Sidelined HHS Deputy CISO blasts agency, claims security center 'decimated'

After being abruptly placed on admin leave, Leo Scanlon opens up about his 150-day leave, “dirty politics,” and what it means for the future of the HCCIC cybersecurity initiative.
By Jessica Davis
12:38 PM
Share
HHS HCCIC cybersecurity initiative

Leo Scanlon at a hearing examining the role of HHS in healthcare cybersecurity, on June 8, 2017. Credit: Energy & Commerce Committee

With reports that Health and Human Services Chief Information security officer Christopher Wlaschin stepping down at the end of this month, the department’s role in leading and facilitating security efforts in healthcare and other industries is more uncertain than ever. 

The HHS Healthcare Cybersecurity Communications and Integration Center, in fact, has already been at the center of ongoing questions since Sept. 6, 2017, when HHS Deputy CISO Leo Scanlon and HCCIC Director Maggie Amato were abruptly reassigned for what they said was an investigation into allegations for “ethics violations.”

[UPDATE: CMS Deputy CIO Janet Vogel to replace outgoing HHS CISO Wlaschin]

The House Energy and Commerce Committee is currently investigating HHS to determine whether it penalized Scanlon and Amato for whistleblowing. While the investigation is pending, the committee is operating under the assumption these allegations appear credible.

The committee has two major concerns: interference with the constitutional duty to conduct oversight and cybersecurity.

150 days and counting

Scanlon and Amato were first temporarily assigned to unclassified duties in separate locations, while Scanlon was placed on full-time telework status. After a total of four new assigned positions over the course of a month, Scanlon was put on administrative leave and Amato resigned.

As of Wednesday, Scanlon has been on paid administrative leave for just over 150 days -- despite the 120-day limit on government leaves. Scanlon told Healthcare IT News that his treatment has “no precedent” and the OIG investigator, his attorney and other tech leaders have not seen anything like this.

[UPDATE: Outgoing HHS CISO Chris Wlaschin opens up about his departure]

To make matters worse, Scanlon said he was recently informed by HHS that neither he nor Amato are now or have ever been under investigation. The news came as quite a shock, given that Scanlon was told his leave and assignment shuffling was based on that fact.

"As a matter of policy, the U.S. Department of Health and Human Services does not comment on matters related to pending litigation," an HHS spokesperson said. "In regards to HCCIC – we are always working with our partners across the government and the private sector to continue to improve our Nation’s cybersecurity."

And since no one from HHS has contacted Scanlon about these details since Sept. 6. Scanlon said he has essentially been left in the dark. While others in the industry have told him that HHS procedures are notorious for being difficult, his situation is certainly unique.

An HHS spokesperson told Healthcare IT News said they were looking into Scanlon’s situation, but did not share further details. This story will be updated if more information becomes available.

The uncertain fate of HCCIC

HHS’ HCCIC had overwhelming support from Congress and industry leaders when it launched as part of a partnership with the National Health Information Sharing and Analysis Center (NH-ISAC). 

It was designed to take a leadership role facilitating threat intelligence and other cybersecurity related information sharing and, in fact, played a pivotal role in fighting the global WannaCry attack in June of 2017. 

[Also: House investigating HHS over sidelined cybersecurity leaders]

“The threat has changed, the problem has changed,” Scanlon told the House Energy and Commerce Committee following the attack. “There are matters that need to be brought to light … Organizations are now being attacked on a level they aren’t capable of handling on their own.”

At that same meeting, Scanlon touted the efforts of the HCCIC and the progress it was making to coordinate on cybersecurity threats within the healthcare community.

[Also: HHS targeting outdated regs in wake of damning cybersecurity report, WannaCry]

But with the removal of HCCIC leadership and HHS Chief Information Security Officer Chris Wlaschin reportedly stepping down from his role on March 31, the future of HCCIC and, in turn, HHS taking a leadership role in healthcare cybersecurity, is uncertain, to say the least. 

“At the moment, there is no HCICC. It’s been completely decimated,” said Scanlon. “There’s no active committee for response … The short-term trajectory was to be physically and organically aligned with the NH-ISAC.”

“The agency has abandoned the committee that was made with HCCIC and that’s a big loss for NH-ISAC, which now has no partnership,” he added. “The agency is trying to avoid a real answer to that question.” 

Digging in his heels

When asked why he didn’t resign with Amato, he cracked a few jokes, but most notably Scanlon said: “You pick a fight with me -- you finish it.”

He added that he chose to fight because he’s at the apogee of his career. 

“I felt it was important to have a dead body, lying on the floor, so no one could walk away from it. Because it was clear they were going to push this under the rug,” Scanlon said. “We just don’t understand what happened. That’s a shock that forces someone to say: What are you doing? What is going on here? To force the issue.”

There are a lot of administrative tools available to address the situation, and they can be put into place and set into motion, he explained. 

Scanlon insisted that his situation is not dire, both financially and with his reputation. HHS recently approved his request to consult while on leave, and he also feels supported by his colleagues, friends and others in the industry.

“This is dirty politics,” said Scanlon. “Everyone needs delegation -- that’s the end game.”

 

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com