In May 2017, the Department of Health and Human Services decided to stand up its own version of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center in order to address the increasing cybersecurity risks to the health care sector.
But creating the Health Cybersecurity and Communications Integration Center, or HCCIC, was the easy part. Soon after, the newfound center landed in the spotlight, sparking agency and industry drama about the role and scope of HHS authorities in information sharing.
In less than a year, the HCCIC saw some of its chief leaders and proponents either leave the agency or be placed on administrative leave, and oversight reverted from the deputy chief information security officer and into the agency’s Atlanta, Georgia-based Cybersecurity Operations Division.
Trial by fire
In December 2015, Congress passed the Cybersecurity Act of 2015, which called for greater cyberthreat preparedness and information sharing in HHS and the health care industry.
“It was obvious that there was a clear direction from Congress for the agency to take a different approach than the one it had taken,” Leo Scanlon, HHS deputy chief information officer and special adviser to the deputy secretary, told Federal Times, reiterating statements he’d made to Congress in June 2017.
HHS then decided to engage the Carnegie Mellon Software Engineering Institute to figure out the best way to meet the new requirements. Based on those findings, the HCCIC was born.
The timing proved profound. In May 2017, just as the HCCIC was first being stood up, the WannaCry ransomware cyberattack swept across many industries and portions of the public sector by exploiting a vulnerability in Windows systems. And while the health care industry in Europe was heavily impacted by the attack, the U.S. health sector remained comparatively secure.
Many attributed this security to the newly founded HCCIC, which placed an industry representative in the HHS security operations center and held regular calls with industry during the attacks.
“The department’s actions in response to the WannaCry ransomware — coordinated through the newly established HCCIC — have generally received praise from the sector. This and other recent actions are positive signs that the department is heading in the right direction,” Rep. Greg Walden, R-Ore., said during a June 2017 hearing on the HHS response to the ransomware event.
Duplicative or indispensable?
But the fanfare faded quickly. Despite early success, some members of industry and government questioned whether the HCCIC’s efforts were duplicative of those made by the DHS NCCIC, and even other parts of HHS.
“Clear guidance and communication should be established to ensure private sector activities are supported and not duplicated by government programs,” said Daniel Nutkis, CEO of the HITRUST Alliance, in a June 2017 hearing with the Senate Homeland Security and Governmental Affairs Committee.
HITRUST is a Health Information Sharing and Analysis Organization — or ISAO — established to promote cooperation between government and industry.
The heart of this debate, according to an HHS official who spoke with Federal Times on the condition of anonymity, is a bureaucratic one: the difference, or lack thereof, between ISAOs and Information Sharing and Analysis Centers — or ISACs.
The concepts for ISACs was created through a 1998 presidential decision directive, and they are typically nonprofit organizations formed by critical infrastructure owners and operators to share information and best practices about physical and cyberthreats to their sector. They are congressionally chartered and must fulfill specific obligations to their members.
ISAOs are subsector specific groups that are formed to help share information about cybersecurity risks and to aid the sector in interacting with the federal government. A 2015 executive order directed DHS to encourage the development of these ISAOs, which “develop transparent best practices that align with the needs of all industry groups, not just those traditionally represented by ISACs,” according to the DHS website.
ISAC membership for the national health sector — or NH-ISAC — has been small when compared with the ISACs of other sectors, such as finance’s FS-ISAC, which has benefited from the Treasury Department’s encouragement of membership as an industry best practice.
Denise Anderson, president of the NH-ISAC, said in an April 2017 House Energy and Commerce Committee hearing on public-private partnerships in the health care sector that there is a great deal of “confusion and unnecessary effort” in the sector about ISAOs, when the ISACs already have the infrastructure to support the sector in emergency response.
Revising the reporting structure
In a July 2017 email conversation obtained by Federal Times that took place between HHS CIO Beth Killoran, then-chief information security officer Chris Wlaschin and Deputy CISO Leo Scanlon, Wlaschin laid out a new plan for the reporting structure of the HCCIC, taking it out from under Scanlon’s direct oversight and placing it under Cybersecurity Operations Director James Antonucci in the Atlanta office, which also included the Cyber Security Incident Response Center (CSIRC).
The HHS official confirmed that CISIRC had a close relationship with the HITRUST Alliance. Federal Times contacted HHS CIO Beth Killoran and HITRUST CEO Daniel Nutkis for comment and did not receive a response.
In the email conversation, Scanlon opposed the new model, claiming that because the HCCIC served an external-facing function to coordinate incident response with the rest of the health sector, it did not belong with the internal, operational-oriented Atlanta office.
“In our view, HCCIC is an ‘analytics engine’ that supports real-time threat assessment, evaluation and assessment of indicators, and reporting on defensive measures. It is linked to the threat analytics capabilities that exist in the Operating Divisions and among our sector partners, and it provides analytic support, commensurate with its resources, where capability does not exist,” Scanlon wrote.
