January 28, 2014

Obamacare Website Still Not Secure

Over the past several weeks, consumers around the country have been warned about a data security breach at Target. The company notified customers, apologized, and is putting resources behind fixing the problem. Target did something that the Obama Administration will not agree to do if something similar happens with HealthCare.gov. 

Target admitted its problem, but Democrats still refuse to admit the extent of the flaws with their health care law. The Administration knows the law is on shaky ground. Last week a poll found that 59 percent of Americans disapprove of President Obama’s handling of health care. Washington Democrats seem to believe that if they repeat the false claim that the worst of HealthCare.gov’s problems are fixed, people will stop asking questions. The truth is that substantive problems reported before January 1 didn’t simply vanish. Americans know that HealthCare.gov is not completely built, and it is not safe and secure for the public to use. 


“I don’t understand how we’re still discussing whether the website is insecure or not … It is insecure – 100 percent.” -- Security expert David Kennedy


Experts Agree: HealthCare.gov Remains Vulnerable

Cyber security experts have been warning for months that HealthCare.gov contains massive data security gaps that could lead to people’s personal and financial information being stolen. In November, four experts testifying before the House Committee on Science, Space, and Technology were asked, “Would any of you advise an American citizen to use this website as the security issues now exist?” None said they would.

One month later, after the Administration’s frantic efforts to patch and reconfigure the HealthCare.gov front end, one industry expert contended the website’s security vulnerabilities had only increased. “When you recode the application to fix these 400 bugs … you’re introducing more security flaws as you go along ... I think there’s some major security concerns there around privacy and information, and they haven’t even come close to being addressed, and won’t be in the short term.”

Two weeks ago, the same security expert warned that the situation today is “much worse.” David Kennedy – a former National Security Agency and Marine Corps cyberwarfare expert – testified in the House: “I don’t understand how we’re still discussing whether the website is insecure or not … It is insecure – 100 percent.” Kennedy also indicated the Obama Administration has failed to address 20 or more HealthCare.gov vulnerabilities that he and other cybersecurity experts reported immediately after the website launched on October 1.

HHS claims that “there have been no successful attempts of what anyone has been able to attack the system and penetrate it.” But Kennedy says that HHS does not have the technological capability to detect hacks. The government was supposed to contract with a private company to build a security operations center specifically designed to detect website attacks. As of November, this so-called operations center had yet to be built.

Obama Administration Ignored Warnings

In the months leading up to HealthCare.gov’s launch, Obama Administration officials claimed that the Obamacare exchanges would be tested, secure, and ready to start enrolling people on October 1.

Before the exchanges went live, the Administration’s Chief Technology Officer declared that HealthCare.gov “is built and ready for operation, and we have completed security testing and certification to operate.” White House Press Secretary Jay Carney claimed, “Consumers can trust that their information is protected by stringent security standards.” In fact, the Administration received multiple warnings that a train wreck was coming.

  • GAO Report Showed Administration Way Behind Schedule. In June 2013, the non-partisan GAO raised concerns about the Administration’s missed deadlines and program delays.
  • Data Hub IT Security System Wasn’t Independently Tested. In August 2013, news emerged that the Federal Data Services Hub’s IT security system to protect Americans’ private financial data had yet to be independently tested and verified. The HHS Inspector General reported that the Administration missed multiple deadlines necessary to test the Data Hub’s operational capability, identify vulnerabilities, and fix security holes.
  • CMS Memo Warned Website Was a “High Risk” Security Threat. An internal Centers for Medicare and Medicaid Services (CMS) memo – dated four days before HealthCare.gov went live – shows that Administration officials knew the website contained “inherent security risks.”
  • Administration Failed to Conduct Website Security Tests Before Launch. According to a report by CBS News: “key tests to ensure the security and privacy of customer information on the troubled Obamacare website fell behind schedule. A deadline for final security plans was delayed three times over the summer, and final top-to-bottom security tests never were finished before the launch.”
  • Senior CMS Official Warned Website Faced “Limitless” Security Risks. A September 3 CMS memo outlined six specific security concerns with the exchange. Henry Chao, the CMS Deputy Chief Information Officer who cleared HealthCare.gov to launch on October 1, claimed he never saw the memo.
  • Report Proves White House and HHS Officials Knew About Website Issues. The Obama Administration hired McKinsey and Co. to assess HealthCare.gov’s progress. In March 2013, McKinsey delivered its findings to senior White House and HHS officials in four separate briefings. McKinsey warned that the website’s October 1 launch plan faced significant problems, including failure to provide sufficient time to complete end-to-end testing and failure to appoint a “single empowered decision-making authority.” Contractors got “conflicting directions between the various entities within CMS.”

