counterpart impact the ability for you or the CIO to participate in intergovernmental forums and working groups focused on cybersecurity?

Mr. McMillan. Not at all. In fact, if I may, I would say that we actually shared that responsibility. I had responsibility for implementing the information security program or the computer security programs, but the CIO and I together shared responsibility for implementing the cybersecurity program or secure systems. And he had his committees and working groups, and whatnot, that he worked in; I had ones that I worked in. But, ultimately, we worked together very collaboratively up and down the line.

Mr. Pitts. Do you have any suggestions for how HHS might harmonize this reorganization with their participation responsibilities in Federal initiatives, in forums, or programs focused on cybersecurity, where the CIO is usually the agency's representative?

Mr. McMillan. Unfortunately, I am not completely familiar with how they are organized today within the Federal Government in terms of how that all occurs. But I would say that the CISO in this arena should interact with their counterparts across the Government. We had interagency committees on information security, on computer security that all of the Directors of Security participated in. And even for those agencies where there wasn't a Senior Director of Security who had responsibility like some of us did, those individuals still participated in those forums at that time. I am assuming they still do. I would just suggest that in this arena that what we are really talking about is leveling the playing field within HHS itself in terms of how it makes decisions.

Mr. Pitts. Mr. Corman, do you have any thoughts or suggestions in this regard?

Mr. Corman. The relationship has to be incredibly strong between the CISO and the CIO. It is just one of many stakeholders that has to have a strong relationship. So, the communication cannot be replaced. It is more a matter of when a conflict arises--and I have outlined several in my written testimony--they can now have an equal footing to resolve those. So, it is not about eliminating communication or siloing information. A CISO cannot succeed without successfully working with its executive stakeholders, and the CIO being a key one. So, I don't think this should be looked at as a siloing effort; more of a balancing of raising visibility and tension decision to a higher level.

Mr. Pitts. Ms. Burch, do you have any thoughts or suggestions?

Ms. Burch. I would agree with what has been said by the other panelists. I think this move of elevating the CISO, what it really does is it allows two complementary skill sets to come together. I think, as Mr. Probst mentioned, there is no necessarily one right way to do this, but ensuring that those direct channels to the executive leadership exist, to ensure that that risk management approach is there, and is factored into the decisions being made. I think we see them really as collaborative and the need for collaboration.

Mr. Pitts. My time has expired. The Chair recognizes the ranking member, Mr. Green, 5 minutes for questions.

Mr. Green. Thank you, Mr. Chairman.
From what I understand, the bill before us today relates to another piece of legislation passed late last year, the Cybersecurity Information Sharing Act of 2015. Since it required the Secretary of the Department of Health and Human Services to take certain steps to address cybersecurity, Mr. Probst, can you describe for the committee some of the steps that the Department is currently taking as a result of this?

Mr. Probst. Well, the fact that an individual is to be put in charge to look at the issue of cybersecurity, that it can be focused on someone to actually come up with a plan, CISA does a pretty good job of facilitating that effort, as well as the Task Force that supports some of the decisionmaking. So, I think it is incredibly important, CISA, that it is getting a good focus within Health and Human Services, as well as looking across the various areas of HHS and making sure there is strong coordination.

And let me just emphasize that, as we have been talking about the role of the CISO and the CIO. You know, I think, well, coordination is the key and cooperation. And architecting how you are going to do security is probably the most important aspect, I think, of cybersecurity, not necessarily where an individual reports. I think if the strategy is, by raising a particular position, and that somehow is going to raise cybersecurity, I don't think that is the case. I think the case is, if it doesn't permeate the organization in all aspects--I mean, a CISO, it really depends on the role. Like I said, at Intermountain that is a technical role to work and implement a plan. Most of that plan gets developed by compliance people, by legal people, by internal audits, and it requires the cooperation of all these pieces. So, I am less about where that role resides, and I think there are good arguments for the CISO to report other than the CIO. But the fact that what the CISO does, it impacts everything within our environment. It impacts our networks, our servers, our physical security, everything within the purview of the CIO. I think it is very difficult to make those too much at a peer level because there is a lot of coordination that has to happen at the technical level.

Mr. Green. How do you see the provisions in CISA working with the legislation we are considering in today's hearing?

Mr. Probst. Well, again, it goes back down to the coordination. Now it is not due until the end of the year. So, HHS has a lot of time still to focus on it, and we will see what comes out of that, the efforts of CISA. But I would, again, go back to it is coordination and cooperation across the areas and really getting a focused plan for how cybersecurity is going to happen within HHS. Then, I think I would make the decisions where the specific roles report.

Mr. Green. OK. Ms. Burch, in your testimony you note that ``it is not simply the organizational change of the CISO which would dramatically improve the security posture of the organization. The right people, process, and technology must be in place.'' Can you elaborate on what you meant by that point?

Ms. Burch. Sure. I think that point was meant to underscore the need for collaboration. So, it is not simply, again, changing the reporting structure and you automatically have a culture that elevates cybersecurity. It is about whether all the pieces are in place and whether decisions are being made across the organization to support security as a priority.

Mr. Green. In the short time that we have had the current law in effect, do you see that happening at HHS? And this is for our other witnesses, too. The coordination, the right people, process, and technology in place?

Ms. Burch. We believe that there is certainly room for improvement.

Mr. Green. OK. Mr. Corman?

Mr. Corman. At our public meeting last month for the HHS Task Force we had NIST come in and give a readout on the voluntary surveys they are doing.
Again, it is adoption of the voluntary cybersecurity framework. And they did point out that, while the adoption is comparable in certain aspects of the cybersecurity framework, some things like asset and inventory management were deficient, which is essentially a linchpin. If you don't know what you have and you don't know when it changes, it is difficult to do successful vulnerability management and good hygiene to avoid some of these attacks. And if you look at the broad swath of attacks, one of the most common elements is they are attacking known vulnerabilities that were avoidable and patchable with good hygiene. So, across the Government and the private sector there is certainly room for improvement. A hundred of the Fortune 100 have had a breach of intellectual property/trade secrets. No one can be heralded as doing an excellent job, but I believe giving increased focus and priority to this may encourage them to meet and exceed best practices.

Mr. Green. OK. Mr. Probst or Mr. McMillan, do you all have a comment on it, in my last second?

Mr. McMillan. I do not, sir.

Mr. Green. No? OK. Thank you, Mr. Chairman.

Mr. Pitts. The Chair now recognizes the Vice Chairman of the subcommittee, Mr. Guthrie, 5 minutes for questions.

Mr. Guthrie. Thank you, Mr. Chairman. And thanks to the panel for being here. My first question, actually, I would like all of you to address a little bit, but start with Ms. Burch. In your testimony you cited two statistics, and I think it is the heart of why we are here today. It is from the PricewaterhouseCoopers' study. One, you said that organizations that have the same reporting structure with the CIOs/CISO reporting structure as HHS has have 14 percent more downtime due to cybersecurity incidents and, also that they have 46 percent higher financial losses in organizations with the same reporting structure. Would you elaborate or tell us why you think that is? And, Mr. Corman, I think you cited the same statistics. So, I will let Ms. Burch and, then, Mr. Corman go second.

