HealthCare.gov risks still unclear

A panel of federal IT professionals sought to allay concerns that HealthCare.gov launched with significant security risks that could compromise the personal information of users, telling lawmakers on Nov. 13 that such fears have been overstated.

"Cybersecurity is part of anything we do," Federal CIO Steve VanRoekel told the House Oversight and Government Reform Committee. "You almost can't buy a keyboard without taking cybersecurity into account."

Henry Chao, deputy CIO of the Centers for Medicare and Medicaid Services, testified that security testing for the various components was performed on an ongoing basis and in compliance with the requirements of the standards established under the Federal Information Security Management Act.

Chao also asserted that reports that the site launched with two security risks rated high under testing documents provided by contactor CGI Federal and released by the Oversight and Government Reform Committee were incorrect. He said the risks were related to components of the site that didn't launch on Oct. 1 when the site went live.

He addressed reservations he had about advising CMS Administrator Marilyn Tavenner to approve the "authority to operate" document required for HealthCare.gov to launch. A memo that went out Sept. 27 under Chao's name noted that "the aspects of the system that were not tested due to the ongoing development exposed a level of uncertainty that can be deemed as a high risk for the" Federally Facilitated Marketplace.

Chao, who sparred frequently with Republicans during the four-hour hearing, said that every system the federal government operates has to have security testing under the law, and that such testing is an "iterative, ongoing process."

Chao also told the panel that a feature designed to allow users to browse plans before signing up was shelved before the launch  because it "failed so miserably," not – as many critics, including Committee Chairman Darrell Issa (R-Calif.) have suggested -- to avoid giving visitors "sticker shock" about monthly premiums.

Issa was less than satisfied with Chao's explanations.

"This was a monumental mistake to go live and effectively explode on the launchpad," he said.

None of the officials would put a price tag on what had been paid to build HealthCare.gov or what was being spent on post-launch repair efforts. Republicans asked when administration officials were apprised of performance problems with the site, but got no solid answers to that question or to inquiries about why officials didn't seek to delay the launch.

Chao said only that he attended a series of White House meetings that focused on technical issues, including Privacy Act compliance and IRS regulations. Rep. Jim Jordan (R-Ohio) said the committee might look for answers elsewhere, and might seek testimony from political appointees, including former White House advisors Nancy Ann DeParle and Jean Landrieu, who could be subpoenaed for future hearings.

No real bombshells were revealed during the four hours of questioning of Chao, VanRoekel, federal CTO Todd Park, Health and Human Services CIO Frank Baitman, and David Powner of the Government Accountability Office, but a few interesting tidbits emerged.

Baitman acknowledged he had limited visibility into the development of HealthCare.gov, and said he hired an "ethical hacker" to probe the system for vulnerability after launch. The effort yielded information on a few vulnerabilities, which Baitman said he passed along to the information security people at CMS.

Park appeared to waver about whether the "tech surge" designed to make HealthCare.gov fully operative by Nov. 30 would meet that deadline. The effort is being run around the clock, and Park testified that in the early days after the launch he slept in his office to keep up. Currently, he said, the system is able to support up to 25,000 simultaneous users.

For Powner at GAO, the problem was one of governance. He said that HealthCare.gov was not subjected to rigorous TechStat reviews that are designed to make sure that high-profile IT projects are running properly. He noted that the project was rated as green on the federal IT dashboard.

"Does anyone really think it was a green project? There should have been flags on the dashboard," he said. He applauded the level of attention being given to fixing the site, but said the work should have been done before the launch. "When projects go into the tank, we engage with the contractor more. Why don't we do that up front," Powner said.

After the hearing, HHS released the first enrollment figures for coverage under the 2010 law.

Through Nov. 2, a few more than 106,000 people have picked a health insurance plan – about 27,000 from the 36 states that use the Federally Facilitated Exchange and 79,000 from the other 14 states and the District of Columbia that operate their own exchanges. These numbers refer to people who have received an eligibility determination from the data hub and picked a plan, but not necessarily submitted their first premium payment.

The number of enrollees is well below the 500,000 that the Congressional Budget Office projected for the first month of operation.

About 846,000 users were able to complete applications but did not submit them, with about 519,000 of those coming through the Federally Facilitated Exchange. Of those, some were steered toward Medicaid or their eligibility is still being determined.

HHS said 26.8 million unique visitors tried to access the federal marketplace or a state-based marketplace. The federal website has attracted 19.5 million unique visitors.