Congressional Leaders Call Out HHS Leaders on Healthcare Cybersecurity Center

June 11, 2018
A bipartisan group of U.S. Senators and U.S. Representatives wrote a joint letter June 5 to HHS Secretary Alex Azar voicing concerns and confusion about the status of the one-year-old Healthcare Cybersecurity and Communications Integration Center, and HHS’ overall cybersecurity capabilities.

A bipartisan group of U.S. Senators and U.S. Representatives wrote a joint letter June 5 to U.S. Department of Health and Human Services (HHS) Secretary Alex Azar voicing concerns and confusion about the status of the one-year-old Healthcare Cybersecurity and Communications Integration Center (HCCIC), and HHS’ overall cybersecurity capabilities.

The disorganization and drama around the fledging HCCIC goes back more than a year. The HCCIC was announced back in April 2017 by the then-HHS deputy Chief Information Security Officer, Leo Scanlon, and the center went live in June 2017. HCCIC was established to protect the nation’s healthcare system from cyber attack and was designed to focus its efforts on analyzing and disseminating cyberthreats across the healthcare industry in real time, according to HCCIC officials at the time.

However, since that time, there has been ongoing controversy over the reassignment of top cyber leaders at HHS and the work of the HCCIC. According to multiple media reports back in November, the fledging HCCIC became the center of a rumored investigation into contracting irregularities and possible fraud allegations. An anonymous complaint was lodged, alleging contracting improprieties. Scanlon was put on administrative leave back in September, and the center’s director, Maggie Amato, has since resigned. Chris Wlaschin then stepped in to the HHS CISO role, but stepped down March 31 and was replaced with Janet Vogel, previously the deputy chief information officer at the Centers for Medicare & Medicaid Services (CMS).

As previously reported by Healthcare Informatics, the controversy regarding top tech and cyber positions at HHS is a tangled web of personal and policy disputes, and, according to Scanlon in a published statement provided by his attorney back in March, the net effect of the reassignments has been that “the HCCIC initiative, which played such an important and promising role during the WannaCry incident, has been derailed.” Further, Scanlon states that “the Critical Infrastructure Protection Program of HHS once again lacks a cybersecurity component, and the NH-ISAC [National Health Information Sharing and Analysis Center] has no functioning partners in the agency.”

It seems Congressional leaders are also concerned about the current role and status of HCCIC. In the five-page letter, members of the House Energy and Commerce Committee and the Senate Committee on Health, Education, Labor and Pensions noted that when the HCCIC was announced a year ago, there were few details provided, “offering little clarity on how HCCIC would fit into the larger healthcare cybersecurity picture and raising concerns that HCCIC could duplicate work by entities such as the National Health-Information Sharing and Analysis Center (NH-ISAC).”

And, the lawmakers cited the leadership changes, specifically the reassignment of senior officials responsible for the day-to-day operation of the HCCIC, as one of their top concerns. “HHS’s removal of senior HCCIC personnel has had undeniable impacts on HCCIC and HHS’s cybersecurity capabilities.”

In the same week that the letter was sent to Azar, the House Energy and Commerce health subcommittee held a hearing on the reauthorization of the Pandemic and All-Hazards Preparedness Act, legislation that seeks to enhance the nation’s ability to prepare for and respond to health threats from infectious diseases, bioterrorism, chemical attacks, radiological emergencies and cybersecurity incidents. The bill proposes moving the HCCIC from the HHS’s Office of the Chief Information Officer to the Assistant Secretary for Preparedness and Response (ASPR), also within HHS.

During that hearing, Erik Decker, CISO and chief privacy officer at the University of Chicago Medicine, testified that there’s confusion about the status of HCCIC as well as the cybersecurity roles of various agencies at HHS, and the confusion is hindering many healthcare organizations from participating in cyber intelligence sharing,

The letter, signed by Sens. Patty Murray, D-Wash., and Lamar Alexander, R-Tenn., along with Reps. Frank Pallone, D-N.J., and Greg Walden, R- Ore., also noted, “Stakeholders have informed our staffs that they no longer understand whether the HCCIC still exists, who is running it, or what capabilities and responsibilities it has. Responses to committee requests to HHS for clarification on these questions remain vague at best, and the lack of documentation provided continues to undermine HHS’s efforts to address the HCCIC’s status.”

And, and lawmakers wrote, “HHS’s private and public representation of the HCCIC as central to its cybersecurity efforts has confounded efforts to understand how HHS meets its obligations related to cybersecurity given the HCCIC’s instability.”

The lawmakers are also concerned that HHS has failed to provide a Cyber Threat Preparedness Report as required by the Cybersecurity Information Sharing Act of 2015. The HCCIC developments and the lack of a CTPR “raises concerns about HHS’s ability to address the growing number and severity of cyber threats facing the health care sector,” the lawmakers wrote.

Congressional leaders are demanding an updated CTPR with a detailed explanation of the HCCIC, its roles and responsibilities, how its work and operations intersect with the NCCIC and NH-ISAC and how it fits into HHS’s broader cybersecurity capabilities and responsibilities.

In a broader sense, the lawmakers also raised concerns about HHS operating as both a regulator of the healthcare sector and the Sector Specific Agency (SSA) responsible for leading and providing guidance under the national critical infrastructure protection model. “HHS must make it clear how it plans to carry this dual role and clearly communicate to stakeholders, who must balance the need for support from HHS during cybersecurity incidents with the perceived risk that seeking support could lead to regulatory enforcement actions,” the lawmakers wrote.

Congressional leaders are asking for HHS leaders to clarify how it plans to differentiate those dual roles, regulator and SSA for healthcare, and how it plans to transition between the two roles.