Members of the House Committee on Energy and Commerce are looking into whether the Department of Health and Human services retaliated against two cybersecurity employees who made protected communications to the committee by detailing them to unclassified duties, according to a letter sent to the acting HHS secretary by committee leadership.
“The committee is examining whether the Department of Health and Human Services retaliated against two key cybersecurity officials for communicating with this committee as well as whether recent actions taken by the department potentially weaken the HHS role in responding, or assisting stakeholder responses, to cybersecurity incidents affecting the healthcare sector,” Reps. Greg Walden, R-Ore., Frank Pallone Jr., D-N.J., and Diana DeGette, D-Colo., wrote.
The two employees are Margaret Amato, who served as the director of the Healthcare Cybersecurity Communications and Integration Center until her Sept. 6, 2017 detailing away from the position, and Leo Scanlon, who served as the deputy chief information security officer and designated senior adviser for public health sector cybersecurity until his redesignation on the same date.
Amato was assigned to other work duties at a different HHS building, while Scanlon was placed on full-time telework status “to permit the agency time to review allegations raised against the Office of the Chief Information Officer.”
“Ms. Amato and Mr. Scanlon further alleged that the HCCIC office had been reorganized at the time or since they were notified of their temporary details, with the acting director located in Atlanta, Georgia under the HHS Computer Security Incident Response Center (CSIRC) rather than continuing to be located at HHS headquarters in Washington, D.C.,” the congressmen wrote. “Ms. Amato and Mr. Scanlon allege that these collective actions have effectively removed the HCCIC’s leadership and suspended its activities.”
The two HHS employees met with the committee on Sept. 28, 2017 to discuss information contained in their protected disclosure, according to the letter. A week later, counsel for Amato and Scanlon notified the committee that Amato had been shuffled around to two more positions, threatened with the cancellation of preapproved leave, and singled out for the enforcement of arbitrary administrative requirements after talking with the committee.
“It was alleged that a certain HHS official was responsible for these personnel actions, and that there was reason to believe that this person had actual knowledge of Ms. Amato’s and Mr. Scanlon’s communications with the committee,” the letter said.
Both Amato and Scanlon serve key roles in the functioning of the HCCIC, a healthcare sector information sharing center modeled after the National Cybersecurity Communications and Integration Center run by the Department of Homeland Security.
HHS officials have said that the recent WannaCry ransomware attack proved the value of the HCCIC, and the congressmen’s letter raised concerns that HHS would not be able to provide such services in the future.
“Although it may be too early to evaluate the long-term merits or effectiveness of the HCCIC, it was widely recognized that the department’s HCCIC took a central role in coordinating government resources and expertise, compiling and distributing relevant information, and generally serving as a hub for both public- and private-sector response efforts,” the letter said. “Given how critical healthcare cybersecurity is to the nation and the apparently central role of the new HCCIC in the department’s response to WannaCry, these recent and abrupt changes raise a number of questions about HHS and its commitment to providing effective leadership to the sector.”
The committee has requested that HHS brief them on the allegations related to the two employees, the status of the HCCIC reorganization and how the agency intends to address the HHS designee for cybersecurity role vacated by Scanlon by Nov. 28.
An HHS representative told Federal Times that they plan to respond to the committee in a timely manner and that they do not comment on personnel issues as a matter pf policy.