HealthCare.gov risks still unclear

A panel of federal IT professionals sought to allay concerns that HealthCare.gov launched with significant security risks that could compromise the personal information of users, telling lawmakers on Nov. 13 that such fears have been overstated.

"Cybersecurity is part of anything we do," Federal CIO Steve VanRoekel told the House Oversight and Government Reform Committee. "You almost can't buy a keyboard without taking cybersecurity into account."

Henry Chao, deputy CIO of the Centers for Medicare and Medicaid Services, testified that security testing for the various components was performed on an ongoing basis and in compliance with the requirements of the standards established under the Federal Information Security Management Act.

Chao also asserted that reports that the site launched with two security risks rated high under testing documents provided by contractor CGI Federal and released by the Oversight and Government Reform Committee were incorrect. He said the risks were related to components of the site that didn't launch on Oct. 1 when the site went live.

He addressed reservations he had about advising CMS Administrator Marilyn Tavenner to approve the "authority to operate" document required for HealthCare.gov to launch. A memo that went out Sept. 27 under Chao's name noted that "the aspects of the system that were not tested due to the ongoing development exposed a level of uncertainty that can be deemed as a high risk for the" Federally Facilitated Marketplace.

Chao, who sparred frequently with Republicans during the four-hour hearing, said that every system the federal government operates has to have security testing under the law, and that such testing is an "iterative, ongoing process."

Chao also told the panel that a feature designed to allow users to browse plans before signing up was shelved before the launch because it "failed so miserably," not – as many critics, including Committee Chairman Darrell Issa (R-Calif.), have suggested – to avoid giving visitors "sticker shock" about monthly premiums.

Issa was less than satisfied with Chao's explanations.

"This was a monumental mistake to go live and effectively explode on the launchpad," he said.

None of the officials would put a price tag on what had been paid to build HealthCare.gov or what was being spent on post-launch repair efforts. Republicans asked when administration officials were apprised of performance problems with the site, but got no solid answers to that question or to inquiries about why officials didn't seek to delay the launch.

Chao said only that he attended a series of White House meetings that focused on technical issues, including Privacy Act compliance and IRS regulations. Rep. Jim Jordan (R-Ohio) said the committee might look for answers elsewhere, and might seek testimony from political appointees, including former White House advisors Nancy Ann DeParle and Jean Landrieu, who could be subpoenaed for future hearings.

No real bombshells were revealed during the four hours of questioning of Chao, VanRoekel, federal CTO Todd Park, Health and Human Services CIO Frank Baitman, and David Powner of the Government Accountability Office, but a few interesting tidbits emerged.

Baitman acknowledged he had limited visibility into the development of HealthCare.gov, and said he hired an "ethical hacker" to probe the system for vulnerability after launch. The effort yielded information on a few vulnerabilities, which Baitman said he passed along to the information security people at CMS.

Park appeared to waver about whether the "tech surge" designed to make HealthCare.gov fully operative by Nov. 30 would meet that deadline. The effort is being run around the clock, and Park testified that in the early days after the launch he slept in his office to keep up. Currently, he said, the system is able to support up to 25,000 simultaneous users.

For Powner at GAO, the problem was one of governance. He said that HealthCare.gov was not subjected to rigorous TechStat reviews that are designed to make sure that high-profile IT projects are running properly. He noted that the project was rated as green on the federal IT dashboard.

"Does anyone really think it was a green project? There should have been flags on the dashboard," he said. He applauded the level of attention being given to fixing the site, but said the work should have been done before the launch. "When projects go into the tank, we engage with the contractor more. Why don't we do that up front?" Powner said.

After the hearing, HHS released the first enrollment figures for coverage under the 2010 law.

Through Nov. 2, a few more than 106,000 people have picked a health insurance plan – about 27,000 from the 36 states that use the Federally Facilitated Exchange and 79,000 from the other 14 states and the District of Columbia that operate their own exchanges. These numbers refer to people who have received an eligibility determination from the data hub and picked a plan, but not necessarily submitted their first premium payment.

The number of enrollees is well below the 500,000 that the Congressional Budget Office projected for the first month of operation.

About 846,000 users were able to complete applications but did not submit them, with about 519,000 of those coming through the Federally Facilitated Exchange. Of those, some were steered toward Medicaid or their eligibility is still being determined.

HHS said 26.8 million unique visitors tried to access the federal marketplace or a state-based marketplace. The federal website has attracted 19.5 million unique visitors.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy, health IT and the Department of Veterans Affairs. Prior to joining FCW, Mr. Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian started his career as an arts reporter and critic, and has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, Architect magazine, and other publications. He was an editorial assistant and staff writer at the now-defunct New York Press and arts editor at the About.com online network in the 1990s, and was a weekly contributor of music and film reviews to the Washington Times from 2007 to 2014.

Reader comments

Thu, Nov 14, 2013 OccupyIT

"None of the officials would put a price tag on what had been paid to build HealthCare.gov or what was being spent on post-launch repair efforts. Republicans asked when administration officials were apprised of performance problems with the site, but got no solid answers to that question or to inquiries about why officials didn't seek to delay the launch." Why track costs when you have a vacuum into the pockets of the taxpayer as a direct hire. What would happen to a contractor that said, "I don't know how much of your money I have spent. I didn't know there were problems and I still don't. These things happen. Don't worry, we'll work it out sooner or later since price is no object and you can't stop us." Sigh....

Thu, Nov 14, 2013

Security risks are minimal precisely because the site doesn't permanently store much about a user beyond login ID and password: http://www.dailykos.com/story/2013/11/12/1254621/-Meet-the-DeBuggers-An-attitude-adjustment-regarding-the-Fix-at-Healthcare-gov