Under its original structure, according to an HHS official, the HCCIC derives its external-facing authority through the assistant secretary for preparedness and response, or ASPR. Should that authority be moved under the HHS CIO, which only has internal authorities, the legality of the center can be called into question.
In a responding email, Wlaschin said that he was “won over” by Scanlon’s argument for the HCCIC’s role, though questioned whether then-HCCIC Director Maggie Amato needed help with managing the program.
However, in the agency’s fiscal 2019 budget justification, the organization chart reflects much of Wlaschin’s original model, and places the HCCIC under the cybersecurity operations division.
Wlaschin told Federal Times that HHS is building out a new HCCIC watch floor in the Washington, D.C., Humphrey building, but did not elaborate on the reporting structure for the center.
“The HCCIC is alive and well under new leadership,” Wlaschin said. “I am proud of my time at HHS, and I am confident that the HCCIC will continue to grow and mature into the health sector cyber collaboration organization it was envisioned to be.”
Personnel problems
As the email conversation about the future of the HCCIC was occurring, an anonymous letter — dated July 4, 2017, and addressed to Sens. Ron Johnson, R-Wis.; Claire McCaskill, D-Miss.; and Rep. Tim Murphy, R-Pa.; as well as members of the media — claimed that the HCCIC’s management was a “complete mess,” and was a duplication of the NCCIC.
The letter also said that HHS leadership abused decision-making power to stand up the HCCIC and that Amato, Scanlon and Cybersecurity Technology Adviser Vik Sinha had accepted special gifts of “tours of wineries, dinners, hot air balloon rides, private drivers and cars, and other amenities by companies like Splunk and FireEye.”
Scanlon told Federal Times that he, Amato and Sinha attended an NH-ISAC conference held at Walt Disney World in Orlando, Florida, at which balloon rides were present but not offered as part of the conference, and none of the HCCIC team went on the ride.
Amato and Scanlon were reassigned to temporary duties in September 2017, “to permit the agency to review allegations raised against the Office of the Chief Information Officer, Office of Information Security,” according to the reassignment memo.
Scanlon was placed on administrative leave on Oct. 19 that year, the day Amato resigned from her position at the agency. Scanlon said that neither he nor Amato have been given any explanation for the reassignment and subsequent placement on leave.
According to the HHS official, the review involved the allegations in the anonymous letter and concerns about Amato’s role in the award of a sole-source contract to Akiva Technologies, a veteran-owned small business that was to provide intelligence support to the HCCIC and its liaison to the NCCIC watch floor.
The official added that Wlaschin raised concerns about the award after reviewing the resumes of Akiva employees.
“This is highly unusual,” the HHS official said. “Resumes of the employees of a contractor are not relevant to an award decision, and neither Scanlon nor Amato have a warrant, nor were they involved in the selection decision — it was reviewed, approved and awarded by contracting authorities independent of the OIS.”
The official said that Wlaschin told HHS staff that Scanlon and Amato were removed so that there would be no interference with the OIG investigation.
But such an investigation never existed, said Charles McCullough, a partner at Tully Rinckey PLLC and the lawyer of Amato and Scanlon, in a March 12, 2018, letter to the HHS secretary.
“They were both recently advised, unequivocally and categorically, by senior investigators from the HHS OIG, that neither of them are currently or were at any time in the past under investigation by the OIG,” the letter stated. Also noted was that Scanlon continues to remain on administrative leave, despite a legal 120-day limitation on that kind of leave, which expired for Scanlon in February 2018. Federal Times confirmed with Scanlon that he was placed on temporary reassignment on May 9, 2018, after 200 days on administrative leave.
Employees can be moved to investigative leave for a longer period, but only if an investigative body signs off on it.
An HHS OIG spokesperson confirmed to Federal Times April 6 that “an OIG investigation involving HCCIC is/was ongoing,” though the spokesperson was unable to provide any further details.
Scanlon and Amato filed for whistleblower protection status with the HHS OIG in September 2017, McCullough told Federal Times, on the grounds that they were being targeted for their opposition to the HCCIC transformation. The two also filed for whistleblower protection status with the Energy and Commerce Committee, which confirmed that November that it was looking into whether the two experienced retaliation from management.
According to McCullough, it is possible that the OIG is asking the same question in its confirmed investigation.
McCullough, a former inspector general under President Barack Obama, said he was confident the OIG would get to the bottom of the HCCIC issues, adding: “I know blatant retaliation when I see it, and we intend to expose the truth, no matter how long it takes.”
The HCCIC director and deputy CISO roles at HHS have both been filled in an acting capacity since Amato’s resignation and Scanlon’s placement on administrative leave.
Wlaschin declined to comment on personnel matters. He left HHS, citing family health reasons, before being announced as vice president of systems security at Election Systems and Software.
This article has been changed to reflect a change in Leo Scanlon’s work status that occured after the time of original publication.
Jessie Bur covers federal IT and management.