HHS CIO: ‘My job is to be the risk mitigator, innovation broker’

The Department of Health and Human Services chief information officer is taking on a different kind of role—one of being an innovation broker.

Beth Killoran said she wants to set the vision and bring the right technology to the right organization that needs it.

Killoran, who spoke on a recent panel at the AFCEA Bethesda Health IT day, said HHS’s new IT strategic plan does just that.

Beth Killoran is the HHS CIO.

“That strategic plan allowed us to identify five goals that we are going to do across HHS—Cyber being one of them; interoperability and usability being another; making sure we are looking at different kinds of capabilities; making sure we are providing the right quality workforce for the challenges we have in front of us,” said Killoran, whom HHS promoted to CIO in July. “I’m really excited that all of our operating divisions and a majority of our staff divisions put their time and effort into making this a departmental plan. It had all of the things each of them is doing from an individual mission perspective, but at the department level, where do we have commonality. Where can we join forces?”

HHS hasn’t updated its IT strategic plan since 2006 when it released a four-year strategy, so it was in need of a refresh.

Killoran said she expects to post it online in the coming weeks.

“It was signed by every CIO in the department, which I think is the first time we’ve ever done that,” she said. “For me, this is a theme you’ve heard from me since the day I started, cyber and privacy are my number one goals in technology. If I make sure we shift from a response and recover to a prevent then I’m doing my job as a risk mitigator. I need to shift our investments and I need to shift our technology from waiting for the bad guy to come and then I’ll be quick to fix it, to thinking one step ahead of them and what technology can I use to make those barriers better and understand the threat as it’s emerging and respond accordingly.”

The cyber challenge hasn’t been lost on one of HHS’s component CIOs. Todd Simpson, the Food and Drug Administration’s CIO, said he’s been focusing on fixing 15 significant program findings that were putting the agency’s data at risk.

Before Simpson arrived at the FDA, auditors were in the middle of a full-blown examination of the agency’s IT systems and cybersecurity controls.

The FDA fixed 12 of the 15 major problems in about 45 days. He said the FDA took every vulnerability and turned it into an action item.

Simpson said auditors made 166 recommendations and identified 87 weaknesses, and he made each of them an action item. He said the FDA has fixed 65 percent of the weaknesses and accomplished 70 percent of recommendations.

“I’m just watching the ticker. Every day I’m watching the remediation and those last three programmatic recommendations are big ones—data loss prevention. It’s a multi-million dollar ask and it’s going to be something that will take the next year to resolve,” he said. “We’ve increased our spend from about 2 percent to about 10 percent of our IT base budget [on cybersecurity]. Today we’ve moved the ball down the field really quick. U.S. Computer Emergency Readiness Team (U.S.-CERT) told us what we did in 45 days was what they had seen in 18 months at other agencies. I’m really proud of that work by my team.”

He added the FDA is working to find efficiencies by addressing interoperability and system duplication issues to help continue the increased level of cyber spending.

Killoran said part of her role is to ensure other agency components don’t face the same challenges as the FDA’s experience with cyber or HHS’s with putting email in the cloud.

“When we put the Centers for Medicare and Medicaid Services in the cloud, we didn’t have those same problems,” she said. “We don’t want to have more than one trial or failure. It’s okay to have problems the first time, but we don’t want to keep repeating history. My role as collaborator and communicator is to make sure I’m putting the right folks together. When we have a challenge, it’s bringing the right people in the room and getting it solved quickly. My job is to be the number one risk mitigator. How do I mitigate the risk to the mission, mitigate the risks of the threats we have and how do we mitigate the operational performance impacts? If I can put innovation in place, interact with the industry to bring technology into the right places and if I can set the right goals, then I’ve done my job as CIO by making sure everyone around me is successful and has the technology and tools they need.”