HealthCare.gov launched with security risks, documents show

Henry Chao, testifying before Congress in July 2013

Centers for Medicare and Medicaid Services Deputy CIO Henry Chao, shown here testifying before Congress in July 2013, told the House Oversight and Government Reform Committee more recently that he was not informed of HealthCare.gov security risks before he recommended granting an authority to operate.

Henry Chao, a leading IT official involved in the HealthCare.gov rollout, told congressional investigators he was out of the loop on a memo that authorized a key component of the federal insurance marketplace system to launch despite at least two high-risk findings in security assessments.

In a Sept. 3 memo, Tony Trenkle, CIO of the Centers for Medicare and Medicaid Services (CMS), authorized the Federally Facilitated Marketplace to go online when the open enrollment period launched Oct. 1. The FFM, which determines insurance eligibility under the 2010 health care law and allows users to shop for plans, performed poorly because of software bugs, lack of capacity and hardware problems. Trenkle's resignation as CIO was announced last week.

Repairs to the site and other HealthCare.gov components are ongoing, and the administration hopes to make the site workable by the end of this month. Behind the scenes, however, it appears that the site launched with security vulnerabilities that could render personal information prone to capture.

A heavily redacted attachment to the Sept. 3 memo, released by the House Oversight and Government Reform Committee, lists high-risk problems, with suggested remedies and deadlines that must be met before an authority to operate can be granted. One finding warns that "the threat and risk potential is limitless," although because of the redactions the threats themselves are not detailed.

Under questioning from a committee attorney, Chao -- who is CMS' deputy CIO -- said he was "surprised" that he wasn't copied on the memo. He also said that had he known about the risks, he would have mentioned them in a Sept. 27 memo that went out under his signature to CMS Administrator Marilyn Tavenner recommending she sign a six-month authority to operate for the FFM.

"It is disturbing. I mean, I don't deny that this is, kind of, a fairly nonstandard way to document a decision to make a recommendation to proceed in [an authority to operate]," Chao said.

Chao also acknowledged not personally drafting much of the memo, which he signed along with James Kerr, now acting deputy director of operations in the Center for Consumer Information and Insurance Oversight at CMS. According to Chao, that memo was written by Teresa Fryer, chief information security officer at CMS, and the individual authorized by federal computer security rules to conduct testing on the HealthCare.gov components before they went live, including the FFM and the data hub.

Chao is scheduled to testify Nov. 13 before the committee alongside federal CIO Steve VanRoekel, Frank Baitman, CIO of the Department of Health and Human Services, Dave Powner of the Government Accountability Office, and federal CTO Todd Park. The committee issued a subpoena to Park on Nov. 8 after he declined an invitation to testify. Park is currently immersed in the “tech surge” to fix HealthCare.gov, an effort led by former Obama administration official Jeff Zients and aided by several Presidential Innovation Fellows and developers from private sector companies including Google, Oracle and Red Hat.

In a letter to the committee, a White House official wrote that Park "is central to the work to improve the healthcare.gov shopping experience as quickly as possible, and he is devoting nearly all of his attention and expertise to assisting CMS in that critical effort," and that the distraction of preparing for sworn testimony would be "highly disruptive."

Committee Chairman Rep. Darrell Issa (R-Calif.) has accused Park of a "pattern of interference and false statements" related to the performance and testing of HealthCare.gov.

On Nov. 11, Reps. Elijah Cummings (D-Md.) and Gerry Connolly (D-Va.) requested that Issa withdraw the subpoena of Park. "We believe the Committee should focus instead on areas of common ground, such as federal information technology (IT) acquisition reform initiatives," they wrote.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.

Cyber. Covered.

Government Cyber Insider tracks the technologies, policies, threats and emerging solutions that shape the cybersecurity landscape.


Reader comments

Tue, Nov 19, 2013 user

Folks..just so you know, there are plenty of VERY honest and VERY good people who work for the Federal government. Don't read or see on the news..."believe about half of what you read and believe about 10% of what you see".

Thu, Nov 14, 2013 OccupyIT

Once again the real-world behavior of certain direct hires is that federal law and regulations DO NOT APPLY TO THEM - only to their political targets. So we have a CIO that has resigned; a CISO that hid evidence from the Deputy CIO; a Deputy CIO that is either setup to be the stooge, knowingly conspired to circumvent the law, or is derelict in the performance of his duties by signing (authorizing in the name of the United States of America) a document he didn't write and didn't independently verify (sounds like robosigning to me). Fire these people and set an example. Cybersecurity isn't just a good idea - its the law!

Thu, Nov 14, 2013

"Not to get off the subject but what is going to happen if this so called Congresman and Senators can not agree on a budget come Jan. 15, 2014." The Republicans have already said that they want another shutdown. Ted Cruz in particular is calling for one. By ambushing guys like Chao with slanted information, and depending on known GOP spin funnels like CBS' Sharyl Attkisson (http://www.esquire.com/blogs/politics/cbs-darrell-issa-111213) they're hoping to try and distract the public before springing the shutdown on them.

Thu, Nov 14, 2013 TK

As an Information System Security Professional, I know that Federal Agency operated information systems must be certified and accredited. FISMA, HIPAA and other mandates are designed to ensure the systems are not operated until appropriate security controls have been implemented and tested for effectiveness. It is outrageous to see that such a high visibility information system failed in this regard, and did not follow the mandates put in place by the same people who pushed for this health care information system.

Wed, Nov 13, 2013

Based on what is presented in this article, the parties responsible for allowing any system containing information protected under the E-Government Act of 2002 (AKA Public Law 107-347) is a serious breach of the law. Even relatively small systems containing limited amounts of protected data normally undergo significant testing and evaluation to eliminate or significantly mitigate the risks associated with the system before the system is opened to the public. The decision to allow a system designed to contain massive quantities of individual financial, medical and personal information is not one made by a single individual and is never implemented by memo. The decision by senior officials to take the system live with known security deficiencies is a very serious breach of the public trust, as well as violation of public law.
As with the IRS breeches, the initial response that it was one or two people who exercised bad judgment, but that proved not to be the case with the IRS and no assumptions can be made in this case. As in the IRS breaches, the key question is, “Who was responsible for the decision(s)? Given the seriousness of decision to launch a system which is intended to contain private and financial information on virtually every citizen, one must ask how such a decision was reached and who made the decision. At the very least, all parties to the decision should be removed and contract penalties should be assessed for failing to deliver a product meeting the legal standards for data security.
Failure to fully investigate and deal with those responsible will contribute to the increased likelihood of future failures.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group