Ms. Burch. Mr. Corman may be able to better answer that question.

Mr. Guthrie. OK.

Mr. Corman. This is one study; it is a popular study. There is a lot of anecdotal evidence of things like this. One of the reasons, for example, just to give you a concrete, is a CIO is often responsible for and measured by uptime and availability of services. And oftentimes, it is required and necessary for security teams to interrupt uptime to do security assessments or to do healthy security patching to maintain hygiene and reduce risks and exposure. So, that natural tension usually leads to the CIO winning. And if you put off the hygiene and the remediation to enclose exposures for a long enough time period, it can exacerbate the magnitude and the duration of a breach or an outage.

Mr. Guthrie. OK. So, Mr. Probst and Mr. McMillan, would you like to address that? Why do you think this structure leads to higher downtime and higher financial losses?

Mr. Probst. Again, I think it really comes down to how you define the roles of the CIO and the CISO and what their priorities are. As I mentioned in my testimony--and this is serious--when I talk to my team, I would rather lose all of our systems than have a serious breach. Now I don't know if that is common across every CIO in the industry and it may be unique to just Intermountain Healthcare and the focus our board and our leadership has put on it. But, because of that, I wouldn't have the tension that Mr. Corman mentioned about. We would do the things we need to do to do the best job we can to secure our systems.

Again, the role of CIO in healthcare varies dramatically. If you are a small, 20-bed hospital in the middle of Indiana, you are the CIO, you are the CISO, and you are the guy that changes the ink in the printers because that is what you have to do because of the nature of our business. So, I think because the roles are so different based on the organizations, and even the emphasis they have placed on security, it is going to be different. I think it goes back to what Ms. Burch said. She talked about how you have to architect this, how it is a holistic approach, and if you have a plan, then you can put the pieces in place to make that plan work. So, thank you.

Mr. Guthrie. Mr. McMillan?

Mr. McMillan. I would like to answer that question with three things: one, some anecdotal information, and the second one, some of my own personal experience, and, then, why I think it is important.

