HHS cybersecurity center so unstable staff don't know if it exists, Congress argues
The Senate HELP and House Energy and Commerce Committees are highly concerned about the U.S. Department of Health and Human Services’ cybersecurity plan, its preparedness and the lack of leadership at its Healthcare Cybersecurity and Communications Integration Center (HCCIC) -- and are demanding answers from HHS Secretary Alex Azar.
The bipartisan letter to Azar outlines a laundry list of issues with HHS’ security plan. Among them is the temporary reassignment of the two senior HCCIC officials in charge of its day-to-day operations.
HHS removed Deputy CISO Leo Scanlon and HCCIC Director Maggie Amato for what it called “ethics violations.” While Amato left HHS entirely, Scanlon stayed on to fight the allegations, which he argued were made in retaliation for whistleblowing; the situation is under investigation.
In May, Scanlon was finally brought back to the agency after more than 200 days on administrative leave -- to a minor telework role. Scanlon told Healthcare IT News in March that the HCCIC had been “decimated” -- a claim confirmed by the Congressional letter. The committees agree that Scanlon and Amato’s removal has had “undeniable impacts on HCCIC and the agency’s cybersecurity capabilities.”
Not only that, but “stakeholders have informed our staffs that they no longer understand whether the HCCIC still exists, who is running it or what capabilities and responsibilities it has,” the committees wrote. And the committees’ attempts to get clarification on these concerns have been met with answers that are “vague at best.”
The senators blasted the agency for failing to provide necessary documentation, a failure that “continues to undermine HHS’ efforts to address HCCIC status.” The committees had asked for documents related to HHS’ obligations under the Cybersecurity Information Sharing Act of 2015 -- but what was provided didn’t fully address those concerns.
According to the senators, HHS “failed to document HHS’ policies and procedures for responding to cybersecurity concerns or incidents that implicate multiple HHS operating divisions or offices.” Worse than the “policy gap,” they said, HHS lacked basic information about HCCIC and where it fits in the “larger healthcare cybersecurity picture.”
“HHS still has not produced the ‘common set of voluntary, consensus-based and industry-led guidelines, best practices, methodologies, procedures and process’ required by law,” the committees wrote.
While HHS -- and its outgoing CISO Chris Wlaschin -- continued to stress to the public that the HCCIC and its security efforts are ongoing, the senators wrote that HHS’ actions have “confounded efforts to understand how HHS meets its [security] obligations,” especially given “HCCIC’s instability.”
The crux of the concern stems from the HCCIC’s initially announced success: HHS credited the center with helping protect the U.S. from the global WannaCry attack in May, which crippled the U.K. National Health Service and other organizations around the world. The number of U.S. victims was remarkably smaller than in other countries, which HHS told Congress was due in part to HCCIC.
But after touting that success, the agency drastically altered its cybersecurity strategy, the committees wrote, and the reports given to the committees either omitted or lacked crucial information about these outstanding issues.
The committees are giving HHS until June 19 to respond to these concerns and to explain the HCCIC’s role and how it fits with “HHS’ broader cybersecurity capabilities and responsibilities.” They also asked for information on how internal HHS offices coordinate cybersecurity efforts and how HHS secures its own systems.