Congressional leaders say staff reassignments had ‘undeniable impacts’ on HHS cybersecurity capabilities

Patty Murray and Lamar Alexander during committee hearing
Sens. Patty Murray and Lamar Alexander are among four lawmakers questioning the departure of two HHS cybersecurity officials. (help.senate.gov)

The removal of two senior cybersecurity officials at the Department of Health and Human Services has had “undeniable impacts” on the agency’s ability to respond to cyberthreats, and thrown a new cybersecurity communications center in disarray, according to lawmakers.

In a five-page letter (PDF) to HHS Secretary Alex Azar, members of the House Energy and Commerce Committee and the Senate Committee on Health, Education, Labor and Pensions said “significant confusion” surrounds the role and status of the Healthcare Cybersecurity and Communications Integration Center following the departure of two senior officials tasked with overseeing the new initiative.

The letter, signed by Sens. Patty Murray, D-Wash., and Lamar Alexander, R-Tenn., along with Reps. Frank Pallone, D-N.J., and Greg Walden, R- Ore., noted that HHS credited HCCIC for helping the industry respond to last year’s WannaCry attack. But months later, the agency temporarily reassigned Deputy Cybersecurity Information Officer Leo Scanlon, and Maggie Amato, an HHS cybersecurity official tasked with directing HCCIC, citing an anonymous letter that claimed the pair received gifts from cybersecurity vendors.

Conference

13th Partnering with ACOS & IDNS Summit

This two-day summit taking place on June 10–11, 2019, offers a unique opportunity to have invaluable face-to-face time with key executives from various ACOs and IDNs from the entire nation – totaling over 3.5 million patients served in 2018. Exclusively at this summit, attendees are provided with inside information and data from case studies on how to structure an ACO/IDN pitch, allowing them to gain the tools to position their organization as a “strategic partner” to ACOs and IDNs, rather than a merely a “vendor.”

Amato resigned in September because of “increasingly hostile and retaliatory acts,” according to a letter from her attorney to HHS. Scanlon was recently reinstated to a telework position in which he is barred from interacting with staff or entering HHS offices. Both have denied the allegations.

In March, Scanlon told FierceHealthcare the HCCIC has been “derailed.” Former Chief Information Security Officer Chris Wlaschin left the agency for the private sector, citing personal reasons for his departure.

RELATED: HHS cybersecurity official relegated to telework position after 7-month suspension

The lawmakers said the departure of Scanlon and Amato are among several issues that raise concerns about HHS’ ability to respond to a cyberattack.

“Stakeholders have informed our staffs they no longer understand whether the HCCIC still exists, who is running it, or what capabilities and responsibilities it has,” the lawmakers wrote. “Responses to committee requests to HHS for clarification on these questions remain vague at best, and the lack of documentation provided continues to undermine HHS’s efforts to address the HCCIC’s status.”

The letter noted that HHS failed to include HCCIC in its “Cyber Threat Preparedness Report,” in April 2017 despite plans for the center to be fully operational in June 2017.

RELATED: Ousted HHS cybersecurity leaders demand answers about last year's sudden removal

The committee leaders asked HHS to update the report to include any changes to its cybersecurity strategies, a detailed explanation of the HCCIC and the challenges HHS faces as both a regulator and facilitator of cyberthreat information.

The HHS Office of Inspector General spokesperson previously confirmed that an investigation involving HCCIC is ongoing but would not provide additional details. Leaders of the House Energy and Commerce Committee have previously asked HHS to explain why Amato and Scanlon were reassigned. 

Suggested Articles

The FTC is suing Surescripts, accusing the health IT company of employing illegal restraints to maintain its monopolies over the e-prescribing market.

Boston-based Athenahealth is laying off a portion of its workforce to “decrease bureaucracy and consolidate capabilities" as part of a reorganization.

Ohio’s attorney general is continuing his war on PBMs, this time by proposing a multistep plan to improve transparency and lower drug costs.