The House Committee on Energy and Commerce is examining whether the U.S. Department of Health and Human Services (HHS) retaliated against two key HHS cybersecurity officials and whether those actions weakened the federal agency’s role in responding to healthcare cybersecurity incidents.
Earlier this week, Politico initially reported that a healthcare-specific cybersecurity communication center within HHS, the Healthcare Cybersecurity Communications Integration Center (HCCIC), was “paralyzed” by the removal of its top two officials.
“An HHS official says the agency is investigating irregularities and possible fraud in contracts they signed. The two executives, Leo Scanlon and Maggie Amato, allege they were targeted by disgruntled government employees and private-sector companies worried the cyber center would take away some of their business,” Politico’s Darius Tahir reported.
In a letter to HHS Acting Secretary Eric Hargan, Reps. Greg Walden, R-Ore., Frank Pallone Jr., D-N.J., and Diana DeGette, D-Colo., are requesting more information about whether HHS retaliated against Scanlon and Amato for “communicating with this Committee” as well as whether recent actions taken by HHS “potentially weaken the HHS role in responding, or assisting stakeholder responses, to cybersecurity incidents affecting the health care sector in the U.S.”
The letter states that until September 6, Amato served as director of the HCCIC, and Scanlon had served as Deputy Chief Information Security Officer and the designated senior advisor for public health sector cybersecurity. On Sept. 6, Amato and Scanlon were notified that, effective immediately, they were being temporarily detailed to unclassified duties, at another HHS building in Amato’s case, or placed on full-time telework status in Scanlon’s case, the letter states.
“In both cases, a September 6, 2017 memoranda from Christopher Wlaschin, the HHS executive director of information security, state that the temporary details are to permit the Agency to review allegations raised against the Office of Chief Information Officer (OCIO), Office of Information Security,” the lawmakers wrote in their letter.
Amato and Scanlon allege that the actions have effectively removed the HCCIC’s leadership and suspended its activities. After Amato and Scanlon met with bipartisan committee staff to discuss information contained in a protected disclosure at a hearing in late September, HHS shuffled Amato around two additional times, marking her fourth move in less than a month, according to the Committee leaders.
In the letter, the lawmakers voiced several concerns. The first is interference with the Committee’s duty to conduct oversight; they noted that communication with federal employees is essential to its ability to do so. Second, the lawmakers wrote, the Committee has a strong bipartisan interest in healthcare cybersecurity, including strengthening HHS leadership, coordination and engagement with private stakeholders in confronting cyber threats.
Scanlon and other HHS officials touted the HCCIC's success in light of the WannaCry ransomware attack back in March. While the malware attack severely impacted the National Health Service in the UK, WannaCry’s effect was ultimately minimal in the U.S. During a House Energy and Commerce Oversight subcommittee hearing in June, Scanlon reported that HCCIC played an integral role in HHS’ coordinated response to the WannaCry incident as HCCIC analysts provided early warning about the impact to health care.
“Given how critical health care cybersecurity is to the nation and the apparently central role of the new HCCIC in the Department’s response to WannaCry, these recent and abrupt changes raise a number of questions about HHS and its commitment to providing effective leadership to the sector,” the lawmakers wrote in the letter. “It is, therefore, important to understand what led HHS to temporarily remove two key HHS cybersecurity officials from their positions, while possibly making structural changes to HHS’s role, thus creating new uncertainty as to who is in charge.”
What’s more, the lawmakers wrote, “HHS’s apparent inability to provide stability and clarity about internal roles and responsibilities for cybersecurity risks undermining any recent progress made by the department in developing the trust and confidence within the health care sector necessary to provide leadership on this important topic.”
In light of these concerns, the lawmakers request that HHS brief Committee staff by Nov. 28 about the allegations against Scanlon and Amato, the status of the HCCIC reorganization, and how HHS is ensuring that its health care cybersecurity response will not be degraded in any way by these personnel and organizational changes.