Media Report: HHS Cybersecurity Initiative Stalled Due to Contracting Investigation | Healthcare Informatics Magazine | Health IT | Information Technology

Media Report: HHS Cybersecurity Initiative Stalled Due to Contracting Investigation

November 14, 2017
by Heather Landi

A healthcare-specific cybersecurity communication center within the U.S. Department of Health and Human Services (HHS) is now at the center of an investigation into contracting irregularities and possible fraud allegations, according to a report by Politico.

The Healthcare Cybersecurity Communications Integration Center (HCCIC), which went live at the end of June, was established to protect the nation’s healthcare system from cyber attack. HCCIC focuses its efforts on analyzing and disseminating cyberthreats across the healthcare industry in real time.

According to an article written by Politico’s Darius Tahir, the fledgling HHS initiative has been “paralyzed” by the removal of its top two officials. Leo Scanlon, deputy chief information security officer at HHS, who ran the HCCIC, was put on administrative leave in September and his deputy, Maggie Amato, left the government, Tahir wrote.

“An HHS official says the agency is investigating irregularities and possible fraud in contracts they signed,” Tahir wrote. “The two executives, Leo Scanlon and Maggie Amato, allege they were targeted by disgruntled government employees and private-sector companies worried the cyber center would take away some of their business.”

According to Tahir’s reporting, the top officials’ departures have put the center’s work on hold and left many healthcare officials worried about its fate, at a time when the healthcare industry faces evolving, persistent cyber attacks.

HHS officials touted the center’s role during the WannaCry ransomware attack in May 2017, in which the U.S. healthcare system saw minimal impact. On May 12, the WannaCry ransomware worm spread quickly across the globe, infecting hundreds of thousands of machines in more than 150 countries in a matter of hours. Computer systems at roughly 40 National Health Service (NHS) hospitals in the United Kingdom were infected, forcing many of those hospitals to reduce services, cancel certain operations and turn away all but emergency patients.

As previously reported by Healthcare Informatics, during a House Energy and Commerce Oversight subcommittee hearing in June, Scanlon reported that HCCIC played an integral role in HHS’ coordinated response to the WannaCry incident, although the center wasn’t fully set up yet. “In the recent WannaCry mobilization, HCCIC analysts provided early warning about the impact to health care. This was the first time a cyber attack was the focus of a mobilization,” he testified.

Scanlon testified during that hearing that when the WannaCry attack began and throughout the following days HHS took a central role in coordinating government resources and expertise, compiling and distributing relevant information, and generally serving as a hub for both public-and private-sector response efforts.

Politico’s Tahir reports that problems arose after a series of anonymous letters alleged that Scanlon and Amato had improper relations with contractors. “One July 4 letter asserted that companies received contracts with HHS after providing the two officials with free dinners and tours of California wineries, including a hot air balloon ride,” Tahir wrote.

Politico also reported that the HHS Office of the Inspector General confirmed that it opened an investigation after receiving an anonymous letter.

Tahir further reports, “Scanlon and Amato dispute the allegations, and filed reports detailing their alleged mistreatment with Congress. They also spoke on the record with POLITICO. In their version of events, they acknowledged meeting with contractors in Northern California but said the tours and meals were done on their own time at their own expense.”

The Politico story also states that HHS insists that the cyber center’s work is proceeding, with officials detailed from elsewhere at HHS and the federal government, and a search is underway to replace Scanlon and Amato.



Phishing Attack at Georgia Health System May Have Exposed 400K Patients’ Data

August 20, 2018
by Heather Landi, Associate Editor

Augusta University Health System, based in Augusta, Georgia, has reported that a phishing attack on email accounts that occurred last fall may have led to the unauthorized access of protected health information (PHI) of approximately 417,000 individuals.

In a notice posted on its website, Augusta University officials said the organization was targeted by a series of fraudulent emails on Sept. 10-11, 2017. “These sophisticated phishing emails solicited usernames and passwords, giving attackers access to a small number of internal email accounts,” officials said.

A second phishing attack occurred July 11, 2018, and appears to be smaller in scope, Augusta University President Brooks Keel, Ph.D., wrote in a separate message.

Augusta University officials said that, upon recognizing the nature of the attack, security leaders took action to stop the intrusion, including disabling the impacted email accounts, requiring password changes for the compromised accounts, and maintaining heightened monitoring of the accounts to ensure that no other suspicious activity was taking place.

On July 31, 2018, investigators determined that the email accounts accessed earlier by an unauthorized user may have given the intruder access to the personal information and PHI of approximately 417,000 individuals.

While the investigation verified that personal information was contained in compromised email accounts, no misuse of information has been reported at this time, Keel wrote in his message.

In some cases, patient information that may have been contained in compromised email accounts included patient names and one or more of the following: addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, dates of service and/or insurance information.

For a small percentage, information that may have been viewed included a Social Security number and/or driver’s license number, organization officials said.

Keel also wrote that IT staff reacted quickly to contain the July 11, 2018, attack. “The number of email accounts involved in this attack is fewer than those in the September attack. The investigation into the consequences of that attack is still underway,” Keel wrote.

In response to the incident, the organization has taken or will be promptly initiating several actions to protect against future incidents, Keel stated. Organization leadership created a new position of vice president for audit, compliance, ethics and risk management to bring “fresh leadership and direction to compliance functions.”

The organization also is implementing multifactor authentication for off-campus email and system access, reviewing and adopting solutions to limit email retention, and leadership is taking steps to implement a policy banning PHI in email communications.

In addition, Augusta University officials said the organization is employing software to screen emails for PHI or personally identifiable information (PII) to prevent them from sending, increasing employee training in preventing security breaches, and enhancing compliance-related policies and procedures.
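The outbound screening described above amounts to a content filter that inspects a message before it leaves and refuses delivery when it finds identifiers that should never travel by email. The following is an added example of such a filter, written for this page; it is not Augusta University's software or configuration. It assumes three detection rules (U.S. Social Security numbers, a medical record number written as "MRN" followed by six to ten digits, and a labelled date of birth), and the MRN format is an assumption standing in for whatever identifier scheme an organization actually uses. The sample messages are constructed and contain no real patient data.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Detection rules. The SSN pattern excludes never-issued area/group/serial
# values so that obvious non-SSNs (e.g. 000-12-3456) do not trip it. The MRN
# format is an assumption for illustration, not a real institution's scheme.
RULES: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}


@dataclass
class Verdict:
    block: bool                                        # True: do not deliver
    reasons: List[str] = field(default_factory=list)   # rule names that fired


def scan_message(body: str) -> Verdict:
    """Return a block decision plus the names of the rules that matched."""
    hits = [name for name, rx in RULES.items() if rx.search(body)]
    return Verdict(block=bool(hits), reasons=hits)


def redact(body: str) -> str:
    """Mask every match so a blocked message can be logged or quarantined
    without copying the sensitive values into yet another data store."""
    for name, rx in RULES.items():
        body = rx.sub(f"[REDACTED-{name.upper()}]", body)
    return body


if __name__ == "__main__":
    # Constructed sample messages; none of these refer to real people.
    samples = [
        "Can you reschedule the Tuesday vendor meeting to 3pm?",
        "Following up on John Doe, MRN 00123456, DOB: 04/12/1970, re: lab results.",
        "Payroll form attached for SSN 123-45-6789.",
    ]
    for s in samples:
        v = scan_message(s)
        print("BLOCK" if v.block else "allow", v.reasons, "|", redact(s))
```

A filter like this is only as good as its rule set and the retention policy around it: it cannot catch PHI expressed in free text without identifiers, which is why the measures above pair screening with a ban on PHI in email and shorter mailbox retention, so that a compromised account exposes less history.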

Augusta University will offer free credit monitoring services for one year to individuals whose Social Security number was included in the compromised email accounts.


PODCAST: AHA's Cybersecurity Leader John Riggi on the Evolving Cyber Threats Facing Healthcare

August 17, 2018
by Heather Landi, Associate Editor
Riggi believes the cyber threats against healthcare are increasing in severity, complexity and frequency

Within the healthcare industry, cyber threats are constantly evolving as the threat landscape changes, and executive leaders at patient care organizations all face the same daunting challenge of protecting information systems and patient data.

A recent report found that cyberthreats are continuing to increase and shift, and even though ransomware attacks are significantly declining, cyberattacks overall are on the rise. A Protenus Breach Barometer report found that 3 million patient records were breached in the second quarter of 2018 alone. At the same time, an IBM Security study found that the cost of a data breach for healthcare organizations continues to rise, from $380 per record last year to $408 per record this year. Overall, the healthcare industry continues to incur the highest cost for data breaches compared to any other industry.

Another report, based on a survey of hackers, uncovered an alarming result: about a quarter of the hackers surveyed say they can complete a breach of a hospital or healthcare organization in under five hours.

On top of all that, recent high-profile healthcare cybersecurity incidents in the past few months serve as a stark reminder that the healthcare industry continues to be a ripe target for attacks. One cyber attack on Singapore’s public health system, SingHealth, breached the records of 1.5 million people and targeted the country’s prime minister. The breach impacted about a quarter of Singapore’s population of 5.6 million people.

John Riggi, who serves in the newly created role of senior advisor for cybersecurity and risk with the American Hospital Association (AHA), sees the cyber threats against healthcare increasing in severity, complexity and frequency. Prior to his role at AHA, Riggi spent nearly 30 years with the FBI, including in the cyber division.

Riggi dives into the evolving cyber threats facing the healthcare industry right now, including sophisticated criminal organizations, nation-state actors and cryptocurrency mining malware. Case in point: incidents of cryptocurrency mining on healthcare networks and other critical infrastructure networks increased by 1,000 percent from late 2017 to the present, Riggi says. He also discusses the implications of recent high-profile cyber incidents such as the hack at SingHealth.

The podcast runs about 13 minutes in length. You can listen to all Healthcare Informatics podcasts right here.



Who Can Healthcare Trust When Ransomware Hits?

WannaCry and Petya caused business impact for several organizations and in both cases the damage was largely mitigated across the industry. This information is widely known.

What is not widely known is what the role of information sharing was between private industry and the public sector specifically between the NH-ISAC Threat Intelligence Committee members (TIC) and the HHS Healthcare Cybersecurity Communications and Integration Center (HCCIC).
