House Committee Examining Personnel and Organizational Changes at HHS Cybersecurity Center | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

House Committee Examining Personnel and Organizational Changes at HHS Cybersecurity Center

November 16, 2017
by Heather Landi
| Reprints

The House Committee on Energy and Commerce is examining whether the U.S. Department of Health and Human Services (HHS) retaliated against two key HHS cybersecurity officials and whether those actions weakened the federal agency’s role in responding to healthcare cybersecurity incidents.

Earlier this week, Politico initially reported that a healthcare-specific cybersecurity communication center within HHS, the Healthcare Cybersecurity Communications Integration Center (HCCIC), was “paralyzed” by the removal of its top two officials.

"An HHS official says the agency is investigating irregularities and possible fraud in contracts they signed. The two executives, Leo Scanlon and Maggie Amato, allege they were targeted by disgruntled government employees and private-sector companies worried the cyber center would take away some of their business,” Politico’s Darius Tahir reported.

In a letter to HHS Acting Secretary Eric Hagan, Reps. Greg Walden, R-Ore., Frank Pallone Jr., D-N.J., and Diana DeGette, D-Colo., are requesting more information about whether HHS retaliated against Scanlon and Amato for “communicating with this Committee” as well as whether recent actions taken by HHS “potentially weaken the HHS role in responding, or assisting stakeholder responses, to cybersecurity incidents affecting the health care sector in the U.S.”

The letter states that until September 6, Amato served as director of the HCCIC, and Scanlon had served as Deputy Chief Information Security Officer and the designated senior advisor for public health sector cybersecurity. On Sept. 6, Amato and Scanlon were notified that, effective immediately, they were being temporarily detailed to unclassified duties, at another HHS building in Amato’s case, or placed on full time telework status in Scanlon’s case, the letter states.

“In both cases, a September 6, 2017 memoranda from Christopher Wlaschin, the HHS executive director of information security, state that the temporary details are to permit the Agency to review allegations raised against the Office of Chief Information Officer (OCIO), Office of Information Security," the lawmakers wrote in their letter.

Amato and Scanlon allege that the actions have effectively removed the HCCIC’s leadership and suspended its activities. After Amato and Scanlon met with bipartisan committee staff to discuss information contained in a protected disclosure at a hearing in late September, HHS shuffled Amato around two additional times, marking her fourth move in less than a month, according to the Committee leader.

In the letter, lawmakers voiced several concerns, one regarding interference with the Committee’s duty to conduct oversight, noting that communications with federal employees is essential to its ability to conduct oversight. Second, the lawmakers wrote, the Committee has a strong bipartisan interest in healthcare cybersecurity, including strengthening HHS leadership, coordination and engagement with private stakeholders in confronting cyber threats.

Scanlon and other HHS officials touted the HCCIC's success in light of the WannaCry ransomware attack back in March. While the malware attack severely impacted the National Health Service in the UK, WannCry’s effect was ultimately minimal in the U.S. During a House Energy and Commerce Oversight subcommittee hearing in June, Scanlon reported that HCCIC played an integral role in HHS’ coordinated response to the WannaCry incident as HCCIC analysts provided early warning about the impact to health care.

“Given how critical health care cybersecurity is to the nation and the apparently central role of the new HCCIC in the Department’s response to WannaCry, these recent and abrupt changes raise a number of questions about HHS and its commitment to providing effective leadership to the sector,” the lawmakers wrote in the letter. “It is, therefore, important to understand what led HHS to temporarily remove two key HHS cybersecurity officials from their positions, while possibly making structural changes to HHS’s role, thus creating new uncertainty as to who is in charge.”

What’s more, the lawmakers wrote, “HHS’s apparent inability to provide stability and clarity about internal roles and responsibilities for cybersecurity risks undermining any recent progress made by the department in developing the trust and confidence within the health care sector necessary to provide leadership on this important topic.”

In light of these concerns, the lawmakers request that HHS brief Committee staff by Nov. 28 about the allegations against Scanlon and Amato and the status of the HCCIC reorganization and how HHS is ensuring that the HHS health care cybersecurity response will not be degraded in any way by these personnel and organizational changes.

Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More

Topics

News

Advocate Aurora Health, Foxconn Plan Employee Wellness, “Smart City,” and Precision Medicine Collaboration

Wisconsin-based Advocate Aurora Health is partnering with Foxconn Health Technology Business Group, a Taiwanese company, to develop new technology-driven healthcare services and tools.

Healthcare Data Breach Costs Remain Highest at $408 Per Record

The cost of a data breach for healthcare organizations continues to rise, from $380 per record last year to $408 per record this year, as the healthcare industry also continues to incur the highest cost for data breaches compared to any other industry, according to a new study from IBM Security and the Ponemon Institute.

Morris Leaves ONC to Lead VA Office of Electronic Health Record Modernization

Genevieve Morris, who has been detailed to the U.S. Department of Veterans Affairs (VA) from her position as the principal deputy national coordinator for the Department of Health and Human Services, will move over full time to lead the newly establishment VA Office of Electronic Health Record Modernization.

Cedars-Sinai Accelerator Program Presents Fourth Class of Startups

The Cedars-Sinai Accelerator, a program that helps entrepreneurs bring their innovative technology products to market, has brought in nine more health tech startups as part of its fourth class.

DirectTrust Adds Five Board Members

DirectTrust, a nonprofit organization that support health information exchange, announced the appointment of five new executives to its board of directors.

Analysis: Many States Continue to Have Restrictive Telemedicine Policies

State Medicaid programs are evolving to accelerate the adoption of telemedicine models, this evolution is occurring more quickly in some states than others, according to a recent analysis by Manatt Health.