Concerns about health care website security easing as recent testing successfully completed

WASHINGTON – Medicare’s top cybersecurity official says the Obama administration’s health care website recently passed full security tests, easing her earlier concerns about vulnerabilities.

Teresa Fryer, chief information security officer at the Centers for Medicare and Medicaid Services, told Congress at a hearing Thursday that she would now recommend full operational and security certification for the website known as

The Medicare agency is responsible for expanding coverage to the uninsured under President Barack Obama’s health care law.

Shortly before the website’s disastrous launch Oct. 1, Fryer told other top officials that she could not recommend going live because full security testing had not been completed. She drafted a formal memo expressing her concerns, but never sent it, partly because more senior officials had already determined to proceed with additional safeguards to address the potential risks.

“The testing was successfully completed. It had good results,” Fryer told the House Oversight and Government Reform committee. She agreed with a suggestion by Rep. Jackie Speier, D-Calif., that the system now has “a clean bill of health.”

But Republicans sought to turn the focus to the administration’s decision to launch the site on Oct. 1, before full security testing was complete.

The concerns of Fryer and others were relayed to senior levels of the department, Assistant Secretary of Information Technology Frank Baitman testified. He told the panel he had informed Deputy Secretary Bill Corr, second in line after Secretary Kathleen Sebelius. Baitman said he was not personally convinced the security worries were a “red flag.”

Officials said there have been 13 known cases in which personal information has been inadvertently disclosed or exposed to disclosure. But there have been no successful attacks by hackers, including a group calling itself “Destroy Obamacare.”

Chairman Darrell Issa, R-Calif., investigating the chaotic rollout of the website, contends the administration risked the personal information of millions of Americans in its zeal to meet a self-imposed Oct. 1 deadline. The online federal insurance market is the main portal to coverage under President Barack Obama’s signature program.

The panel’s senior Democrat, Rep. Elijah Cummings of Maryland, says the administration addressed the potential security issues through added vigilance instituted before the site went live. He says despite initial operational problems, the site has not been successfully hacked. Cummings says it is Republicans who are risking the privacy of average citizens by demanding detailed blueprints that, if leaked, would become a road map for hackers.

With “Obamacare” expected to be a polarizing issue in the midterm congressional elections, both political parties are at battle stations. Republicans have raised security issues but have yet to produce a smoking gun.

In a closed-door deposition prior to the hearing, the top cybersecurity officer for the Health and Human Services Department said he was concerned about potential vulnerabilities ahead of the launch.

But Kevin Charest told congressional investigators he was unable to get answers to his questions from others inside the department. He concluded that the testing of the site was substandard.

“I would say that it didn’t follow best practices,” Charest testified in a Jan. 8 deposition.

has two major components: an electronic “back room” that got full operational and security certification and a consumer-facing “front room” that was temporarily certified Sept. 27.

The back room, known as the federal data services hub, pings government agencies to verify applicants’ personal information. It does not store data.

But the front room does. That’s where consumers in the 36 states served by the federal website create and save their accounts. Individual components of the front room did undergo security testing. But the system as a whole could not be tested because it was being worked on until late in the process — and it was also crashing.

Charest testified that security testing usually takes place on a fully built, stable system that represents real-world functionality.

The path followed by was “not typical,” he said. “In a perfect world, the system is completely done when you test it.”

The operational and security certification for the consumer-facing part of the website was signed by Medicare chief Marilyn Tavenner, after security professionals in her division balked.

Despite the unusual process that administration officials followed with the website, Charest expressed cautious optimism over the added vigilance and testing measures put in place to reduce risks.

“I have no reason to believe that these broad mitigation strategies, if followed through in detail, would not mitigate the risk,” he told the committee.