Sebelius Grilled on Obamacare Security
House Committee Probes HealthCare.gov Website Woes
Members of Congress grilled Health and Human Services Secretary Kathleen Sebelius Oct. 30 about whether systems supporting the Obamacare HealthCare.gov website had undergone thorough security testing before the site went live on Oct. 1.
At a House Energy and Commerce Committee hearing, Rep. Mike Rogers, R-Mich., quizzed Sebelius on whether a lack of "end-to-end" security testing on the systems supporting the federally facilitated insurance marketplace under the Affordable Care Act put consumer health and financial information at risk.
Rogers cited a Sept. 27 memo to Marilyn Tavenner, administrator at the Centers for Medicare and Medicaid Services, from two senior staff members that read: "Due to system readiness issues, the SCA [security control assessment] was only partially completed. This constitutes a risk that must be accepted and mitigated to support Marketplace Day 1 operations."
Rogers also referred to last week's Congressional testimony by technology contractors for HealthCare.gov that there should have been months of end-to-end testing, not weeks.
Sebelius told the committee she "will find out" if end-to-end security testing has been completed yet, noting that there is "continuous testing" and monitoring of the federal website systems, including "daily and weekly scanning."
The memo to Tavenner, a copy of which was obtained by Information Security Media Group after the hearing, says that "testing of the marketplace has been ongoing since its inception."
The memo also notes: "As with all new systems pending launch there are inherent security risks with not having all code tested in a single environment. ... The system requires rapid development and release of hot-fixes and patches, so it is not always available or stable during the duration of testing."
It continues: "From a security perspective, the aspects of the system that were not tested due to the ongoing development exposed a level of uncertainty that can be deemed high risk for the FFM [federally facilitated marketplace]."
While three rounds of security control assessment testing had been conducted, the testing was done on different versions of the system, the memo notes. "The security contractor has not been able to test all the security controls in one complete version of the system," it states.
The memo explains that CMS will implement a two-part security mitigation plan to reduce risks.
The first step calls for establishing a dedicated security team under the CIO of CMS to monitor, track and ensure the mitigation plan activities are completed; monitoring and performing weekly testing of all border devices, including Internet-facing web servers; conducting daily and weekly scanning using CISO continuous monitoring tools; and conducting a full security control assessment on the FFM and related systems in a stable environment, "where all security controls can be tested within 60 to 90 days of going live on Oct. 1."
The second part of the plan calls for CMS to migrate the marketplace systems to its virtual data center environment in the first quarter of fiscal 2014.
Sebelius testified that Mitre, the security control assessment contractor, had conducted an assessment and completed a preliminary report and is working on a final report.
Regarding another security question, Sebelius also testified that CMS' technical team "immediately fixed" a potential security issue that was identified in a recent blog by Ben Simo, a white hat hacker and software tester. The issue hadn't caused an actual breach, but was "a theoretical problem," she contended. In his blog, Simo wrote about a number of security issues related to username and password resets.
In another security-related development, Rep. Darrell Issa, R-Calif., this week issued a subpoena to HealthCare.gov contractor Quality Software Solutions Inc., a unit of United Healthcare, to obtain documents related to development and security of the website. QSSI was one of the four contractors that testified before the House Energy and Commerce Committee last week about the website's technical woes.
Two Days of Testimony
Sebelius' testimony came one day after members of the House Ways and Means Committee questioned CMS administrator Tavenner about the Affordable Care Act and problems with the HealthCare.gov website.
Sebelius and Tavenner both acknowledged that technical issues that have prevented many consumers from setting up accounts on the HealthCare.gov site or completing applications are being ironed out. They said the technical problems are being addressed and that by the end of November, they expect the vast majority of consumers to be able to enroll in plans in time for coverage that begins Jan. 1.
Network component issues experienced by Terremark, a unit of Verizon that hosts the website, caused an outage of HealthCare.gov over the weekend (see: Network Issue Causes Obamacare Outage). Another outage was experienced late in the day on Oct. 29, Sebelius said.
To date, 700,000 insurance applications have been submitted to the federal and state marketplaces from across the nation, and more than 20 million unique visits have been made to the HealthCare.gov site, Sebelius said in her written testimony.
"The initial consumer experience of HealthCare.gov has not lived up to the expectations of the American people and is not acceptable," the HHS secretary said in her testimony. "We are committed to fixing these problems as soon as possible. I am as frustrated and angry as anyone over the flawed launch of HealthCare.gov."
Sebelius also testified that a privacy disclaimer that appears in the source code of the HealthCare.gov site is being removed by the site's contractor, CGI Federal Inc. The disclaimer, in part, read: "You have no reasonable expectation of privacy regarding any communication or data transmitting or stored on this information system."
The wording was "boilerplate" that shouldn't have been in the source code, she said.
HealthCare.gov contractors, including CGI, were asked about the disclaimer by Rep. Joe Barton, R-Texas, in last week's committee hearing (see: Obamacare Website Security Questioned).