Congress stepping in after reorganizations, leadership vacuum leave HCCIC fate unclear

The Health and Human Services Department doesn’t want to talk about its Health Cybersecurity and Communications Integration Center. And that’s no surprise, since it doesn’t seem to know what to do with it, and no one who was responsible for standing it up is involved with it anymore.

Lawmakers from the House Committee on Energy and Commerce and the Senate committee on Health, Education, Labor and Pensions sent a letter on June 5 to HHS Secretary Alex Azar pointing out some significant omissions in the department’s Cybersecurity Threat Preparedness Report, which the department is required to submit to Congress. The report is supposed to detail HHS’ responsibilities and preparedness to deal with cyber threats in health care.

Yet, according to the letter, the report made no mention whatsoever of the HCCIC. Which is strange, because the HCCIC was supposed to be the linchpin in HHS’ plans to coordinate information sharing about major cyber threats to the health care sector. The concept is based on the Homeland Security Department’s National Cybersecurity and Communications Integration Center (NCCIC), but with a more specific focus.

But documents obtained by Federal News Radio show an internal disagreement within the HHS Office of Information Security in 2017 as to how the HCCIC fits into its structure.

Advertisement

Organization and Leadership

In July 2017, then-Chief Information Security Officer Chris Wlaschin decided to reorganize the HCCIC under the purview of the OIS Security Operations Division, alongside the internally-facing Computer Security Incident Response Center (CSIRC) and the Network Operations/Security Operations Center (NOC/SOC).

But then-Deputy CISO Leo Scanlon argued that the HCCIC was never designed for operational purposes. Instead, it was supposed to serve an analytics function and provide sectorwide supporting. This was best illustrated during the WannaCry incident in May 2017, which prompted HHS to activate the HCCIC one month early.

“In the recent WannaCry immobilization,  HCCIC analysts provided early warning of the potential impact of the attack and HHS responded by putting the secertary’s operations center on alert,” Scanlon said during a June 8, 2017  House Energy and Commerce subcommittee hearing. “This was the first time that a cyber attack was the focus of such a mobilization and HCCIC was able to support [the Office of the Assistant Secretary for Preparedness and Response] interactions with the sector by providing real time cyber situation awareness, best practices guidance and coordination.”

In the end, Wlaschin relented, and the HCCIC stood as its own entity under the purview of the deputy CISO.

Until, that is, Scanlon and HCCIC Director Maggie Amato were removed from their positions without warning on Sept. 6, 2017 by Wlaschin, and reassigned to “unclassified temporary duties.” Wlaschin stated that this was so HHS could review allegations against them, and that both Scanlon and Amato were under investigation by the HHS Office of Inspector General. The HHS OIG confirmed in March that an investigation into the HCCIC is ongoing, though it did not confirm whether subject of the investigation was Scanlon and Amato’s conduct, as Wlaschin stated, or the allegations of unfair treatment and whistleblower reprisals Scanlon and Amato raised against Wlaschin.

At some point after the two were removed, HCCIC once again found itself under the purview of Cybersecurity Operations, as evidenced by HHS’ Public Health and Social Services Emergency Fund justification, published in March. This is exactly where Wlaschin had originally tried to place it in July 2017. In that budget justification, HCCIC does not have its own line-item in the proposed budget. It instead is included with the CSIRC.

Then Wlaschin resigned his position in March, citing personal reasons. With Scanlon and Amato no longer connected to the HCCIC, no one involved in setting it up was left in a leadership position.

“Stakeholders have informed our staffs that they no longer understand whether the HCCIC still exists, who is running it, or what capabilities and responsibilities it has,” lawmakers wrote in the June 5 letter. “Responses to committee requests to HHS for clarification on these questions remain vague at best, and the lack of documentation provided continues to undermine HHS’ efforts to address the HCCIC’s status.”

Lawmakers get involved

Now lawmakers are considering reorganizing it yet again, this time to the Office of the Assistant Secretary for Preparedness Response (ASPR). The House Energy and Commerce Health Subcommittee discussed the Pandemic and All-Hazards Preparedness Reauthorization Act of 2018 during a June 7 hearing. The subcommittee’s draft of the bill would make ASPR responsible for “the ability of the healthcare sector to provide continuity of care during a cybersecurity incident,” and place the HCCIC within its structure.

“How has HHS addressed its cybersecurity strategies to confront the changing cyber threats and what more needs to be done in your recommendations?” Rep. Billy Long (R-Mo.) asked Dr. Robert Kadlec, ASPR, during the hearing. Kadlec opted to provide his response on the record, and the committee has not yet received that, according to a committee staffer.

Long also asked Erik Decker, chief security and privacy officer for University of Chicago Medicine, whether HHS could repeat its performance in the event of another situation similar to WannaCry.

“The means by which HHS is facilitating the process versus the means by which information sharing and analysis centers facilitate technical and distribute technical information down to the health systems, I think there is some better coordination that could occur there, as well as some further monitoring of the other critical infrastructures that is occurring,” Decker said.

He also said there is some hesitancy and confusion among the health care sector about whether they should contact HHS, and what organization to contact specifically, should such an event occur.

“A lot of focused education and awareness I think would be important,” Decker said. “Designating a very specific agency that’s going to be responsible for coordinating with the sector, with the industry, is I think very important.”

That agency was supposed to be the HCCIC. One year after its successful debut, no one is sure if that’s the case anymore.