Healthcare Informatics Magazine | Health IT | Information Technology

OIG Confirms HCCIC Investigation, HHS’ Cyber Efforts Moving Forward

March 29, 2018
by Heather Landi

In light of many published media reports, including a Healthcare Informatics article posted Monday, regarding an ongoing controversy over the reassignment of top cyber leaders at the U.S. Department of Health and Human Services (HHS) and the ongoing work of its Healthcare Cybersecurity Communications Integration Center (HCCIC), the Office of the Inspector General (OIG) has responded with an official statement confirming that there is an investigation involving the HCCIC.

An OIG spokesperson provided a statement via email: “The OIG has a general practice of neither confirming nor denying the existence of an investigation being conducted by our office. However, because information has come to light that suggests that the OIG was conducting an investigation involving the Healthcare Cybersecurity and Communications Integration Center (HCCIC), we are willing to acknowledge that an OIG investigation involving HCCIC is/was ongoing. We are not at liberty to provide any further details at this time.”

The statement comes after an almost seven-month-long controversy over HHS’ fledgling cyber operations center and the ousting of the center’s top leaders last fall. According to multiple media reports back in November, the fledgling HCCIC became the center of a rumored investigation into contracting irregularities and possible fraud allegations. An anonymous complaint was lodged, alleging contracting improprieties. HHS Deputy CISO Leo Scanlon was put on administrative leave back in September, and the center’s director, Maggie Amato, has since resigned.

Scanlon and Amato allege they were targeted by disgruntled government employees and then retaliated against as whistleblowers.

The OIG statement does not offer any clarification as to whether the “HCCIC investigation” is focused on the allegations of contracting improprieties against Scanlon and Amato, or whether it’s referencing potential reprisals against whistleblowers.


As noted in the Healthcare Informatics article posted Monday, Janet Vogel, currently the deputy chief information officer at the Centers for Medicare & Medicaid Services (CMS), will be moving over to take over the HHS Chief Information Security Officer (CISO) role, replacing Chris Wlaschin, who announced he was stepping down for personal reasons.

An HHS spokesperson provided the following statement: “During the month of April, CMS Deputy CIO, Janet Vogel, will detail from CMS into the role of CISO at HHS. Janet brings thirty years of federal experience to the position with the last 16 years at CMS. Her broad spectrum of skills in information technology, information security, organizational change, acquisition, and risk mitigation will be key to transforming and expanding HHS’ cyber programs into the healthcare sector.”

Sources within HHS noted that Wlaschin, who recently informed HHS leadership of his desire to spend more time with his family, delivered real change to HHS’ cybersecurity programs, which Vogel will help operationalize and mature.

HHS leadership also contends that the department has made significant strides in improving cybersecurity over the last year, with advancements that stem from the internal implementation of Einstein 3A and the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation program.

In choosing Vogel, HHS reached out to the CMS to assist in this next phase given the agency’s ability to bring organizations together, and its expertise in citizen-focused services. Moving forward, CMS best practices for protecting high value systems and data will be expanded across HHS to enhance cyber risk mitigation practices, according to HHS.

According to HHS, contrary to concerns about the HCCIC’s work given the changes to the top leadership positions, the cybersecurity center continues to move forward in support of the HHS’ efforts to protect the healthcare and public health sector against potential cybersecurity information technology threats or vulnerabilities. The HCCIC regularly coordinates with DHS, the lead agency combatting cyber threats.

HCCIC is being implemented in two distinct phases. Phase One apparently demonstrated HCCIC’s initial operating capability as evidenced by HHS’s ability to effectively articulate, and communicate about, threats to the healthcare and public health sector such as WannaCry and NotPetya. HHS is currently in the second phase of implementation which entails incorporating lessons learned from those ransomware attacks, and engaging subject matter experts from its operating divisions, external agencies and consultants to ensure policies, processes, capabilities and communications are clearly defined.

There have also been reports that HHS plans to rebrand HCCIC, with the renamed organization launching later this year, and housed in HHS headquarters.
