The U.S. House of Representatives Committee on Energy and Commerce released a report revealing that five operating divisions at the U.S. Department of Health and Human Services (“HHS”), including the Food and Drug Administration, have experienced breaches of their information systems through unsophisticated cyber means in the last three years. The Committee determined that security concerns related to HHS’ information systems often have been subordinated to operational concerns, in part because the Chief Information Security Officer (“CISO”) is required by the Federal Information Security Management Act (“FISMA”) to report to the Chief Information Officer (“CIO”), who may be more focused on the management of information technology than on the management of information security concerns. Although the Committee found that HHS complies with FISMA, it believed that the FISMA-mandated organizational structure is flawed, and that the “separation of the management of information technology from the management of information security concerns would remove information security from the information technology ‘silo’ and would facilitate the inclusion of expertise across HHS in information security decisions.” To address this, the Committee recommended moving the CISO position to the Office of the General or Chief Counsel to ensure that security concerns are given more priority.