Congressional leaders say staff reassignments had ‘undeniable impacts’ on HHS cybersecurity capabilities

Sens. Patty Murray and Lamar Alexander are among four lawmakers questioning the departure of two HHS cybersecurity officials. (help.senate.gov)

The removal of two senior cybersecurity officials at the Department of Health and Human Services has had “undeniable impacts” on the agency’s ability to respond to cyberthreats and has thrown a new cybersecurity communications center into disarray, according to lawmakers.

In a five-page letter (PDF) to HHS Secretary Alex Azar, members of the House Energy and Commerce Committee and the Senate Committee on Health, Education, Labor and Pensions said “significant confusion” surrounds the role and status of the Healthcare Cybersecurity and Communications Integration Center following the departure of two senior officials tasked with overseeing the new initiative.

The letter, signed by Sens. Patty Murray, D-Wash., and Lamar Alexander, R-Tenn., along with Reps. Frank Pallone, D-N.J., and Greg Walden, R-Ore., noted that HHS credited HCCIC for helping the industry respond to last year’s WannaCry attack. But months later, the agency temporarily reassigned Deputy Cybersecurity Information Officer Leo Scanlon and Maggie Amato, an HHS cybersecurity official tasked with directing HCCIC, citing an anonymous letter that claimed the pair received gifts from cybersecurity vendors.

Amato resigned in September because of “increasingly hostile and retaliatory acts,” according to a letter from her attorney to HHS. Scanlon was recently reinstated to a telework position in which he is barred from interacting with staff or entering HHS offices. Both have denied the allegations.

In March, Scanlon told FierceHealthcare the HCCIC has been “derailed.” Former Chief Information Security Officer Chris Wlaschin left the agency for the private sector, citing personal reasons for his departure.

The lawmakers said the departures of Scanlon and Amato are among several issues that raise concerns about HHS’ ability to respond to a cyberattack.

“Stakeholders have informed our staffs they no longer understand whether the HCCIC still exists, who is running it, or what capabilities and responsibilities it has,” the lawmakers wrote. “Responses to committee requests to HHS for clarification on these questions remain vague at best, and the lack of documentation provided continues to undermine HHS’s efforts to address the HCCIC’s status.”

The letter noted that HHS failed to include HCCIC in its “Cyber Threat Preparedness Report” in April 2017, despite plans for the center to be fully operational in June 2017.

The committee leaders asked HHS to update the report to include any changes to its cybersecurity strategies, a detailed explanation of the HCCIC and the challenges HHS faces as both a regulator and facilitator of cyberthreat information.

The HHS Office of Inspector General spokesperson previously confirmed that an investigation involving HCCIC is ongoing but would not provide additional details. Leaders of the House Energy and Commerce Committee have previously asked HHS to explain why Amato and Scanlon were reassigned. 
