The removal of two senior cybersecurity officials at the Department of Health and Human Services has had “undeniable impacts” on the agency’s ability to respond to cyberthreats, and thrown a new cybersecurity communications center in disarray, according to lawmakers.
In a five-page letter (PDF) to HHS Secretary Alex Azar, members of the House Energy and Commerce Committee and the Senate Committee on Health, Education, Labor and Pensions said “significant confusion” surrounds the role and status of the Healthcare Cybersecurity and Communications Integration Center following the departure of two senior officials tasked with overseeing the new initiative.
The letter, signed by Sens. Patty Murray, D-Wash., and Lamar Alexander, R-Tenn., along with Reps. Frank Pallone, D-N.J., and Greg Walden, R- Ore., noted that HHS credited HCCIC for helping the industry respond to last year’s WannaCry attack. But months later, the agency temporarily reassigned Deputy Cybersecurity Information Officer Leo Scanlon, and Maggie Amato, an HHS cybersecurity official tasked with directing HCCIC, citing an anonymous letter that claimed the pair received gifts from cybersecurity vendors.
Amato resigned in September because of “increasingly hostile and retaliatory acts,” according to a letter from her attorney to HHS. Scanlon was recently reinstated to a telework position in which he is barred from interacting with staff or entering HHS offices. Both have denied the allegations.
In March, Scanlon told FierceHealthcare the HCCIC has been “derailed.” Former Chief Information Security Officer Chris Wlaschin left the agency for the private sector, citing personal reasons for his departure.
The lawmakers said the departure of Scanlon and Amato are among several issues that raise concerns about HHS’ ability to respond to a cyberattack.
“Stakeholders have informed our staffs they no longer understand whether the HCCIC still exists, who is running it, or what capabilities and responsibilities it has,” the lawmakers wrote. “Responses to committee requests to HHS for clarification on these questions remain vague at best, and the lack of documentation provided continues to undermine HHS’s efforts to address the HCCIC’s status.”
The letter noted that HHS failed to include HCCIC in its “Cyber Threat Preparedness Report,” in April 2017 despite plans for the center to be fully operational in June 2017.
The committee leaders asked HHS to update the report to include any changes to its cybersecurity strategies, a detailed explanation of the HCCIC and the challenges HHS faces as both a regulator and facilitator of cyberthreat information.
The HHS Office of Inspector General spokesperson previously confirmed that an investigation involving HCCIC is ongoing but would not provide additional details. Leaders of the House Energy and Commerce Committee have previously asked HHS to explain why Amato and Scanlon were reassigned.