The first one on the anecdotal side is my company works for hundreds of hospitals across the Nation. And I can tell you that not every hospital shares Mr. Probst's philosophy on how to manage security. Marc has been one of the most outspoken proponents of security that I have worked with over the last 15 years in the healthcare industry, and his organization is probably one of the best out there, bar none. But, unfortunately, that is not the norm. If you look at the breaches that we have had in recent time and you look at my testimony, I think I put one telling tale in there that goes to what was commented on earlier. That is, over 90 percent of the breaches that occurred last year occurred with a vulnerability that was more than a year old, and more than 50 percent of those occurred with a vulnerability that was 5 or 6 years old, meaning there was a fix; there was a patch that somebody could have applied. There was a configuration that somebody could have made. There was a port that somebody could have closed. There was a policy that somebody could have pushed out. And those things weren't done. Unfortunately, that gave the bad guys an opportunity to get a foothold and, then, do harm in our environments.
So, I have seen organizations where they have put off what I call the blocking and tackling or the housecleaning, the hygiene, because they are too operationally focused on the number of projects they have. Some of our hospitals have literally hundreds of projects on their project board that their IT teams are trying to get done. And then, somebody says, ``Oh, by the way, you also have to do this patching and fixing and hardening,'' and all these other things that take care of systems day-in and day-out. Unfortunately, what happens is the pressure is on them so intensely to roll systems out, to roll services out, to roll productivity out, that, unfortunately, it does create conflicts and they do make choices. Sometimes those choices are not the best ones from a security perspective. Mr. Guthrie. Thank you. I am about out of time. Actually, I have run out of time. So, I yield back. Thank you for the answer. I appreciate it. Mr. Pitts. The Chair thanks the gentleman. I now recognize the gentlelady from California, Ms. Matsui, 5 minutes for questions. Ms. Matsui. Thank you, Mr. Chairman. Mr. Corman, I understand you are serving on the HHS Cybersecurity Task Force which was created by Congress in the Cybersecurity Information Sharing Act at the end of last year. Can you elaborate on the work that the Task Force is doing and what types of industry best practices you are reviewing? Mr. Corman. So, we are very early in the stages. We have had three meetings to date of the 12 that were prescribed. What we have been doing is inviting exemplars from adjacent agencies which may have instructive lessons for us. For example, we brought in the financial services ISAC and the Financial Services Sector Coordinating Council to explain, as they are the tip of the spear for innovating new ideas and more effective ideas that threaten information-sharing, risk reduction. 
One thing the FS-ISAC introduced that is very attractive, for example, is the idea of requiring a software bill of materials from their third-party IT providers through their contract language. What this allows them to do is understand the known vulnerabilities they are inheriting at procurement time to make more informed free market choices. And No. 2, it allows them to do an impact analysis of am I affected and where am I affected when there is a new attack like this ransomware with JBoss, for example. So, we are trying to bring them in. We have brought in the energy sector as well. While they are not as mature as the financial services sector, they do share similar consequences of failure to the medical field, where it could be measured in life and limb, where bits and bytes meet flesh and blood. And on the docket, we have more testimonies coming in from adjacent sectors. So, we are trying to grab the best from each, recognizing fully that medical and healthcare do have some unique challenges that won't be represented by others. Ms. Matsui. OK. Now you also in your testimony outlined six factors that contribute to the success of a cybersecurity program, including the reporting structure, which our bill would address. You also cite several metrics that demonstrate the improvements that organizations see when the CISO does not report to the CIO. Would you expect those factors and improvements to hold true across both the public and the private sector? Mr. Corman. Many of them do. This is a nascent field, and I encourage the parallel experimentation. So, for example, none of us expected it was a good idea for a CISO to report to a general counsel. It didn't make sense. It turns out it is one of the best reporting structures for protecting intellectual property and trade secrets and anything material to the business. So, it is through that experimentation and comparatives that people make these decisions. 
I have seen excellent relationships where the CISO does report to a CIO, much like Mr. Probst has indicated. It is just not universally the case. In general, depending on the most acute needs of the organization, you may orient differently. Ms. Matsui. Right. OK. Ms. Burch, in your testimony you quoted a study that found that reporting to the CEO or the board of directors rather than the CIO significantly reduces downtime and financial losses resulting from cybersecurity incidents. Can you talk a little bit about how that idea of reworking organizational structure would translate to an agency like HHS? Ms. Burch. Absolutely. I think, again, it gets to the prioritization of security concerns. Where does security exist in the culture of the organization? Is it a top-down or is it sort of bottom-up with a lot of roadblocks in between? So, I think it is very likely, and I think the hope would be, that that would translate. But, again, I think we need to see how a different reporting structure would play out. Obviously, Mr. McMillan has some experience with that to be able to say, you know, were there equal experiences and can they translate? We think that they can, and we think that, whether the reporting structure is to the general counsel or to, in this bill, the Assistant Secretary for Administration, that an alternate reporting structure that elevates security in the case of HHS would be positive. Ms. Matsui. Right, and I know that we are focusing on HHS here, trying to develop a model here, and knowing that each of the departments/agencies are not similar. However, having said that, I think that there is a lot of focus on this because I think we all believe, based on what has been happening, that health data is especially sensitive or vulnerable to attack. And if you think about HHS today, how would you suggest HHS build on the current efforts to take the lead on protecting our health data? Ms. Burch. 
From the HIMSS perspective, we think that the Cybersecurity Act of 2015 started us down that path. I think it forced HHS to elevate its role in working with the private sector. I think more and more it is not just internal to HHS, but it is how the information is flowing through the Department. It is coming in many forms. It is coming from many different places. As it comes and goes, there needs to be strong collaboration with the private sector as well. So, I think it is not possible to talk about this issue just in a silo. Ms. Matsui. Right. Yes? Quickly. Mr. Corman. I think that what is often lost is that it is not simply patient information. There are billions of dollars of intellectual property from the private sector contained within the remit of this agency. That is a very attractive target to nation-states or adversaries. Ms. Matsui. Right, and I see the small discussion we are having here is a very complicated thing moving forward. So, this is really the first step. So, thank you. And I yield back. Mr. Pitts. The Chair thanks the gentlelady, and now recognizes the gentleman from Illinois, Mr. Shimkus, 5 minutes for questions. Mr. Shimkus. Thank you, Mr. Chairman. My colleague Jan Schakowsky is over there. Tomorrow is her birthday. And even though she did not vote for my bill, I want to wish her a happy birthday. [Laughter.] One of the few in the whole country, but I didn't want to call you out. [Laughter.] Mr. Green. Mr. Chairman, you only had 12 votes against you, is that correct? Mr. Shimkus. I wasn't really counting. [Laughter.] So, welcome. And, Mr. McMillan, Brett Guthrie is also an Army guy; I am an Army guy. So, Marine intelligence is kind of an oxymoron, isn't it? [Laughter.] So, we are going to take your testimony with a grain of salt here. [Laughter.] No, it is great. This is great because this is really about organizational structure. As a military guy, someone has to be in charge. I mean, that is really the basic debate. 
And you can have good people come in, in Mr. Probst's testimony, but when I was watching you all in the testimony shaking your head or nodding yes, it is my view, watching the body language, that Mr. Probst's story is more unique than the norm. Is that true to the rest of the table? Mr. Corman, go ahead. Mr. Corman. As I said earlier, I have seen excellent relationships when the CISO does report to the CIO. It is the historical orientation. And when you have two excellent individuals who have excellent collaboration and they unify their goals and measurements, you can have success, but that is often in spite of the reporting structure, not because of it. And that is why I can acknowledge the truth of his experience and know that it may not be as universally repeatable. Mr. Shimkus. OK. In common language, you are saying that is unique, not the norm, from your observation? Go ahead, you can say it. It is all right. Mr. Corman. Yes. Yes, it can succeed; it can often fail---- Mr. Shimkus. OK. Mr. Corman [continuing]. More often fail. Mr. Shimkus. Ms. Burch? Ms. Burch. I would agree. I think in what we have seen across the sector, it can certainly work, but, again, it is about the culture of the organization. Mr. Shimkus. Right, right. And, Mr. McMillan, obviously. Mr. McMillan. So, first of all, I would like to say that there are some excellent CIOs out there who do care very much about security and they do an excellent job in supporting their CISO and supporting the program and their organizations. The problem I have with leaving it up to personalities is that I don't trust personalities. 
I want structure, so that there are reporting responsibilities, so that there is, as you say, a responsible individual, regardless of what the personalities are involved, that says in the morning, ``It is my responsibility to secure this organization and this organization's assets, and it is my responsibility to raise the alarm when I see something that is risky,'' regardless of whether it is popular, regardless of whether it is going to get in the way of progress at the moment, regardless of what the issues are. Any good CISO, any good Director of Security understands that they don't drive the train; they are there to support. And they understand that they have a responsibility to raise the alarm with respect to risk and to identify what those risks are and to understand what they are in a balanced way with respect to what the organization is trying to accomplish. But you don't shy away from doing it. My concern is that, when you leave it to personalities, that may not happen. Mr. Shimkus. And that is your experience, I mean when you did the DoD stuff? Mr. McMillan. It has been my experience working with organizations in healthcare. It has been my experience in the Government as a Director of Security. Mr. Shimkus. And I think we are talking on the same issue, and I am going to stop real quick. But just my point of contention will be the same. You have to have someone in charge, and people are going to be moving in and out, especially at the Federal agency in this line of work. And one good working relationship, one movement could just change that. Anybody else want to add anything? Go ahead, Mr. Probst. We were picking on you. Mr. Probst. Well, yes, thanks for picking on me. It is good to be unique, I think. 
I would say, on a bed basis across the country, if you talked to the CIOs that manage the largest numbers of beds across the country, you are going to see their structure very similar to the structure that Intermountain Healthcare has, where the CISO is reporting up to the CIO. Now that can be changing, and I am sure of that, but, again, you are talking about more sophisticated organizations. And it has worked incredibly well. And I go back to what you said, sir, which is, who is accountable? And we make really important decisions. I have told you what I feel about the security of the data and the systems, but our systems also save lives on a daily basis. We have to make decisions that are critical. We may have someone sitting on a table where now the technology is providing---- Mr. Shimkus. Yes, my time is almost done, and I appreciate that. The hostage-taking that has occurred on major hospital systems and when people have to go to paperwork transactions, it just really risks people's lives, and we have got to get on top of this. I think that is the same thing with Federal agencies. I thank you for your testimony. I yield back, Chairman. Mr. Pitts. And the gentleman yields back. At this time, we will go to the president of the John Shimkus Fan Club and the birthday girl, Ms. Schakowsky. [Laughter.] Ms. Schakowsky. I thank you for pointing out my aging. [Laughter.] No, thank you very much. I wanted to ask Marc Probst a question, but I wanted to start first by just thanking all of you for joining us today on this very, very important issue. I mean, how common data breaches are is just incredible. There have been more than 112 million healthcare records that were breached last year. It sounds like just about everyone. 
