Two House Energy and Commerce Committee members on Tuesday introduced a bill intended to improve cybersecurity at the Department of Health and Human Services (HHS).
The bill from Reps. Billy Long (R-Mo.) and Doris Matsui (D-Calif.) comes in response to an August report by the committee that found “pervasive and persistent deficiencies across HHS and its operating divisions’ information security programs.”
“We’ve developed a thoughtful solution to improve cybersecurity at HHS, based on committee findings,” Long and Matsui said in a statement. “This legislation is a critical step toward safeguarding the delicate information countless Americans have entrusted in HHS’ hands.”
The bill would create an office of the chief information security officer within the agency, which was the top recommendation from the committee’s report.
HHS came under fire from committee members when the report revealed that hackers had breached at least five divisions over the last three years.
“What we found is alarming and unacceptable,” said committee Chairman Fred Upton (R-Mich.) and Oversight and Investigations Subcommittee Chairman Tim Murphy (R-Pa.) in a joint statement at the time.
The committee launched the security review after the Food and Drug Administration, a department within HHS, suffered a breach in late 2013 that exposed account details on more than 14,000 people.
The committee's review uncovered five additional breaches at HHS, although the findings said the extent of each was unclear.
“Of concern to the committee, officials at the affected agencies often struggled to provide accurate, clear and sufficient information on the security incidents during the committee’s investigation,” the report said.
In some cases, the confusion may have resulted from information security workers not being given the right authorities.
“Information security officials are not always permitted full visibility into their own networks as a result of their relationship with agency contractors, who may own and operate portions of agency networks,” the report said.
In other cases, offices were poorly organized or simply made mistakes. In two of the breaches, officials simply missed required software patches. At another HHS division, security workers mistook a list of hacker aliases for a list of security vulnerabilities.
The committee’s so-called HHS Data Protection Act would mandate that the president appoint a chief information security officer by Oct. 1 of this year.
It also calls for the HHS Secretary to submit a report to the committee on the new official’s plan to oversee and coordinate the agency’s information security, no later than one year after the legislation’s enactment.
“We must do all we can to ensure greater security of the government’s health networks and Americans’ sensitive data,” said Long and Matsui.