House investigating HHS over sidelined cybersecurity leaders
The House Energy and Commerce Committee is investigating the U.S. Department of Health and Human Services on whether it penalized its former Healthcare Cybersecurity Communications and Integration Center leaders for whistleblowing.
In a letter sent to HHS Acting Secretary Eric Hargan, Chairman Greg Walden, R-Oregon, Ranking Member Frank Pallone, D-New Jersey, and Ranking Member Diana DeGette, D-Colorado, ask HHS why two of its Healthcare Cybersecurity Communications and Integration Center leaders were recently sidelined.
The letter, sent late Tuesday night, said the committee is investigating whether HHS retaliated against the cybersecurity leaders -- Leo Scanlon and Margaret Amato --- for speaking with the Committee.
Further, the group is looking into whether recent actions by HHS have weakened the agency’s ability to respond and help stakeholders respond to cybersecurity incidents in the healthcare sector.
Until Sept. 6, Scanlon served as Deputy Chief Information Security Officer and the Designated Senior Advisor for Public Health Sector Cybersecurity. Amato served as Director of the Healthcare Cybersecurity Communications and Integration Center.
But on that date, Scanlon and Amato were told they were being temporarily detailed to unclassified duties. Amato went to another HHS building, while Scanlon was placed on full-time telework status.
The committee referenced a Sept. 28 meeting between the committee, Scanlon and Amato, that revealed HHS “shuffled” Amato around to a total of four positions over the course of a month, threatened her with the cancellation of pre-approved leave and “singled her out for the enforcement of arbitrary administrative requirements.”
Scanlon and Amato are alleging “these collective actions have effectively removed HCCIC’s leadership and suspended its activities.”
During the meeting, the two also alleged that a certain HHS official was responsible for these personnel actions, and that same official had knowledge of Scanlon and Amato’s communication with the committee -- a meeting that was under “protected communication.”
The investigation is still in the preliminary stages, according to the letter. However, the committee said its working under the assumption that these allegations appear credible. The committee has two major concerns: interference with constitutional duty to conduct oversight and cybersecurity.
“Communications with federal employees are essential to our ability to exercise [oversight] and interference with these communications potentially obstructs our oversight and possibly violates federal law,” the representatives wrote.
“Thus, any credible allegation that there has been HHS reprisal for an HHS employee communication with the Committee will receive immediate and careful scrutiny,” they added.
Further, the removal of Scanlon -- who was critical in the response to the U.S. response to the global WannaCry attacks in May -- raises a lot of questions of HHS’ commitment to providing effective cybersecurity leadership.
The committee is asking the HHS to brief its representatives by Nov. 28 on the allegations brought forward by Scanlon and Amato; the status of the investigation into the allegations; the reason Scanlon and Amato were reassigned and whether HHS took action against the two leaders for communicating with the committee.
HHS will need to provide the committee with whom is leading its cybersecurity efforts, since Scanlon was assigned to that role in the Cybersecurity Act of 2015. Further, HHS will need to show documents related to appointing an HHS leader for that position.
All communications and analysis of the effectiveness of the HCCIC will also need to be provided to the committee, along with all documents regarding Scanlon and Amato’s temporary assignments.