In light of many published media reports, including a Healthcare Informatics article posted Monday, regarding an ongoing controversy over the reassignment of top cyber leaders at the U.S. Department of Health and Human Services (HHS) and the ongoing work of its Healthcare Cybersecurity Communications Integration Center (HCCIC), the Office of the Inspector General (OIG) has responded with an official statement confirming that there is an investigation involving the HCCIC.
An OIG spokesperson provided a statement via email: “The OIG has a general practice of neither confirming nor denying the existence of an investigation being conducted by our office. However, because information has come to light that suggests that the OIG was conducting an investigation involving the Healthcare Cybersecurity and Communications Integration Center (HCCIC), we are willing to acknowledge that an OIG investigation involving HCCIC is/was ongoing. We are not at liberty to provide any further details at this time.’
The statement comes after an almost seven-month-long controversy over HHS’ fledging cyber operations center and the ousting of the center’s top leaders last fall. According to multiple media reports back in November, the fledging HCCIC became the center of a rumored investigation into contracting irregularities and possible fraud allegations. An anonymous complaint was lodged, alleging contracting improprieties. HHS Deputy CISO Leo Scanlon was put on administrative leave back in September, and the center’s director, Maggie Amato, has since resigned.
Scanlon and Amato allege they were targeted by disgruntled government employees and then retaliated against as whistleblowers.
The OIG statement does not offer any clarification as to whether the “HCCIC investigation” is focused on the allegations of contracting improprieties against Scanlon and Amato, or whether it’s referencing potential reprisals against whistleblowers.
New HHS CISO
As noted in the Healthcare Informatics article posted Monday, Janet Vogel, currently the deputy chief information officer at the Centers for Medicare & Medicare Services (CMS), will be moving over to take over the HHS Chief Information Security Officer (CISO) role, replacing Chris Wlaschin, who announced he was stepping down for personal reasons.
An HHS spokesperson provided the following statement: “During the month of April, CMS Deputy CIO, Janet Vogel, will detail from CMS into the role of CISO at HHS. Janet brings thirty years of federal experience to the position with the last 16 years at CMS. Her broad spectrum of skills in information technology, information security, organizational change, acquisition, and risk mitigation will be key to transforming and expanding HHS’ cyber programs into the healthcare sector.”
Sources within HHS noted that Wlaschin, who recently informed HHS leadership of his desire to spend more time with his family, delivered real change to HHS’ cybersecurity programs, which Vogel will help operationalize and mature.
HHS leadership also contend that the department has made significant strides at improving cybersecurity over the last year with advancements that stem from the internal implementation of Einstein 3A and the Department of Homeland Security (DHS) Continuous Diagnostic and Mitigation program.
In choosing Vogel, HHS reached out to the CMS to assist in this next phase given the agency’s ability to bring organizations together, and its expertise in citizen-focused services. Moving forward, CMS best practices for protecting high value systems and data will be expanded across HHS to enhance cyber risk mitigation practices, according to HHS.
According to HHS, contrary to concerns about the HCCIC’s work given the changes to the top leadership positions, the cybersecurity center continues to move forward in support of the HHS’ efforts to protect the healthcare and public health sector against potential cybersecurity information technology threats or vulnerabilities. The HCCIC regularly coordinates with DHS, the lead agency combatting cyber threats.
HCCIC is being implemented in two distinct phases. Phase One apparently demonstrated HCCIC’s initial operating capability as evidenced by HHS’s ability to effectively articulate, and communicate about, threats to the healthcare and public health sector such as WannaCry and NotPetya. HHS is currently in the second phase of implementation which entails incorporating lessons learned from those ransomware attacks, and engaging subject matter experts from its operating divisions, external agencies and consultants to ensure policies, processes, capabilities and communications are clearly defined.
There have also been reports that HHS plans to rebrand HCCIC, with the renamed organization launching later this year, and housed in HHS headquarters.