Recent healthcare cybersecurity leadership changes within HHS have pushed lawmakers to ask the agency why those changes took place.
Both Margaret Amato and Leo Scanlon emailed bipartisan staff on the House Committee on Energy and Commerce a cover letter and attachments “in what was described as ‘a protected communication’ pursuant to 5 U.S.C 7211 and U.S.C. 2302(b)(8),” a letter written to HHS Acting Secretary Eric Hargan explained.
The Committee wants to know if Amato and Scanlon were moved from their previous positions in response to sending the letter, and also whether the changes will “weaken the HHS role in responding, or assisting stakeholder responses” to healthcare cybersecurity incidents.
“On September 28, 2017, Ms. Amato and Mr. Scanlon met with bipartisan Committee staff to discuss information contained in the ‘protected’ disclosure,” the letter explained. “On October 5, 2017, counsel for Ms. Amato and Mr. Scanlon notified committee staff that subsequent to the disclosure to the Committee and the meeting with Committee staff, HHS had ‘shuffled’ Ms. Amato around to two other positions (for a total of four in the past month), threatened her with the cancellation of pre-approved leave, and singled her out for the enforcement of arbitrary administrative requirements.”
“Further, it was alleged that a certain HHS official was responsible for these personnel actions, and that there was reason to believe that this official had actual knowledge of Ms. Amato’s and Mr. Scanlon’s communications with the Committee.”
Amato had previously been Healthcare Cybersecurity Communications and Integration Center (HCCIC) Director. Scanlon was the Deputy Chief Information Security Officer and the Designated Senior Advisor for Public Health Sector Cybersecurity. Both were notified on September 6, 2017 that they were being “temporarily detailed to unclassified duties.”
The Committee also pointed out in its letter that Scanlon had testified on HCCIC’s response to the WannaCry ransomware outbreak.
“This hearing examined the ‘WannaCry’ ransomware outbreak, and, in particular, the role of HHS – and its recently-conceived HCCIC – in health care cybersecurity,” the Committee wrote. “Although it may be too early to evaluate the long-term merits or effectiveness of the HCCIC, it was widely recognized that the Department’s HCCIC took a central role in coordinating government resources and expertise, compiling and distributing relevant information, and generally serving as a hub for both public- and private-sector response efforts.”
Healthcare cybersecurity is becoming an increasingly critical issue in the country, the Committee stressed. The “recent and abrupt” changes raise numerous questions about HHS and its “commitment to providing effective leadership to the sector.”
HHS needs to explain why it temporarily removed key officials from their leadership positions, which might have also created structural changes to the HHS cybersecurity role.
“HHS’s apparent inability to provide stability and clarity about internal roles and responsibilities for cybersecurity risks undermining any recent progress made by the department in developing the trust and confidence within the health care sector necessary to provide leadership on this important topic,” the letter stated.
The Committee wishes to know what the allegations against Amato and Scanlon are, as well as the status and nature of those allegations. Lawmakers added that they also want HHS to explain whether the personnel actions were taken in response to Amato and Scanlon communicating with the Committee.
The HCCIC reorganization status should also be presented, along with the rationale behind the reorganization and “how HHS is ensuring that the HHS health care cybersecurity response will not be degraded in any way by recent personnel and organizational changes.”
HHS’ role in cybersecurity was previously reviewed by the House Subcommittee on Oversight and Investigations, where it was determined that patient safety and PHI security must be key focus areas.
In June 2017, the Subcommittee reviewed HHS cybersecurity reports and examined how the US can learn from recent large-scale cybersecurity issues to improve the reports’ effectiveness and applicability.
“HHS’s internal preparedness report sets out the roles and responsibilities of various HHS offices in managing cyber threats, among other information,” Subcommittee Chairman Tim Murphy explained in his opening statement.
“But what precisely does this mean, and how does this cybersecurity designee work with the eleven components identified by HHS as having cybersecurity responsibilities?” he continued. “In addition, the Committee has learned that many of the details may already be obsolete due to recent and ongoing changes in HHS’s internal structure.”