Healthcare Sector Outlook Negative

The Obama Administration’s failure to address HealthCare.gov’s security concerns is not likely to improve any time soon. The Administration has been preoccupied with other major problems that continue to plague the program. In mid-November, testifying before the House Energy and Commerce Committee, one official acknowledged that 30 to 40 percent of the IT systems needed to make HealthCare.gov work had not been built. This month, another top HHS official admitted that HealthCare.gov’s insurer payment system is still being built, and he would not estimate when it will be completed.

Behind the scenes, Administration officials fear HealthCare.gov’s defective back-end payment systems spell disaster for the nation’s insurance companies. According to a recently released HHS no-bid contract, the Obama Administration believes that failure to deliver specific Financial Management Platform functions – such as enrollments, subsidies, cost sharing reductions, and insurer payment plans – “by mid-March 2014 will result in financial harm to the Government.” The HHS document goes on to say that “without a Financial Management Platform … the entire health care reform program is jeopardized.”

This is no idle threat. In early December, credit agency Moody’s warned that the Obama Administration’s relentless changing of health care law rules and regulations, along with multiple delays, could “negatively impact business for health insurance companies.” Moody’s asserted that these unilateral, last-minute Administration actions are “credit negative” for health insurance companies and may “expose the sector to additional financial and operational risks.”

Then, last week, Moody’s downgraded its outlook for the United States health insurance sector from stable to negative. The credit rating agency cited several reasons for its decision:

  • Unstable Economic Environment. Due to the law’s bungled roll-out and regulatory changes affecting product pricing determinations, projections indicate insurers will earn two percent less than originally predicted for 2014.
  • Slow Rate of Youth Enrollment. Only 24 percent of the Obamacare exchange sign-ups so far are young people between the ages of 18 and 34. The Administration estimated it needs young adults to comprise at least 39 percent of the Obamacare risk pool. If this demographic composition continues, premiums will likely skyrocket.
  • Patient Premiums Won’t Cover Obamacare Health Insurer Tax. Moody’s remains concerned that the insurance industry’s premium cost calculations may not cover the tax Obamacare imposes on health insurance providers starting this year. Based on net premiums in the fully insured market, the aggregate tax in 2014 is $8 billion. It climbs to $14.3 billion in 2018, and after that grows by premium inflation.
  • Regulatory Uncertainty. Confirming its December warning, Moody’s said the Obama Administration’s new regulations and last-minute changes “imposed operational changes well after product and pricing decisions had been finalized.”

If the Administration does not fix HealthCare.gov’s insurer payment and other back-end systems soon, then the Administration’s own analysis confirms the nation’s insurance companies may no longer be viable. But if the Administration shifts its focus to the back-end payment system, when will it start the work of patching critical website security holes? If it rushes to get an insurer payment system online, will it take the time to test the security of the back-end features as they are built?

Senate Must Take Up Legislation Requiring Security Breach Disclosure

On January 10, the House of Representatives passed legislation, by a vote of 291 to 122, requiring the Administration to notify Americans if their personal information has been stolen or unlawfully accessed through an Obamacare exchange. Once the HHS Secretary discovers the breach, the agency must notify affected people within two business days. Among the members supporting the Health Exchange Security and Transparency Act were 67 House Democrats.

Identical legislation has been introduced in the United States Senate. It is time for the Senate Majority Leader to bring this critical measure to the floor for a vote. President Obama claims he is open to good Republican health care ideas. Now is his chance to prove it by protecting the American people from identity theft.
