More Security Scrutiny for HealthCare.gov
GAO Plans Extensive 'End-to-End' Testing
The Government Accountability Office has confirmed it will conduct "complete and continuous end-to-end testing" of the security of the Obamacare HealthCare.gov website and systems.
The request for the ramped-up scrutiny came from Rep. Lamar Smith, R-Texas, chairman of the House Committee on Space, Science and Technology. "We have accepted the request, but I do not have a target start date as of yet," a GAO spokesman tells Information Security Media Group.
The congressman's request is a follow-up to a number of Congressional committee hearings last fall that considered the security risks of the HealthCare.gov site and systems (see Expanded HealthCare.gov Scrutiny Sought).
A spokesman for Smith also confirmed to ISMG that the committee received "an acceptance letter" from GAO about the review request on May 21.
In his letter to GAO, Smith acknowledged that the agency already had under way an audit of the security and privacy of HealthCare.gov that was to include "an architecture review, vulnerability testing and examination of the monitoring and incident detection capabilities of the website."
Smith requested that GAO scrutinize HealthCare.gov by conducting:
- Complete and continuous end-to-end testing, including full-scope penetration testing, "exposing the system to internal and external hacking;"
- Source code analysis;
- Full review of the developer supply chain to ensure that no unauthorized or malicious code, software, or hardware was introduced into the development or production environment, including by foreign nation state-sponsored activity;
- Examination of the presence or absence of secure code practices through the software development lifecycle and the technology used to defend and protect against attackers;
- Investigation of the specific involvement by staff of the Executive Office of the President relative to the development and implementation of the security and privacy standards of HealthCare.gov prior to Oct. 1, 2013, which is when the site went live.
Neither GAO nor Smith's office would comment further on the specifics of GAO's review.
In the letter to GAO, Smith wrote, "In the rush to launch the website, the Obama Administration appears to have cut corners that have put the personal data of millions of Americans at risk. In addition ... many Americans now worry about how the Heartbleed bug may compound the risk of financial or medical identity theft."
Questions to Answer
Smith also requested that GAO by Sept. 1 determine answers to questions including:
- Is there higher than a low risk of security failure for any part of HealthCare.gov?
- How, and in what timeframe, did the incident response team handle the patch for the Heartbleed bug? What assurances have been provided to verify success of the patch?
- Does the website meet or exceed generally accepted security best practices by employing leading-edge standards and controls; employing a defense in-depth strategy that fully meets the standards recommended by NIST; and complying with requirements of the Federal Information Security Management Act?
- Is there a CIO in place who possesses the requisite responsibility and authority to provide continuous security testing, establish and implement proactive security controls and processes, and monitor the health and performance of HealthCare.gov?
HealthCare.gov facilitates the online health insurance exchanges for more than 30 states under the Affordable Care Act, more commonly known as Obamacare.
In a statement provided to ISMG, the Department of Health and Human Services' Centers for Medicare and Medicaid Services, which is responsible for HealthCare.gov, declined to comment on GAO's latest plans. However, CMS says, "we do continuous monitoring and testing of the system, and independent security contractors completed a security control assessment of the federally facilitated marketplace on Dec. 18, 2013, which met all industry standards and was an end-to-end test."
HHS CISO Kevin Charest, in a recent interview, said HealthCare.gov is undergoing "end-to-end" security testing every quarter, even though the federal government requires such testing every three years. The next testing is slated for June.
Also, before the next open enrollment period begins on Oct. 1, the HealthCare.gov technical and security team will be updating the site and systems with new health plans being offered by insurers, Charest says. "We're continually improving the site," he says. "There's no lack of understanding that the launch wasn't what we desired."
Some security experts say ongoing security testing is a requirement for federal systems, but so is thorough testing before such systems go live.
"I'd like to see the security test and evaluation plan, the results of the certification and accreditation review that was performed and any issues that were identified and needed to be fixed," prior to HealthCare.gov going live last October, says security expert Mac McMillan, CEO of consulting firm CynergisTek. "I don't know if that document exists or if that process was followed. I'm assuming that's what GAO will discover."
Earlier this week, HHS issued a final rule setting standards for the Obamacare health insurance exchanges. The rule allows HHS to impose civil monetary penalties against those who provide consumers with insurance enrollment assistance if they improperly use or disclose consumers' personally identifiable information or submit false or fraudulent information to the exchanges (see Obamacare: New Privacy Regs Revealed).