I understand that these records are rich with personal information, which usually includes a patient's Social Security number, which is used as an identifier with a bevy of other personal information, as the patient moves through the treatment continuum. Access to such information, then, enables all those bad actors out there to execute identity theft and fraud, which we have had hearings on that, too, as a growing problem. So, Mr. Probst, I know you talked about it, but if you could just summarize, what can we do to make electronic healthcare records less of a target for hackers? Mr. Probst. Well, I don't know about making them less of a target. I mean, one thing we could do is look at how the data is being used within those records and try to stop any abuse that might be coming. Now, if they are going out and getting a new credit card, that is going to be hard because we are going to have that kind of information. There is just no way we are not going to have it. But I think one thing we could do and should do, and I think we are beginning to focus on, is getting to a better identification system, so that we can have a national patient ID that actually is consistent across the industry. That really helps us to not have to carry a lot of data that we otherwise have to have to identify a patient in any kind of situation, whether it is in a hospital or a clinic or elsewhere. So, I do think there are things we can do like those types of standards that will help us to protect the data. Ms. Schakowsky. Would this be instead of--give us an opportunity to remove, for example, Social Security numbers and substitute something else? Is that what you are saying? Mr. Probst. I am saying that, yes, if we didn't want to have the Social Security number out there--we use that as an identification tool, as we use address, as we use age, as we use all these different data items. 
If we could come with a very unique way of identifying the patient, there are certain pieces of data that we wouldn't need that, clearly, the bad guys are looking for. Ms. Schakowsky. And what do you think that Congress can do to aid healthcare organizations, especially small and rural providers, for them to be able to better protect their patient data? Mr. Probst. Well, again, going back to some standards on how we are going to--even things like HIE, and Mac brought that up earlier, Health Information Exchange, we don't have good standards right now to do that. And so, you have all different kinds of technology out there trying to do things within healthcare to make it better. If we could get better standards on how we interchange data, on how we store data, what the data looks like, like I said, identifiers, that is going to help everyone because, if we can figure it out in a large organization, we can then share those capabilities with smaller organizations. But, right now, they are kind of on their own. Ms. Schakowsky. Let me just ask everyone, is there any hope that we could establish a zero-tolerance standard, given it seems like we make a change and, then, the hackers improve on it? Yes, Mr. McMillan? Mr. McMillan. Yes, ma'am. That would be, in my opinion, a very unwise thing for anybody to try to do in the security realm. Security is such a dynamic phenomenon in that everything about security as it relates to systems is changing as we sit, as we sit here talking. I mean, the environment changes; the threat changes; the systems change; operations change; the network changes. The number of changes that an organization has to manage that can affect the security or the risk of a system is incredible, and it is constantly changing. There are things that we don't know yet. For instance, right now, this whole focus on ransomware, in my opinion, is focused on the wrong thing. Ransomware is not what we should be focusing on.
That is just one form of malware that is affecting systems. There are hundreds of forms of malware that affect systems. What we ought to be focusing on is the impact of that particular malware or malware in general, which means we should be focusing on things that take systems down and make them unavailable to health systems to serve patients. If we want to make a change, increase the penalties that people stand to face if you do something that interferes or disrupts a hospital's ability to deliver care, regardless of the way you do it, whether you drive a truck through the door into the data center or whether you send some sophisticated ransomware in there. At the end of the day what is important is that the data is not available to take care of the patient, not how it happened. Ms. Schakowsky. Thank you. Thank you very much. I yield back. Mr. Pitts. The gentlelady yields back. At this time, we recognize the gentleman from New Jersey for 5 minutes, Mr. Lance. Mr. Lance. Thank you, Mr. Chairman. Good morning to the panel. Mr. Corman, in your testimony you spoke briefly about some of the reasons that the current CIO/CISO reporting structure at HHS might create conflicts of interest. Could you provide us with some examples from your professional experience in this regard? Mr. Corman. I did put a few in the written testimony. But, verbally, often there is a project to roll out a new service, and the time to do so involves software development, procurement, a number of things. In that long relay race, one of the stages needs to be security. That is usually the one cut to make sure that you deliver on time and on budget. So, you can often have a CIO deploy the service before it is seaworthy, before it has been properly assessed, before the vulnerabilities have been enumerated. So, that is one of the areas where it is a conflict of interest to try to tack it onto the end and usually run out of time and budget. 
Another one is a zero-sum budget where you can either buy a new server or a new security appliance. If the CIO is more measured on supporting business intent as opposed to being compliant or reducing risk, they tend to buy the things that are more familiar to their schooling, their experience, et cetera. And these don't always have to occur, but there will be natural tensions like that. Mr. Lance. And how do you think we should address this issue, working with experts like yourself? Mr. Corman. Well, it is a tough problem. That is why we have the Task Force. And we are quite overwhelmed by it, especially because these environments are target-rich but resource-poor. Mr. Lance. That is an interesting way to sum it up, target-rich but resource-poor. I think that is critical to an understanding of this. Mr. Corman. Yes. I think one of the things that we did not say yet, but is worth noting, is when a security person is inheriting IT choices made without them, there is only so much they can do to secure them. If you flip the relationship and they are more peers, a security person can help make the more defensible and securable IT choices. So, there are certain things you could buy in your life that are harder to maintain, for example. One of the benefits of having these relationships be peers is they both have criteria for which cloud service to choose, which servers, which laptops. And if it has more informed criteria out front, the total cost of ownership later from a security perspective goes way down. Mr. Lance. Is there anyone else on the panel who would like to comment? Perhaps Mr. McMillan? Mr. McMillan. Yes, sir, and I think I alluded to this in my testimony.
When there is a balance between those two roles and the security person owns the process for evaluating the technology before it is deployed or as it is being deployed or as it is being developed, what you end up with is the shortcuts that were just alluded to don't happen because, when I see that shortcut not happening, I say, wait a minute, we have to do the testing; it is time for testing, or it is time for doing whatever. When the IT organization owns the process from soup to nuts and security only comes in at the end, there is opportunity for things to get missed as it relates to staying on track or on schedule. Now, again, that doesn't mean that everybody is skipping steps or everybody is not doing things, but there have been instances where we have deployed systems or organizations have deployed systems, clearly, that everything wasn't taken into consideration that should have been. And primarily, it was because security wasn't addressed at the beginning of the project; it wasn't until the end. As the gentleman on the end said, once you select a product and you implement that product and deploy it, if things have been missed that are critical, it is very difficult to bring that back in. Mr. Lance. Ms. Burch or Mr. Probst? Mr. Probst. Well, I hate to keep coming back to roles. But, listen, if the CIO is cutting corners around security in healthcare, you have the wrong CIO. And I believe that is starting to be seen more and more within organizations in healthcare. It is relatively new. Six years ago, information security in Intermountain Healthcare was two people, and they mostly worried about passwords. It is now 50. So, it is different. Mr. Lance. And this, of course, is the wave of the future, and we all have to be concerned, so that security is protected. Mr. Chairman, I yield back half a minute. Thank you. Mr. Long [presiding]. The gentleman yields back. At this time, we will recognize the gentleman from New York, Mr. Engel, for 5 minutes. Mr. Engel. 
Thank you, Mr. Chairman. Thank you for convening today's hearing. Mr. McMillan, you mentioned in your testimony that healthcare has been characterized as being a soft target for cybercriminals, an idea that I think we can all agree is quite unsettling. Has healthcare always fallen into this category and, if not, how did it come to be a soft target? Mr. McMillan. So, I think, sir, that healthcare has always been in this category, and I think it is just of late, as the threat has focused more and more on healthcare, that it has become so apparent. I mean, if you look at the evolution of the incidents that we have had in healthcare, they closely track the evolution of how we have evolved in healthcare as well with respect to our systems and our data. I mean, you can actually go back to before 2009, before meaningful use and before electronic health records and before we started digitizing most of our patient information, and you can see a marked difference between the kinds of issues that we had or incidents that we had back then and the types of incidents that we have had from 2009 on. Those incidents have done nothing but increase as time has gone by and as cybercriminals have figured out that, one, they can monetize this information and they can make a business out of it. That is really what it is. I mean, I saw a study just this past week that said we are looking at $6 billion in revenue in cybercrime this year. That is not crime anymore; that is an industry. And that is the way we need to look at it. You can go out there today and it is very simple for just about anybody to get involved in this industry. You go out there to the dark-net and buy services, buy techniques, buy tools, buy exploits, buy information, and it is all readily available. And that is why it is growing so exponentially. And healthcare, up until just recently, had not really been focused on security. As Marc said, a few years ago he had two folks in that department; today he has 50. 
An organization his size, I would never have imagined that they only had two people. But I can tell you, when I left the Government in 2000 and came out into the private sector and started working with healthcare, I was absolutely appalled at the state of security at most of the hospitals that I went into at that time. Mr. Engel. Yes, Mr. Corman, you wanted to comment on it? Mr. Corman. Yes. I sometimes think it is in terms of just normal police work. It is motive, means, and opportunity. And I think it is undeniable that, as we connect more medical technology and meaningful use--I posed a question to the Task Force. I said, ``Is meaningful use our original sin? Did we basically throw gasoline on the fire by essentially encouraging that we connect everything to everything else before we had done proper design and threat modeling, and whatnot?'' Of course, there are benefits to that and, of course, we are about to do the same thing again with precision medicine and machine learning and big data. We have to understand the tradeoffs between those. So, I would say I just saw a chart yesterday from IBM, Pete Aller, showing that the top five data records stolen in the prior year didn't have healthcare on them, and last year, the most recent data had it No. 1. So, I think one of the reasons you have seen more records isn't that they weren't vulnerable before. It is that, as we have more opportunity and more connectivity and we now have the motive to go with it, this is going to accelerate, I believe. Mr. Engel. Thank you. Mr. Probst? Mr. Probst. Yes, I think one other issue to think about is in healthcare our systems weren't built to be protected. We weren't the NSA figuring out how are we going to build a system that no one else can externally get into. We built systems so that people could have immediate access across lots of different platforms and places, so they could save someone's life in the time that it was needed. And that is how our systems were built. 
And now, we are going back and saying we have to architect these a little bit different; we have to change them because we have a lot of important data to protect. I think we are soft for a number of reasons, but that would be one of them. Mr. Engel. Thank you. Ms. Burch, let me ask you a question. You noted that a significant security incident might not only endanger patient privacy, but could also disrupt patient care. Can you provide any examples in which a disruption like this took place? And I ask this because I would like to understand how severe this kind of disruption might be. Have treatment plans, for instance, been interrupted? What kinds of effects have these disruptions had on patient outcomes? Ms. Burch. In our experience in talking to our members, certainly, when you don't have access to information and you have a patient you need to treat, more and more as we are automated and that information is included in the electronic health record, you can't just pull a paper chart and, all of a sudden, you have got all the information there. So, I think the concern is whether it is an attack that prevents access to information, or whatever it might be, that there are real potential negative patient outcomes here. And that goes with the privacy side, that you have both internal and external risks that you are facing. Certainly, many privacy issues stem from security issues. So, was there an inappropriate disclosure by a staff member because access was granted when it shouldn't be, or something like that? So, I think it is possible that Mr. Probst might be able to provide experience that he has had personally. But I think, generally, that is what we have heard from our members in terms of, yes, I mean, they think about this in terms of potentially lives lost. It is that serious. Mr. Engel. Well, thank you. Thank you all very much. I very much appreciate your testimony. Thank you, Mr. Chairman. Mr. Long. The gentleman yields back. 
And at this time, I will recognize the gentleman from Virginia, Mr. Griffith, for 5 minutes.

