House Committee Examining Personnel and Organizational Changes at HHS Cybersecurity Center | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

House Committee Examining Personnel and Organizational Changes at HHS Cybersecurity Center

November 16, 2017
by Heather Landi
| Reprints

The House Committee on Energy and Commerce is examining whether the U.S. Department of Health and Human Services (HHS) retaliated against two key HHS cybersecurity officials and whether those actions weakened the federal agency’s role in responding to healthcare cybersecurity incidents.

Earlier this week, Politico initially reported that a healthcare-specific cybersecurity communication center within HHS, the Healthcare Cybersecurity Communications Integration Center (HCCIC), was “paralyzed” by the removal of its top two officials.

"An HHS official says the agency is investigating irregularities and possible fraud in contracts they signed. The two executives, Leo Scanlon and Maggie Amato, allege they were targeted by disgruntled government employees and private-sector companies worried the cyber center would take away some of their business,” Politico’s Darius Tahir reported.

In a letter to HHS Acting Secretary Eric Hagan, Reps. Greg Walden, R-Ore., Frank Pallone Jr., D-N.J., and Diana DeGette, D-Colo., are requesting more information about whether HHS retaliated against Scanlon and Amato for “communicating with this Committee” as well as whether recent actions taken by HHS “potentially weaken the HHS role in responding, or assisting stakeholder responses, to cybersecurity incidents affecting the health care sector in the U.S.”

The letter states that until September 6, Amato served as director of the HCCIC, and Scanlon had served as Deputy Chief Information Security Officer and the designated senior advisor for public health sector cybersecurity. On Sept. 6, Amato and Scanlon were notified that, effective immediately, they were being temporarily detailed to unclassified duties, at another HHS building in Amato’s case, or placed on full time telework status in Scanlon’s case, the letter states.

“In both cases, a September 6, 2017 memoranda from Christopher Wlaschin, the HHS executive director of information security, state that the temporary details are to permit the Agency to review allegations raised against the Office of Chief Information Officer (OCIO), Office of Information Security," the lawmakers wrote in their letter.

Amato and Scanlon allege that the actions have effectively removed the HCCIC’s leadership and suspended its activities. After Amato and Scanlon met with bipartisan committee staff to discuss information contained in a protected disclosure at a hearing in late September, HHS shuffled Amato around two additional times, marking her fourth move in less than a month, according to the Committee leader.

In the letter, lawmakers voiced several concerns, one regarding interference with the Committee’s duty to conduct oversight, noting that communications with federal employees is essential to its ability to conduct oversight. Second, the lawmakers wrote, the Committee has a strong bipartisan interest in healthcare cybersecurity, including strengthening HHS leadership, coordination and engagement with private stakeholders in confronting cyber threats.

Scanlon and other HHS officials touted the HCCIC's success in light of the WannaCry ransomware attack back in March. While the malware attack severely impacted the National Health Service in the UK, WannCry’s effect was ultimately minimal in the U.S. During a House Energy and Commerce Oversight subcommittee hearing in June, Scanlon reported that HCCIC played an integral role in HHS’ coordinated response to the WannaCry incident as HCCIC analysts provided early warning about the impact to health care.

“Given how critical health care cybersecurity is to the nation and the apparently central role of the new HCCIC in the Department’s response to WannaCry, these recent and abrupt changes raise a number of questions about HHS and its commitment to providing effective leadership to the sector,” the lawmakers wrote in the letter. “It is, therefore, important to understand what led HHS to temporarily remove two key HHS cybersecurity officials from their positions, while possibly making structural changes to HHS’s role, thus creating new uncertainty as to who is in charge.”

What’s more, the lawmakers wrote, “HHS’s apparent inability to provide stability and clarity about internal roles and responsibilities for cybersecurity risks undermining any recent progress made by the department in developing the trust and confidence within the health care sector necessary to provide leadership on this important topic.”

In light of these concerns, the lawmakers request that HHS brief Committee staff by Nov. 28 about the allegations against Scanlon and Amato and the status of the HCCIC reorganization and how HHS is ensuring that the HHS health care cybersecurity response will not be degraded in any way by these personnel and organizational changes.

Get the latest information on Cybersecurity and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



Dignity Health, CHI Merging to Form New Catholic Health System

Catholic Health Initiatives (CHI), based in Englewood, Colorado, and San Francisco-based Dignity Health officially announced they are merging and have signed a definitive agreement to combine ministries and create a new, nonprofit Catholic health system.

HHS Announces Winning Solutions in Opioid Code-a-Thon

The U.S. Department of Health and Human Services (HHS) hosted this week a first-of-its-kind two-day Code-a-Thon to use data and technology to develop new solutions to address the opioid epidemic.

In GAO Report, More Concern over VA VistA Modernization Project

A recent Government Accountability Office (GAO) report is calling into question the more than $1 billion that has been spent to modernize the Department of Veterans Affairs' (VA) health IT system.

Lawmakers Introduce Legislation Aimed at Improving Medicare ACO Program

U.S. Representatives Peter Welch (D-VT) and Rep. Diane Black (R-TN) have introduced H.R. 4580, the ACO Improvement Act of 2017 that makes changes to the Medicare accountable care organization (ACO) program.

Humana Develops Medication Management Tool

A new tool developed by Humana enables the company’s members to keep a list of their medications in one place.

Four Hospitals Piloting OurNotes Initiative in 2018

Beginning in January, four academic hospitals—Beth Israel Deaconess Medical Center in Boston, University of Washington in Seattle, Dartmouth-Hitchcock Medical Center in Lebanon, New Hampshire and University of Colorado in Boulder—will begin piloting a new digital tool called OurNotes that enables patients to contribute to their clinical notes.