Tom Schankweiler – Centers for Medicare and Medicaid Services
Imagine being responsible for protecting private health information for as many as one in four people in the U.S.
Tom Schankweiler doesn’t have to imagine it—this is his reality as director of cyber threat and security operations for the Centers for Medicare and Medicaid Services. Known by its CMS acronym, the agency is one of the world’s largest purchasers of health insurance, which it provides through Medicare, Medicaid and Children’s Health Insurance Program coverage.
Schankweiler is tasked with keeping insurance data secured. He’s also in charge of the cyberthreat intelligence team and forensic malware and cloud security operations.
He’s been with CMS and the U.S. Department of Health and Human Services—of which the CMS is part—since 2008. As he chatted with Toggle in December 2022, Schankweiler was ensuring the agency complied with a 2021 executive order from President Joe Biden requiring that federal agencies and their vendors bolster cybersecurity.
“The magnitude of the executive order is challenging but necessary,” Schankweiler says. “I work with a stellar team of federal employees and contractors that have a sole purpose—protecting CMS systems and data.”
An ill SolarWind
Executive Order M-21-31 was written with cyber breaches in mind, including an attack on software developer SolarWinds in December 2020. The breach happened when customers downloaded what they thought were updates, unwittingly giving hackers access to their networks.
More than 18,000 customers may have downloaded the updates, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. However, not all of those organizations were breached, either because they had their own security controls in place or because the compromised networks weren’t connected to the internet and so weren’t reachable by hackers, according to NPR.
Still, Biden ordered agencies to modernize and improve cybersecurity standards and infrastructure across the board, including cloud services, by adding multifactor authentication to access systems and encrypting data.
Biden also required federal government software suppliers to improve security and transparency by making security data publicly available. Among other provisions in the order, agencies are required to create a playbook for responding to cyber incidents while improving how they investigate and remediate them.
“A challenge for large agencies like ours is not just knowing what is on your network but knowing whom it belongs to so that mitigation and remediation activities can be applied,” Schankweiler explains. “I believe there is a long and complex road ahead of us.”
He says his team’s compliance efforts are complicated by the fact that attackers can bypass or purge the logs used in forensic analysis. An additional challenge lies in securing the open-source code in the software his and other agencies use.
To help address these and other challenges, Schankweiler implemented ServiceNow software and tools, which route service calls to the personnel who can then fix the problems.
In addition to complying with Biden’s order, Schankweiler must meet other strict federal standards set by the Federal Risk and Authorization Management Program, or FedRAMP. Those apply because he’s been helping the agency move its operations to the cloud, which adds convenience but also risk.
Among the stipulations, cloud providers he uses—primarily Amazon Web Services but also Microsoft Azure and Google—need the federal certification to operate.
FedRAMP certification also requires adherence to rules of the National Institute of Standards and Technology, which stipulate that jobs and roles involving sensitive data be identified. The rules also mandate that data be encrypted, and that cloud providers monitor networks and create plans to recover from cyberattacks.
To the Batcave and beyond
To vet work done by contractors, who make up 80 percent of the CMS workforce, the organization built what it calls the batCave. Launched in summer 2021, the batCave is a program used to audit and verify code, automating what used to be a manual process. That both speeds up vetting and catches errors, including security and compliance concerns, earlier.
“In short, having tests ready to go reduces the time a developer needs to dedicate to creating a security test plan,” Schankweiler says. “The intent is to not wait to the very end to say there’s a problem.”
It’s fulfilling work for the native Ohioan who moved often as a child because his parents were in the military. Schankweiler gained exposure to technology in the U.S. Air Force, serving almost 10 years as an air traffic controller. He’s a Gulf War veteran.
After leaving the Air Force, Schankweiler moved to Maryland and pursued a career as a Microsoft network administrator. He worked for companies including Integrated Communication Solutions from June 2000 to January 2003 and Unisys from January 2003 to October 2008. Typically, he was tasked with supporting government agencies, including the Defense Logistics Agency, DHHS and the U.S. Coast Guard.
In October 2008, Schankweiler joined the DHHS Office of the Secretary as chief information security officer. In 2010, he began leading the security program for Healthcare.gov, created to offer and administer health insurance plans under the Affordable Care Act. He was promoted to his current position in November 2015.
“Being part of a new program that could potentially bring affordable healthcare insurance to 100 million people was incredibly rewarding,” he says.
Though cybersecurity is a passion and a career, Schankweiler also owns two Beef Jerky Experience franchises in Gettysburg, Pennsylvania. He and his wife raised two children and now love spending time with their two grandchildren. He loves being outdoors and visiting state and national parks and the ocean.
“I encourage anyone to consider working for or on behalf of CMS,” Schankweiler says. “The mission is so important, and the emphasis for innovation is real.”
This feature appeared in the Spring I 2023 edition of Toggle.