A fledgling HHS initiative to protect the nation’s health care system from cyberattack has been paralyzed by the removal of its two top officials amid allegations of favors and ethical improprieties.
The executive running the Health Cybersecurity and Communications Integration Center was put on administrative leave in September, while his deputy left the government. An HHS official says the agency is investigating irregularities and possible fraud in contracts they signed.
The two executives, Leo Scanlon and Maggie Amato, allege they were targeted by disgruntled government employees and private-sector companies worried the cyber center would take away some of their business.
What is not in dispute is that their departures have put the center’s work on hold and left many health care officials worried about its fate at a time when cyberattacks on hospitals and other health care institutions have become increasingly prevalent. A ransomware attack last summer cost pharmaceutical giant Merck nearly $300 million in lost revenues and other costs in the third quarter of 2017 alone. More than a dozen U.S. hospitals have been hit by ransomware attacks since 2016, forcing them to delay surgeries or use paper records while their computers are on the fritz.
The paralysis of the cyber center is “a step backwards,” said James Routh, the chair of NH-ISAC, a private-sector group that distributes information about digital attacks to its health care customers. The cyber center, whose activities were designed to complement work done by NH-ISAC, “had solid, strong leadership and now it doesn’t. The industry is hurt by that.”
Scanlon, the deputy HHS chief information security officer, and Amato, the director of the center, began building it late in 2016 so that HHS would have a way of sharing information about digital threats like ransomware with the health care sector.
Scanlon and others argued that the health care industry needed cyber help directly from HHS, which could communicate clearly in the language of the industry while coordinating with the rest of the government.
The center debuted in May and immediately claimed success. While much of the United Kingdom’s National Health Service was ravaged by the “WannaCry” ransomware attack that month, the United States’ health care system emerged relatively unscathed.
Many in industry praised the new center for broadcasting useful information. Scanlon testified in a House Energy and Commerce Committee hearing that the center played an integral role in repelling the attack although it wasn’t fully set up yet.
“While this was the first time HHS had organized itself in this way for a cybersecurity incident, we believe that it has set a standard on how to manage cybersecurity incidents,” he testified.
Yet controversy immediately stalked the center. First, many wondered whether it duplicated existing organizations that share information about bugs and patches. DHS hosts a nationwide information-sharing center, and the health care industry has two prominent cyber threat-sharing groups, NH-ISAC and the HITRUST Alliance.
Some worried that the HHS center would just confuse or burden health care security officials already dealing with cyber threat alerts from Homeland Security and the private-sector groups.
“There’s almost a weariness in the private sector [about information-sharing efforts],” Wiley Rein attorney Megan Brown said over the summer. NH-ISAC warned in July of an “already crowded government information sharing space” that is already “awash in bulletins” when a threat emerges.
CEO Daniel Nutkis of HITRUST, which already competes with NH-ISAC, told a July hearing that the HHS center was duplicative of private-sector information groups.
In response, Sens. Ron Johnson (R-Wis.) and Claire McCaskill (D-Mo.) demanded that HHS provide legal and policy justification for the center. A 2015 bill, the Cybersecurity Information Sharing Act, gave companies liability protection for sharing information with Homeland Security. It wasn’t clear that information shared with HHS would enjoy the same protections.
The policy and legal questions were only part of the center’s troubles. A series of anonymous letters alleged that Scanlon and Amato had improper relations with contractors. One July 4 letter asserted that companies received contracts with HHS after providing the two officials with free dinners and tours of California wineries, including a hot air balloon ride.
HHS spokesman Mark Weber said the department would not comment on personnel issues. The HHS Office of the Inspector General confirmed that it opened an investigation after receiving an anonymous letter. It offered no further comment.
Scanlon and Amato dispute the allegations, and filed reports detailing their alleged mistreatment with Congress. They also spoke on the record with POLITICO.
In their version of events, they acknowledged meeting with contractors in Northern California but said the tours and meals were done on their own time at their own expense.
HHS officials have focused on a no-bid contract with a startup, Akiva Technologies. The department on Aug. 1 posted notice of the contract, which according to government documents was for an initial one-year term, for approximately $1 million, followed by three one-year options.
Akiva registered as a Virginia business in March, and operates out of an Alexandria, Va., condo. HHS canceled the contract and has not paid any money to Akiva, an HHS spokesman says.
Scanlon and Amato said in their report to Congress that after receiving anonymous allegations and inquiries from the media, HHS’ chief information security officer, Chris Wlaschin, pressed the pair on perceived irregularities with the contracting process.
Wlaschin, they assert, believed Amato had shown an improper bias toward the company. He told them he was troubled by Amato’s display of grief at the news that a former colleague of the Akiva officials had died.
An HHS official, who said he was not authorized to speak on the record, said that HHS was investigating various contracts — including the one with Akiva — and was examining allegations of favors and falsified documents and resumes. Akiva, the official said, was not qualified for the contract, and its employees had a close professional relationship with Amato.
Scanlon and Amato deny the accusations. “I did not falsify anything,” Amato said.
An official for Akiva Technologies, who spoke on condition of anonymity, also denied the claims. Relations between Amato and the company were minimal and strictly professional. Akiva employees were well-qualified, he said, adding that no one from the government had contacted him to explain the contract cancellation.
“Someone’s playing dirty pool,” he said. The cancellation did an “irreparable amount of damage” to the fledgling firm.
The departures of Scanlon and Amato have unsettled some health care officials who worry about the status of the center.
“It has turned a bit political, but [I’m] not entirely sure why,” said Leslie Krigstein, vice president for congressional affairs at the College of Healthcare Information Management Executives. She said HHS needs to be more forthcoming about the center’s future.
Routh, the NH-ISAC chair, agreed. “The information I get recently is sparse,” he said, adding that he had no knowledge of the details behind the summer controversy.
“The [cyber center], my belief was that it was a positive step,” he said, praising its response to the May ransomware attacks. “[It] was a new function that needed arms and legs. There’s no more arms and legs.”
“We want some stability,” said another industry executive. “The political jockeying is just ridiculous.”
HHS insists that the cyber center’s work is proceeding, with officials detailed from elsewhere at HHS and the federal government, and a search underway to replace Scanlon and Amato.
An HHS official said the cyber center was likely to focus its outreach on small and rural practices that may not be able to afford sophisticated private-sector services like HITRUST.
Meanwhile, some former critics of the center have been mollified. Carl Anderson, HITRUST’s chief legal officer, said recently that after conversations with HHS, “our concerns regarding the [cyber center] have been addressed.”
Despite earlier misgivings, “we now believe that the [information sharing organizations] and the [HHS cyber center] each will serve complementary and reinforcing roles and, together, will serve effectively the needs of the government and industry,” he said.