Mr. Griffith. Thank you very much. I want to make a couple of comments before I ask a couple of questions. First, this is one of those hearings that we won't see extensive coverage on CNN or the nightly news, but we appreciate your being here. One of the reasons that you won't see it is that it is a bipartisan bill trying to solve problems for Americans where nobody is shouting at anybody or making any accusations against the folks who are here, and both sides of the aisle are generally in agreement. Mr. Long, you and Ms. Matsui have come up with a good idea, and I commend you for that.

Mr. Probst, I like the way you look at this. This bill, of course, deals with HHS that we are talking about today, but there has been a lot of discussion about what hospitals should be doing. One of my early concerns before you made your comments was, OK, wait a minute, one-size-fits-all from Washington doesn't usually work. You made that point very well in a larger system like your own, talking about separating the CIO and the CISO. You all have made a great case for that today. But, in the 20-bed hospital where the CIO is also changing, I think you said the photocopier toner or something along those lines, it doesn't necessarily make sense, although we have to be vigilant.

Also, in your testimony, Mr. Probst, I noticed that you touched on device manufacturers related to HIPAA. Because there will be some folks, probably insomniacs, who will watch this, could you explain that dilemma? I am very concerned about HIPAA issues, and I thought it was a very salient point that you made.

Mr. Probst. Well, HIPAA gives us good guidelines on the privacy and security that we should apply to all of our information. Specific issues around medical devices, they don't have the same level of sophistication around cybersecurity, at least historically they haven't. And we have a lot of old medical devices.

I think they are getting much more aware of it today. But today we have thousands of medical devices. They are all connected to our networks. They are essentially computers. They have personal health information on them, most of them, and they become a pretty interesting entry point for the bad actors to get into our networks. It doesn't take much of a crack in the hull for the water to start pouring in. So, that would be my major concern with medical devices, is just how we have been able to treat them. Because they are regulated by the FDA, most of them, I assume all of them--I don't know--but because they are regulated, many of their operating systems are decades old. So, we don't have all the patches that Mr. McMillan talked about that we can apply to it to get the security at a level that we want. So, medical devices I think are something we are paying attention to as an industry, but we are going to have to pay a lot more attention to.

Mr. Griffith. And when you talk about they are regulated by the FDA and, therefore, some of them have operating systems that are decades old, that is because if there is any change, it has to go back through the process----

Mr. Probst. Exactly right.

Mr. Griffith [continuing]. To be reapproved by the FDA? So, what you are suggesting is that, maybe in the same bipartisan spirit that this bill was put together, some of us might want to be looking at a way that we could change at least for the security side, say that if you do a patch on security issues, it does not have to go through that FDA process? I know you haven't had time to think about it, and maybe you want to answer that question later.

Mr. Probst. Yes, maybe----

Mr. Griffith. That is a reasonable conclusion, is it not? Maybe put it that way. Would that be a reasonable conclusion for someone like myself to make?

Mr. Probst. I think that is a reasonable conclusion, that it should be looked at. I don't know the exact answer----

Mr. Griffith. Sure.

Mr. Probst [continuing]. For the FDA, but it definitely needs to be looked at.

Mr. Griffith. And I appreciate that, and that is why I love coming to these hearings and listening, because there are often things that you learn that you never thought you would. And that sounds like a good suggestion. I do appreciate it very much, all of you being here. You have really opened a lot of our eyes and convinced me this is (a) a good bill and that, in fairness, every healthcare provider in the Nation ought to be reexamining what they are doing and see what fits for them to try to give us some more security in these areas. With that, Mr. Chairman, I yield back.

Mr. Long. The gentleman yields back. And I believe Mr. Corman wanted to add something.

