HHS cybersecurity center so unstable staff don't know if it exists, Congress argues

House and Senate committees criticize department with essentially the same case sidelined Deputy CISO Leo Scanlon made in March.

The Senate HELP and House Energy and Committees are highly concerned about the U.S. Department of Health and Human Services’ cybersecurity plan, preparedness and the lack of leadership of its Healthcare Cybersecurity and Communications Integration Center -- and is demanding answers from HHS Secretary Alex Azar. The bipartisan letter to Azar outlines a laundry list of issues at HHS when it comes to its security plan. Among them, includes the temporary reassignment of two senior HCCIC officials in charge of the day-to-day operations.

Leo Scanlon at a hearing examining the role of HHS in healthcare cybersecurity, on June 8, 2017. Credit-Energy & Commerce CommitteeHHS removed Deputy CISO Leo Scanlon and HCCIC Director Maggie Amato for what they called “ethics violations.” While Amato left HHS entirely, Scanlon stayed on to fight those allegations he argued were made for whistleblowing, and the situation is under investigation.In May, Scanlon was finally brought back to the agency after more than 200 days on administrative leave -- to a minor telework role. Scanlon told Healthcare IT News in March that the HCCIC was ‘decimated’ -- a claim confirmed by the Congressional letter. The committee agrees that Scanlon and Amato’s removal has had “undeniable impacts on HCCIC and the agency’s cybersecurity capabilities.”

Not only that but “stakeholders have informed our staffs that they no longer understand whether the HCCIC still exists, who is running it or what capabilities and responsibilities it has,” the commitees wrote. And attempts from the committee to gain clarification on these concerns are “vague at best.” The Senators blasted the agency for failing to provide necessary documentation that “continues to undermine HHS’ efforts to address HCCIC status.” The committees asked for documents to support the Cybersecurity Information Sharing Act of 2015 -- but what was given didn’t fully address those issues...