HealthCare.gov Security: Answers Sought
Conservative Group Files Freedom of Information Act Suit
Although open enrollment season for health insurance coverage under the Affordable Care Act has ended, skepticism about the security and privacy protections for data on the HealthCare.gov website and systems continues.
Judicial Watch, a politically conservative government watchdog group, has filed a Freedom of Information Act lawsuit against the Department of Health and Human Services seeking the release of all records - including studies, memos, e-mails, and slide presentations - related to the security of the HealthCare.gov Web portal dating back to Jan. 1, 2012.
HHS did not respond to a request for comment from Information Security Media Group on the Judicial Watch lawsuit. But HHS told ISMG that from Oct. 1, 2013, when the website went live, through April 1, 2014, "there have been no successful security attacks on HealthCare.gov and no person or group has maliciously accessed personally identifiable information from the site."
In an interview with ISMG, Judicial Watch President Tom Fitton explains that his group filed the suit after HHS' Centers for Medicare and Medicaid ignored Judicial Watch's Dec. 20, 2013, requests for the documents under the Freedom of Information Act.
"They are outside the law in withholding these documents," Fitton contends. HHS has not said whether the documents contain sensitive or top-secret information about its security practices that would pose a risk if publicly disclosed, or whether that is the reason the documents haven't been released, Fitton says. "We have questions, and they just haven't bothered to respond to us."
Not disclosing the documents - including potential records indicating possible security flaws in HealthCare.gov, as well as how those problems are being addressed - "gives the appearance that they are hiding something and suggests the systems are not secure," he says.
HHS has 30 to 60 days to respond to the lawsuit, which was filed on March 18 in the U.S. District Court in Washington, D.C., Fitton says.
Judicial Watch's pressure on HHS to disclose information related to HealthCare.gov security follows months of scrutiny by a number of Congressional committees and others probing the technology and data security and privacy practices of HHS in the wake of the troubled rollout of the site in October.
In addition to several Congressional hearings into HealthCare.gov security over the last several months, some GOP leaders have pushed new legislation aimed at bolstering the site's security (see GOP Plans HealthCare.gov Security Bill).
While some Democratic leaders have also voiced concerns over HealthCare.gov security, many have characterized GOP outrage about the site's technical and alleged security problems as part of Republicans' overall political quest to repeal the Affordable Care Act.
Over the last several months, many of the technical problems that plagued the site during its early weeks appear to have been fixed, thanks in part to a "tech surge" of experts working on the issues and a shakeup among the technology services contractors involved with HealthCare.gov.
HHS dismissed CGI Federal, the project's prime IT services contractor, and hired Accenture to take over much of the effort. In addition, the site's problems apparently contributed to the departure of several HHS leaders, including CMS CIO Tony Trenkle.
Despite HealthCare.gov operating more smoothly in recent months, HHS blamed heavy website traffic and a "software bug" for a recurrence of performance problems and an outage of the site on March 31, the final day of open enrollment.
"We experienced record volume on HealthCare.gov" on March 31, says an HHS statement provided to ISMG. "That traffic included more than 3 million visits through noon on [March 31,] and 125,000 plus concurrent users at peak," the statement says.
The record volume of people trying to access HealthCare.gov on March 31 resulted in the tech team monitoring the site in real time "identifying an issue with users creating new accounts," the statement says. The application and enrollment tools had been unavailable to new users, but the situation was resolved, the statement adds.
"While the system was unavailable, consumers were able to leave their e-mail and were invited back when the system became available again. Consumers could also complete their application by calling the Health Insurance Marketplace call center," the statement notes. "CMS's tech team identified the root cause of the early morning problem and fixed a software bug as part of the regular nightly maintenance window that takes place on the site during off peak hours."
An HHS spokeswoman tells ISMG "there were no known security or privacy issues" related to the performance problems on March 31.
David Kennedy, founder of security consulting firm TrustedSec, who in November testified before the House Committee on Science, Space and Technology about security risks he believed needed to be remediated on the HealthCare.gov site, tells ISMG he's still worried about the state of security on the site.
"I still have little confidence on the protection of the data," he says. "Since the release of CGI and the move to the new programming firm Accenture, the focus has been transitioning the site over to the new company. It doesn't appear as if anything really has been done to the site. ... I hope the focus goes on security, because it hasn't yet."
Kennedy also says HHS needs to be more transparent about the security of the site.
"The main troublesome worry I have is that for HealthCare.gov, the federal government and HHS are not required to disclose in the event a breach occurs ... so the site can already be hacked and numerous times, and we would know nothing about it," he says. "I think the federal government needs to focus more on breach disclosure laws and, most importantly, developing secure websites."
Before the next open enrollment period begins in October, Kennedy would like to see HHS take several steps to build public confidence that consumer data is secure on the HealthCare.gov site and systems. Those steps include:
- Conducting a full-scope review of the entire environment, including penetration testing, source code analysis and architecture reviews;
- Working with the developers, including Accenture, to ensure secure coding practices;
- Stepping up monitoring and detection capabilities, and preventive measures, including Web application firewalls.