Mr. Corman. On that point, the I Am The Cavalry group, founded by volunteers, we are specifically focused on cybersafety for connected medical devices. And many of them are very hackable. There was a recent DHS ICS-CERT announcement on a single device that had over 1400 known vulnerabilities in it. But, to clarify, we have been working with the FDA, the Food and Drug Administration, on their guidance for connected cybersafety in medical devices. Their pre-market guidance has clarified that you can, in fact, patch without going through recertification. There has been poor education awareness that that has been clarified, and some vendors claim that it can't patch, even though it has been clarified repeatedly that they can. And, No. 2, this January the post-market guidance for ongoing care, feeding, and hygiene for those devices has also been published, and the 90-day comment period is closed. So, the FDA is taking actions to modernize the very things you are concerned about. I think there is a long way to go, but they are on the right journey.

Mr. Griffith. Thank you. I yield back again.

Mr. Long. Thank you. And at this time, I will recognize myself for 5 minutes. Ms. Burch, in your testimony you talked about the evolving role of the Chief Information Security Officer and how information security has evolved into a risk management activity. I think most of us hear this job title and think about firewalls, antivirus, not risk management. Can you elaborate a little bit on what you mean by that?

Ms. Burch. Sure. So, we think it is important in this role to be looking at the business risk that is faced by the organization. So, we don't like to think of healthcare as businesses, hospitals as businesses, but, you know, in functioning in that way, they have to keep their doors open and they have to treat patients, and they have certain business missions that they are trying to work through. So, for us, we think that it is really important to look at the range of risk and the way that the CISO looks at the range of risk in terms of working with the various other executives, whether it be the general counsel on legal and compliance risks, or whatever it happens to be. So, it is looking sort of across the entire organization at why are we securing our information and assets. What are we trying to prevent from happening? First of all, being harm to patients, but there are certainly other risks involved.

Mr. Long. OK. Thank you. And you go on to state that, because the Chief Information Security Officer is now a risk management position, that it should be moved out of its traditional subordination to IT. Can you connect the dots for us? Does the fact information security is currently subordinated to IT mean that the risks aren't always appropriately communicated to officials higher in the organization?

Ms. Burch. That is what we have heard from our members in certain situations. Again, every situation is unique and, as we said from the beginning, it gets back to the organizational culture. But we have certainly heard of instances where operations has been prioritized over security.
One example that we have heard is you have a device, let's say a bedside monitor that works really well in its base function. You know, the medical staff is happy with it. However, said device happens, also, to be operating on Windows XP, which is obviously no longer supported. Therefore, it is very vulnerable to attack that could result in substantial harm to a patient. So, I think that is sort of an example why we need to level the playing field at least in terms of elevating security within organizations.

Mr. Long. Mr. Corman, you had something?

Mr. Corman. Yes. One change in IT in business models, even in the Federal Government, is the increased use of third parties and supply chain partners and third-party services. And the CIOs, traditionally, while they can inform and create criteria for the selection of those third-party services, they have less operational visibility and control over them. So, it has been increasingly important for the CISO to provide upfront guidance and ongoing audit against those third-party risks as we become more dependent on third-party technology.

Mr. Long. I have a sign in my office that says, ``Bring back common sense.'' And it is the most commented sign or anything in my office. People always say, ``That is exactly what we need to do.'' And I know that Mr. Probst, as the CIO of his organization, is very much in tune with the CISO and gives that person everything they need. But, for any of the panel, in my last minute here does anyone care to comment? Doesn't it make common sense that, if someone is charged with being a Chief Information Security Officer and they want to implement new systems, and then, the person above them has bigger fish to fry and doesn't care about that right now, doesn't that lead to the types of things we saw at HHS, Mr. McMillan?

Mr. McMillan. Yes, sir, it certainly can.
But I will have to go back to something that Marc said because I do absolutely agree with him that it is not just about the position; it is also about the processes and the structure within the organization as a whole, and how the leadership of the organization views security as well. The reason Marc is able to do a lot of the things he does and the support that he gives his CISO is because he also has the support of the rest of the executive team for his model. There are situations where that isn't necessarily the case. Again, it gets back to what I said earlier, and this gets back to your comment about common sense. Anytime we leave it up to people, people will disappoint us, and that is one thing that we have learned in security. They will make bad decisions. They will make good decisions for the wrong reasons. I mean, there are all kinds of things that can happen. What I have come to understand over the years in doing this is that, when there is a separation of duties and there is a clear delineation of responsibilities, and both parties are doing what they are supposed to be doing and communicating openly, and the leadership has the ability to hear both those arguments, they make much better decisions.

Mr. Long. Mr. Probst?

Mr. Probst. Yes, I mean, if the CIO at HHS' job is to be the tech guy, to go install systems and monitor networks, and those types of things, and it isn't around highest security, then, by all means, the CISO should report somewhere else. If the CIO's job is to protect the data and to do all those other things that I mentioned, then, potentially, maybe the CISO should report to the CIO. But it goes to what Mac just said: what are the accountabilities? What are the responsibilities you are putting on those roles? And then, see that they do it. But this is a major issue, you know, security.

Mr. Long. But the person charged within it should be able to make the final decision, should they not if----

Mr. Probst. They should.

Mr. Long [continuing]. They implement a security system?

Mr. Probst. They should.

Mr. Long. OK. Thank you all for your time. And at this time, I am going to yield to the gentleman from New York, Mr. Collins, for 5 minutes.

Mr. Collins. Thank you, Mr. Long. I want to follow on that with Mr. Probst and Mr. McMillan because I absolutely agree with the comments you just made. I spent my life as a CEO in the private sector; in fact, was CEO of the largest upstate county in New York. And at some point, a person has to call the shot because you are always going to have the potential--you are not going to have perfection. We are saying there will always be some differences between operational efficiencies and security, always. I can make it 100 percent secure and we do nothing or I can open it wide up and be as efficient as you could imagine and have a lot of backdoors. So, a person, an individual, a human being has to make a judgment call, correct?

Mr. Probst. Yes.

Mr. Collins. All right. So, what you have to have in an organization is a good, smart person with common sense to make that judgment call, understanding the potential consequences, which may be different with a medical health record than something else. I mean, they have got to make a judgment call. In hindsight, if something goes wrong, they are always going to be attacked on that judgment call. So, I guess I am somewhat ambivalent on this, only in thinking, when there is a disagreement on security and operations, it goes to someone else. Now, if it goes to the CEO in a small company, the third time those two people walk in his office will be the last time they walk in his office because he has got too much going on, and he is going to say, ``You know what, Joe? You are now in charge of both. Sam, you report to Joe. You have security and other operations. You figure it out. Your head is on the line. Get out of my office.'' That is how a small company would work. Now HHS is different. It is a huge organization.
But, at some point, these two concerns come together and somebody has got to make the call. I think, Mr. Probst, as you pointed out, the right individual, given guidance by the person in charge and the board of directors, or whatever, could be the CIO, and everything would be fine. On the other hand, if the organization is inept, then it would never be fine. So, I am just sitting here--at some point, Congress has a role to play. At some point, you have got to hope the President appointed the right person to be the Secretary of HHS, who, in turn, appointed the right person here and here. And I just have to wonder sometimes, is it Congress' role to get into the operational structure of an administrative department or do we need to just trust that smart people are in Government? I mean, what would you say to that, Mr. Probst? Should Congress be micromanaging at a CIO/CISO level and writing job descriptions?

