Posted in Policy

Is HHS shortchanging healthcare cybersecurity preparedness?

Chris Nerney, Contributing Writer

Turmoil and lack of leadership within the U.S. Department of Health and Human Services (HHS) may be jeopardizing the federal agency’s cybersecurity plans, according to members of Senate and House subcommittees in a letter to HHS Secretary Alex Azar.

Specifically, the letter expressed concern about the ability of HHS’s Healthcare Cybersecurity and Communications Integration Center (HCCIC) to function effectively after two senior HCCIC officials were temporarily – and controversially – removed from their jobs last September.

HHS Deputy CISO Leo Scanlon and HCCIC Director Maggie Amato were reassigned that month after being accused in an anonymous letter of accepting gifts and other “special treatment” from cybersecurity vendors.

Amato resigned, but Scanlon fought the allegations, arguing that the pair was being punished for alleged whistleblowing. Scanlon was put on administrative leave for more than 200 days. He returned to work in May, but was relegated to a relatively menial job. Their treatment prompted an investigation late last year by the House Energy and Commerce Committee.

In Tuesday’s letter to Azar, the party leaders of that committee and of the Senate Committee on Health, Education, Labor, and Pensions argued that the removal of the pair from their leadership roles within HHS has had “undeniable impacts on HCCIC and the agency’s cybersecurity capabilities.”

“As cyber threats to the health care sector increase in frequency and severity, it is imperative that HHS provide clear and consistent leadership and direction to the sector regarding cyber threats,” the letter said.

Instead, the committee leaders asserted, HHS hasn’t provided sufficient details of its cybersecurity plans, while its overall strategy continues to change. The letter asks Azar for information regarding the "Cyber Threat Preparedness Report" (CTPR) required by Section 405 of the Cybersecurity Information Sharing Act of 2015 (CISA).

“While the CTPR provided a high-level overview of the cybersecurity responsibilities of each HHS office and operating division, the report omitted or lacked sufficient detail on many outstanding issues,” the letter said. “For example, HHS is both a regulator of the health care sector and the Sector Specific Agency (SSA) responsible for leading and providing guidance under the national critical infrastructure protection model. HHS must make clear how it plans to carry out this dual role and clearly communicate to stakeholders, who must balance the need for support from HHS during cybersecurity incidents with the perceived risk that seeking support could lead to regulatory enforcement actions.”

The CTPR also “failed to document HHS's policies and procedures for responding to cybersecurity concerns or incidents that implicate multiple HHS operating divisions or offices,” the letter said. The lawmakers urged HHS to update the CTPR to “include any and all changes, modifications, and evolutions that have occurred in HHS cybersecurity strategies since its original drafting.”

They also asked for clarification regarding the “role of HHS, including the responsibility of HHS offices and operating divisions, in securing its own internal information systems as compared to its role in providing guidance, information, education, training, and assistance to the health care sector, and how it will differentiate between those two roles.”