House E&C Panel Hears HHS Cyber Testimony in Private

The House Energy and Commerce Committee’s oversight and investigations subcommittee today heard testimony from Department of Health and Human Services and Government Accountability Office officials in the closed portion of a hearing called to examine GAO audits of HHS cybersecurity programs.

A hearing notice issued by the committee on June 13 noted that the hearing would be held mostly in closed session.  MeriTalk reported earlier today that the subcommittee unexpectedly went into closed session.  We apologize for that error.

Rep. Gregg Harper, R-Miss., chairman of the subcommittee, opened the brief public portion of the hearing by saying some of the findings to be discussed by the subcommittee were “sensitive,” and that the remainder of the hearing would be held in a closed session “to protect information that may endanger national security.”  Rep. Diana DeGette, D-Colo., ranking member of the subcommittee, supported the move to a closed session.

The hearing was called to discuss a series of audits that GAO has been conducting on “information security controls at HHS and its component agencies,” the subcommittee said in a June 18 hearing notice, along with what steps HHS and component agencies have taken to address GAO’s findings.

Witnesses scheduled to appear at today’s hearing were Sherri Berger, chief operating officer, Center for Disease Control (CDC); Suzi Connor, chief information officer at CDC; Beth Killoran, CIO at HHS; and Greg Wilshusen, director of information security issues at GAO.

Earlier this month, Republican and Democratic leaders of the full Energy and Commerce Committee sent a letter to HHS Secretary Alex Azar in which they raised concerns with the agency’s implementation of the 2015 Cybersecurity Information Sharing Act, specifically with the agency’s Cyber Threat Preparedness Report (CPTR) required by the law, and a status update regarding Health Care Industry Security Approaches also required by the law.

Regarding the CPTR, committee leadership said HHS delivered the report in April 2017, but that it lacked “sufficient detail on many outstanding issues,” and that since then “HHS has continued to alter its cybersecurity strategy.”

Committee leadership urged HHS to “take prompt actions to address these outstanding issues,” and added, “As cyber threats to the health care sector increase in frequency and severity, it is imperative that HHS provide clear and consistent leadership and direction to the sector regarding cyber threats.”