Mr. Probst. Well, I don't believe they should personally, but that kind of just puts aside everything that we talked about today. I mean, the things have to happen, right? You have to have an architecture. You have to have an approach, and you have policies.

Mr. Collins. Correct.

Mr. Probst. If you do, you can have smart people. The one thing we didn't talk about while you were speaking, sir, was the presidential appointment of the CISO. That concerns me a little bit as well because now you are going to politicize a really important role. If you have smart people as the Secretary of HHS--by the way, I think we do, and there is some very good leadership there--they ought to be able to find the right person to do it.

Mr. Collins. Oh, no question. No question.

Mr. Probst. But that is part of this role.

Mr. Collins. Yes, Mr. McMillan, do you have a comment, having come out of DoD?

Mr. McMillan. I agree with that as well. I think, again, it gets back to having all the different components.
And you are right, if you have the right structure, if you have the right expectations in terms of how we do things, then you are right, smart people can make good decisions and they will do responsible things. I think it is a combination of all those things. But, even so, my experience has been that there does need to be that open communication with respect to managing risk. And there have been countless situations where the IT organization, which ultimately at the end of the day is responsible for delivering services, has numerous pressures put on them to meet deadlines, et cetera, things like developing software where we have to hit a deadline to meet software. So, we get rid of the regression testing or we get rid of the security testing. The next thing you know, we have a piece of software out there that has got bloated code in it or it has got insecure code. But we hit our deadline, right? So, we didn't have any penalties. We can't let those things happen when we are talking about something as serious as this. When you are talking about things, to get back to medical devices, what we haven't talked about yet is why don't we have a solid standard for how a medical device has to be engineered and architected from the beginning. The FDA guidance is just that, guidance. The manufacturers don't have to listen to it.

Mr. Collins. I think my time has expired. You know, I appreciate that, and I just would conclude by saying we all, I think, know a person is ultimately going to have to make the call on the balance. It is a human being. Sometimes they make a mistake. In hindsight, people would always say they made a mistake. And we just need to recognize, whatever we do here, we are not going to end up with perfection and it is going to be a human being making that call between efficiency and security. Thank you all very much. It has been very interesting.

Mr. Long. Thank you, Chairman.

Mr. Pitts [presiding].
The Chair thanks the gentleman and now recognizes the gentleman from Indiana, Dr. Bucshon, 5 minutes for questions.

Mr. Bucshon. Thank you, Mr. Chairman. I was a healthcare provider before I came to Congress. So, this is a pretty interesting issue. And I will probably diverge, go away from the pathway we have been on just a little bit to talk more about why are people going after healthcare information. To start, what data is the most important that people can get from an electronic medical record?

Mr. Corman. Well, some of this is just the natural expansion of the dark markets and the criminal organizations. The street price of a credit card has plummeted due to a surplus from our rampant failures. It used to be over $100; now it is under $1 in certain circles. So, they have migrated to other forms of assets they can turn into currency. A difference between a credit card and some of the healthcare records is that I can get a new credit card; I can't get a new body.

Mr. Bucshon. Right.

Mr. Corman. So, it is the durability of the information.

Mr. Bucshon. Say, for example, though, that you are a patient.

Mr. Corman. Yes.

Mr. Bucshon. OK? And you have a specific disease. Why is that marketable?

Mr. Corman. It is not as much the disease. A lot of the information there can be used to perpetrate bank fraud, check fraud, account takeover.

Mr. Bucshon. OK. So, it is not necessarily the health information. Like say you have heart disease, or whatever. It is everything that is in your record at the hospital, which includes your Social Security number or your other financial information, things like that?

Mr. Corman. Yes. If it is someone famous or if it is someone important, that could be a high-value target.

Mr. Bucshon. Right, right. I understand. Then, you could leverage----

Mr. Corman. Yes.

Mr. Bucshon. Say someone has a particular disease and they don't want the public to know, for example.

Mr. Corman. Even employer discrimination. There is a bunch of markets for that.
I just want to remind, part of the testimony is, you know, we have a joke that we say we love our privacy; we want to be alive to enjoy it. So, as we do tackle these, we want to make sure we are looking at the privacy and the safety of this.

Mr. Bucshon. Anybody else have any brief comments on that one?

Mr. McMillan. I agree with all of it. I would say the one exception to that that I worry about is, when you start looking at things like the OPM breach and the Anthem Blue Cross breaches, et cetera, where enormous amounts of medical information and background information on Government workers was exposed, there are national or state actors out there who absolutely would like to know if we have medical conditions that are sensitive to certain individuals in our Government and certain positions in our military, et cetera. So, there is time where medical information is valuable to certain other individuals, and it is not necessarily the cybercriminal who is looking to commit fraud or commit identity theft or those types of things. I don't think we can discount those things. They didn't steal 80 million records from Anthem Blue Cross for nothing. They didn't steal 23 million records from OPM for nothing. There was a purpose behind that. We probably don't know what the purpose is yet.

Mr. Bucshon. Yes, I just wonder whether like, you know, I mean, people can find out that I have high blood pressure, which I do. Why do they care? Why would they care? Do you know what I am saying? So, that is the thing I was trying to get at. Is it the other information? In certain circumstances I understand that could be valuable information to people, right? It seems to me that the reason--and I think, Mr. McMillan, you pointed this out--that the focus is on now criminals going after health information, it is not the health information per se; it is the fact that now everything is being connected, and it is a portal through which they can get other information that in many other areas of our society, banking and other areas, those portals have been closed, effectively closed. They are never closed. And we haven't gotten ahead of it on the health IT side, Mr. Probst, as you pointed out. I mean, exactly, as a physician, you know, it always drove me crazy if it took me very much time to get into the health record or not. So, it is going to be a real easy--you know, I put in my password, and there it is, right? I can get into the entire system because that was the focus, right? So, I am just trying to get at, it is not necessarily that this is healthcare IT; it is a portal into people's financial lives and everything else. Is that true or not true?

Mr. Probst. I think that is part of it. I mean, we are talking about people stealing data and using that data for inappropriate things. But the whole concept of cyberterrorism is very real. I mean, if you think about healthcare as an infrastructure piece of our country, I mean very key component of the infrastructure, cyberterrorism is very real and it probably scares me more than even some of the data that is being taken.

Mr. Bucshon. OK. I have got one more question. So, briefly?

Mr. Corman. Yes, real fast, on that point, none of us in the room are really that concerned about the ransom aspect of Hollywood Presbyterian. We were concerned of someone like Trick, a former Anonymous hacker who radicalized into an ISIS. Someone like that could do a sustained denial-of-service attack----

Mr. Bucshon. OK.

Mr. Corman [continuing]. In any crisis. It is not even the deaths per se; it is the crisis of confidence in the public to trust these----

Mr. Bucshon.
So, I guess the last question I have is, briefly, creating a separate healthcare ID for all of us based on either biometrics or based on a number or something versus our Social Security number, for example, would that improve the ability to protect non-medical information that is in our health records from cyberattack? Mr. McMillan?

Mr. McMillan. No, sir. If that information is still in that record and I can misappropriate those records, then I can still use that information. I think what Marc was referring to--and I will let him answer that--but I think what he was referring to is that, if we have that unique identifier, then we could remove a lot of that personal information that today is in there just for the purpose of identifying the patient. So, think of it as----

Mr. Bucshon. But that could be important.

