September 17, 2014

GAO: HealthCare.gov Still a Security Risk

Yesterday, the non-partisan Government Accountability Office released a report detailing ongoing problems with the security of HealthCare.gov. Moreover, GAO accused the Centers for Medicare and Medicaid Services of accepting significant security risks when it allowed the website to launch on October 1, 2013. Coming after the July hack of HealthCare.gov, in which malicious software was installed within the website’s network and went undetected for over a month, the GAO report highlights concerns that users of the website still face a serious risk that personal information stored by the system, including Social Security numbers, income and employment records, and tax returns, could be stolen by fraudsters and identity thieves. According to GAO’s review:

“CMS has not fully addressed security and privacy management weaknesses, including having incomplete security plans and privacy documentation, conducting incomplete security tests, and not establishing an alternate processing site to avoid major service disruptions. In addition, we identified weaknesses in the technical controls protecting the confidentiality, integrity, and availability of the data maintained in the [federally facilitated marketplace]. … Until these weaknesses are addressed, increased and unnecessary risks remain of unauthorized access, disclosure, or modification of the information collected and maintained by HealthCare.gov and related systems or the disruption of service provided by the systems.”

GAO’s report also shows that the Obama administration was less than candid with the American people. Top officials, including then-Secretary of Health and Human Services Kathleen Sebelius and CMS Administrator Marilyn Tavenner, testified last year that HealthCare.gov passed security testing and met government standards. It is clear that HealthCare.gov did not meet these standards and should not have launched when it did. GAO found that HealthCare.gov had serious security weaknesses when it was first deployed, including incomplete security plans and testing, and lax privacy documentation. According to GAO:

“In granting the FFM system an ‘authority to operate’ in September 2013 and allowing states to connect to the data hub that had not fulfilled all security requirements, CMS accepted increased security risks. However, accepting such risks meant that the overall risk was heightened that a compromise could occur to the confidentiality, availability, and integrity of HealthCare.gov and the data it maintained. In addition to allowing four states to connect without fulfilling all security requirements, CMS also authorized the FFM to operate in September 2013 though testing for several support systems had not been completed and high-risk findings had been identified in the testing that was completed.”

The Obama administration has consistently tried to keep Congress and the public in the dark about problems with HealthCare.gov. For example, it was not until December 2013 that Congress learned that CMS’s chief information security officer, Teresa Fryer, recommended against launching HealthCare.gov.

In her appearances before Congress last fall, CMS Administrator Tavenner failed to inform Congress that she was forced to take the unprecedented step of signing HealthCare.gov’s authority to operate herself, because Tony Trenkle, CMS’s chief information officer (CIO), refused to authorize it given the problems with the security testing and Ms. Fryer’s recommendation. Tavenner also failed to inform Congress that she received a recommendation from both Bryan Sivak, the chief technology officer at HHS, and Frank Baitman, the CIO at HHS, to conduct a limited launch of HealthCare.gov on October 1 rather than a full launch. More recently, CMS was not fully cooperative with GAO’s investigation, refusing to provide GAO with detailed information and documentation about the 13 security incidents involving HealthCare.gov.

On Thursday, Tavenner is scheduled to testify in front of the House Committee on Oversight and Government Reform. The last time she was there, in July 2013, she testified that HealthCare.gov and the data hub would operate with the highest degree of security and privacy protection. Yesterday’s report shows that she was wrong about HealthCare.gov last year when it launched, and that she is still mistaken.

Administrator Tavenner has a lot to answer for. Perhaps now she will finally be candid with Congress and the American people.