Amid Leadership Changes at HHS, Former Deputy CISO Speaks Out on Cybersecurity Center Controversy
Over the past seven months, there have been a number of events that have upended top technology and cyber leadership at the U.S. Department of Health and Human Services (HHS), and some healthcare leaders are questioning the status of HHS’s cyber operations center, which launched just last June.
Now, there are reports that there will be a new HHS chief information security officer (CISO) to replace Chris Wlaschin, who is resigning from the role effective March 31.
According to reports from Federal News Radio, Janet Vogel, currently the deputy chief information officer at the Centers for Medicare & Medicare Services (CMS), will be replacing Wlaschin, who announced he was stepping down for personal reasons.
However, Wlaschin’s resignation, and the leadership changes in the agency’s top cyber position, come amid an almost seven-month-long controversy over HHS’ fledging cyber operations center and the ousting of the center’s top leaders last fall. The center’s director, Maggie Amato, has since resigned, and the former deputy CISO, Leo Scanlon, has been on involuntary leave for the past six months. In a letter provided by their attorney, Charles McCullough, III, both Scanlon and Amato contend that there was no legitimate basis for their reassignments, and that they were retaliated against as whistleblowers.
The Healthcare Cybersecurity Communications Integration Center (HCCIC), which went live at the end of June 2017, was established to protect the nation’s healthcare system from cyber attack. HCCIC focuses its efforts on analyzing and disseminating cyberthreats across the healthcare industry in real time. Wlaschin has been overseeing the cyber center in Amato and Scanlon’s absence. According to an interview with Nextgov, Wlaschin said his resignation was entirely for personal and family reasons, and unrelated to disputes over the HCCIC.
When Healthcare Informatics contacted HHS regarding whether there was or had been an Office of the Inspector General (OIG) investigation into allegations against Scanlon and Amato or an investigation into reprisal complaints from Scanlon and Amato, an agency spokesperson responded via email, “At this time, I cannot confirm or deny OIG investigations into Scanlon or Amato, nor can I confirm or deny the existence or receipt of any whistleblower complaints.”
The controversy regarding top tech and cyber positions at HHS is a tangled web of personal and policy disputes, and, according to Scanlon in a published statement provided by his attorney, the net effect of the reassignments has been that “the HCCIC initiative, which played such an important and promising role during the WannaCry incident, has been derailed.” Further, Scanlon states that “the Critical Infrastructure Protection Program of HHS once again lacks a cybersecurity component, and the NH-ISAC [National Health Information Sharing and Analysis Center] has no functioning partners in the agency.”
Top Leaders Reassigned
According to multiple media reports back in November, the fledging HCCIC became the center of a rumored investigation into contracting irregularities and possible fraud allegations. An anonymous complaint was lodged, alleging contracting improprieties with regards to steering a no-bid contract to an individual with personal connections to Amato. Scanlon was put on administrative leave back in September, and Amato left the government.
According to an article written by Politico’s Darius Tahir back in November, “An HHS official says the agency is investigating irregularities and possible fraud in contracts they signed. The two executives, Leo Scanlon and Maggie Amato, allege they were targeted by disgruntled government employees and private-sector companies worried the cyber center would take away some of their business.”
In his published statement provided through his attorney, Scanlon, who is still on administrative leave, wrote: “Over 200 days ago, Chris Wlaschin removed Maggie Amato and I from our positions as the leaders of the HHS HCCIC. He cut us off from colleagues, denied us access to HHS facilities, removed our security clearances, and told agency officials, the Congress and the media that this was a response to an ongoing investigation by the OIG into anonymous and unsubstantiated allegations directed against OCIO [office of the chief information officer] staff and leadership. These allegations were spread by HHS employees who sought to stop the HCCIC initiative. Wlaschin took his actions without recommendations from any investigative entity, and in fact, without any investigation being underway at all.”
In a March 12 letter to HHS Secretary Alex Azar, McCullough, a partner with Washington, D.C.-based Tully Rinckey, LLC, and who represents both Scanlon and Amato, wrote that he wanted to call Azar’s attention to “significant irregularities and possible violations of law" carried out by HHS in the treatment of these employees. According to McCullough’s letter, Scanlon and Amato were removed from their positions, without warning, on September 6 by Wlaschin and reassigned to “unclassified temporary duties.”
McCullough also wrote in the letter to Sec. Azar that Wlaschin “stated under oath that the allegations against Scanlon and Amato were being investigated by the HHS Office of Inspector General.”
On September 19, Scanlon and Amato reported these and numerous other agency-related improprieties to Congress, and gained whistleblower status. Scanlon and Amato, as stated in the letter, contend that they were then retaliated against. “Ms. Amato was thereafter subjected to a series of increasingly hostile and retaliatory acts which forced her resignation. On the day after Ms. Amato was driven out, Mr. Scanlon was placed on Administrative Leave with no explanation,” according to McCullough’s letter to Sec. Azar.