Mr. McMillan. Think of it as the ID cards that veterans now have, I, as a veteran, and other veterans have or as Medicare/Medicaid now have. They have taken the Social Security number off of those cards.

Mr. Bucshon. OK.

Mr. McMillan. Right? Why have they done that? Because it put that number at risk.

Mr. Bucshon. OK.

Mr. McMillan. Why do we have it in the health record?

Mr. Bucshon. I am over time. So, I will yield back, Mr. Chairman.

Mr. Pitts. The Chair thanks the gentleman. I now recognize the gentlelady from Indiana, Ms. Brooks, 5 minutes for questions.

Mrs. Brooks. Thank you, Mr. Chairman. I would like to build on my colleague from Indiana's questions and allow each of you to answer and give your opinion with respect to his proposal or idea that, Mr. Probst, you talked about earlier, having a specific identifier for healthcare records. Specifically, if you could each comment on what your views are of the pros and cons of that?

Mr. Probst. Well, I actually completely agree with what Mr. McMillan said. I mean, it is our opportunity to reduce the amount of data that we have that, then, could be used for nefarious purposes.
So, by having that national patient ID, that is going to help there. From a clinical perspective, it is going to help massively because we want to be able to align our clinical data with the patients. And so, the national patient ID has huge benefit from a clinical perspective. But, from a security, I think Mac hit it perfectly.

Mr. McMillan. So, the other benefit that a unique identifier for patients would provide is in the form of access control. As we expand our sharing of information into things like population health, where we are going to have disparate physicians and other individuals touching a record for different reasons at different times, the old role-based access control rules that we have followed in the past are not going to be adequate anymore. We are going to have to go to more attribute-based access-control-type principles. When we have everybody or everything uniquely identified in the system, whether it is an individual, whether it is the patient, whether it is the physician, whether it is environmental factors, et cetera, I can now create rules that actually facilitate access quicker for that gentleman to get into the record that he needs to get into and assure the patient that he is the right physician that is looking at that information.

Mrs. Brooks. Thank you.

Mr. McMillan. So, unique identifiers are beneficial.

Mrs. Brooks. Thank you. Any further comments, Ms. Burch or Mr. Corman?

Ms. Burch. Absolutely. The issue of patient matching and patient identification is something that HIMSS has been working on for a long time. We currently fund an innovator-in-residence at HHS in the Chief Technology Officer's Office to look at perfecting algorithms and other ways that you can identify patients and match patient information. From the HIMSS perspective, we absolutely think there needs to be a national strategy for patient data matching. We don't believe that a unique patient identifier is the panacea solution for that problem.
Given the short amount of time, we can certainly share the research that we have done and the arguments that we have that may not support a unique patient identifier, but we do believe that there needs to be a serious look taken at what are new and emerging technologies around digital identity. What is right for healthcare? So, we have for a long time been a proponent of GAO or some other group really looking at this issue from the standpoint of what is the right solution of healthcare, and it may be multi-solutions.

Mrs. Brooks. Thank you. We would be interested in receiving that research and seeing what some of those ideas are. Mr. Corman, anything you would like to add?

Mr. Corman. Yes. I would concur that it is not a panacea. As someone representing the security research community, often we place too many hopes in the efficacy of these things. I will say it is important as a principle to reduce your attack surface and reduce how many copies of these things you have and how they are come as you are, do as you please. You know, the less data you have, the less exposed you are. So, that is a good principle. But, typically, when you do something like this, you are just simply moving the focal point of the adversary. So, you would have to take a more strategic and holistic approach. I also know there are some privacy concerns around the downside or unintended consequences of such things.

Mrs. Brooks. Thank you. I would be interested in knowing whether or not having what is proposed under this bill, 5068, would that help the Federal Government become more innovative with respect to security if we adopted this proposal for HHS to create this new office specifically? Do you think that would improve the innovation? I am all about innovation in Government, and I am curious whether or not this could actually help promote some more innovation in our systems.

Mr. Corman. My immediate instinct is no. I think it is a very different role.
It is going to be a more operational role for the agency as opposed to the genesis of new and holistic ideas for the industry.

Mrs. Brooks. But, with respect to security--and maybe I should go to you, Ms. Burch. You were talking about innovation research and work that is being done with respect to security. Is that correct?

Ms. Burch. Yes, I was speaking to the importance of the security aspect and being foundational to the innovation work that is happening. So, if you don't have a strong security architecture, patients won't trust sharing their information. You don't have the information to feed the research pipeline, and then, you ultimately don't get to cures. So, we think a CISO position within HHS that is empowered to work both internally and externally is critically important.

Mrs. Brooks. Thank you, and I am sorry my time--I yield back my time. Thank you.

Mr. Pitts. The Chair thanks the gentlelady. That concludes the questions of the Members present. We will have further questions, follow-up, and other Members will submit them to you in writing. We ask that you please respond promptly. And that means Members have 10 business days to submit questions for the record. So, they should submit their questions by the close of business on Thursday, June the 9th. We will also be consulting with HHS and work collaboratively and bipartisanly. And we thank you very much. This has been a very important and complex, really, issue that we must deal with. Thank you very much for your testimony. Without objection, this hearing is adjourned.

[Whereupon, at 11:55 a.m., the subcommittee was adjourned.]

[Material submitted for inclusion in the record follows:]

Prepared statement of Hon. Fred Upton

The House Energy and Commerce Committee knows, better than I think just about any committee on the Hill, how important cybersecurity is.
We've examined issues surrounding encryption, considered how best to address data breaches, and even dug deep into the protocols that run our cell phones, studying the vulnerabilities. We understand that our digital infrastructure is under attack--every second of every day--from actors of all motivations and levels of sophistication. And that is why we are here today.

Just like every other Federal department and private organization, HHS' networks and the information contained within them are under constant threat. At first glance, some may assume that we're holding today's hearing to chastise HHS for cybersecurity incidents that have happened in the past. We are not. We are holding this hearing because we are looking to the future. We are holding this hearing to examine whether or not HHS has the opportunity, by embracing the reforms suggested in Mr. Long's and Ms. Matsui's bipartisan bill, not only to improve its own internal cybersecurity, but to become a leader in cybersecurity within the Federal Government and in the health care industry.

Consider this: the current structure for cybersecurity officials in place at HHS was originally mandated in 2003. The Internet looked radically different 13 years ago; smartphones were rare, cloud computing had yet to really take off, and the biggest threats to our digital infrastructure were viruses and worms, both of which could be stopped using standard firewalls and anti-virus software. But the cyberworld is constantly changing, and the threats that we faced 10 years ago are not the threats that we face today. Instead, we face a daunting array of cybersecurity threats, from sophisticated thefts of personal information held by health care providers, to the hostage-taking of hospital networks and equipment by ransomware.
So I hope Members will take this opportunity to examine closely the issue before us, and give careful consideration as to whether or not an organizational structure established a decade ago is as agile, versatile, and powerful as we need it to be in order to combat the growing threats that we face. Our oversight identified a problem. And we have a thoughtful solution in the HHS Data Protection Act to address it.