The 120-day limit on administrative leave ended Feb. 18, but, as of March 12, Scanlon was still on paid administrative leave. According to McCullough’s letter, Scanlon and Amato were recently made aware that the HHS OIG was not, nor ever had been, investigating them.
In his public statement, Scanlon wrote: “In an interview with OIG investigators, in February, my attorney and I were told that neither Amato nor I were under investigation or had ever been under investigation with regard to the allegations Wlaschin presented to them. Yet, in sworn depositions, Wlaschin stated that the personnel actions taken against Amato and me were based on an 'OIG investigation.' The investigators explained that as with any federal investigative entity, all complaints received by the OIG are reviewed, but a review is not an investigation. Wlaschin has admitted that he was never contacted by OIG or ethics officials after submitting his complaints. The claims of an OIG investigation were and are reckless misrepresentations.”
Meanwhile, the House Energy and Commerce committee also is reviewing the situation. In a letter dated Nov. 14 to then Acting HHS Secretary Eric Hargan, House E&C committee chairman and ranking members wrote that the committee is examining whether HHS retaliated against two key HHS cybersecurity officials for communicating with the committee “as well as whether recent actions by the department potentially weaken the HHS role in responding, or assisting stakeholder response, to cybersecurity incidents affecting the healthcare sector.”
Scanlon and Amato are requesting an in-person meeting with Secretary Azar to resolve the situation, McCullough wrote. The letter from McCullough also suggests resolution through other means, such as Congressional committees, the Equal Employment Opportunity (EEO) Commission and the Office of Special Counsel.
It’s been reported that HHS’s inspector general has interviewed Scanlon and Amato as part of their reprisal complaint. “It is our understanding that they take whistleblower reprisal very seriously, and that they are actively looking into the allegations of retaliation made by Mr. Scanlon and Ms. Amato,” McCullough, Scanlon and Amato’s attorney, said in a statement. “We fully expect the truth to come out soon.”
Status of HHS Cybersecurity Center?
Controversy about the HCCIC goes back to the center’s inception. According to many media reports, including an article by Nextgov, some industry officials and lawmakers believe that the HCCIC duplicates the work already being done by the Department of Homeland Security and the healthcare industry.
According to Scanlon and other healthcare officials, the reassignments have put the HCCIC’s work on hold, and at a time when the healthcare industry is facing evolving, persistent cyber threats.
During a House Energy and Commerce Oversight subcommittee hearing back in June, Scanlon touted the HCCIC's success in light of the WannaCry ransomware attack in March 2017. While the malware attack severely impacted the National Health Service in the UK, WannCry’s effect was ultimately minimal in the U.S. Scanlon reported that HCCIC played an integral role in HHS’ coordinated response to the WannaCry incident as HCCIC analysts provided early warning about the impact to health care. Scanlon testified that during the WannaCry attack and throughout the following days HHS took a central role in coordinating government resources, compiling and distributing relevant information, and generally serving as a hub for both public-and private-sector response efforts.
Top lawmakers on the House Energy and Commerce committee also voiced concerns about how the abrupt changes that took place back in September would impact the HCCIC. In the letter to Acting HHS Secretary Hargan, they wrote, “Given how critical health care cybersecurity is to the nation and the apparently central role of the new HCCIC in the Department’s response to WannaCry, these recent and abrupt changes raise a number of questions about HHS and its commitment to providing effective leadership to the sector. HHS’s apparent inability to provide stability and clarity about internal roles and responsibilities for cybersecurity risks is undermining any recent progress made by the department in developing the trust and confidence within the health care sector necessary to provide leadership on this important topic.”
There are rumors that HHS’s cyber information-sharing center, the HCCIC, will be rebranded and will be housed within Homeland Security in order to align with DHS’s information-sharing efforts. Speaking during a phone interview, Scanlon contends that the effort to create a healthcare-specific cybersecurity information-sharing center is now "back to square one.”
“It’s a tremendous risk to the healthcare industry. The purpose of HCCIC was to set up and establish the kinds of collaborative communication channels that were demonstrated in WannaCry. And, absent a robust relationship between ASPR [the HHS Office of Assistant Secretary for Preparedness and Response] and the NH-ISAC with the healthcare sector, the ability of HHS to leverage it’s very real, very robust emergency response capabilities in a cyber-related incident is diminished. With the WannaCry attack, the reason the sector was well-served was that the agency was finally prepared to do what it’s supposed to be doing as a sector-specific agency. It’s not prepared to do that as this point. In practical, operational terms, it’s back to square one.”
