HealthCare.gov risks still unclear

A congressional panel questions administration officials about the Obamacare website.


A panel of federal IT professionals sought to allay concerns that HealthCare.gov launched with significant security risks that could compromise the personal information of users, telling lawmakers on Nov. 13 that such fears have been overstated.

"Cybersecurity is part of anything we do," Federal CIO Steve VanRoekel told the House Oversight and Government Reform Committee. "You almost can't buy a keyboard without taking cybersecurity into account."

Henry Chao, deputy CIO of the Centers for Medicare and Medicaid Services, testified that security testing for the various components was performed on an ongoing basis and in compliance with the requirements of the standards established under the Federal Information Security Management Act.

Chao also asserted that reports were incorrect that the site launched with two security risks rated high under testing documents provided by contractor CGI Federal and released by the Oversight and Government Reform Committee. He said the risks were related to components of the site that didn't launch on Oct. 1 when the site went live.

He addressed reservations he had about advising CMS Administrator Marilyn Tavenner to approve the "authority to operate" document required for HealthCare.gov to launch. A memo that went out Sept. 27 under Chao's name noted that "the aspects of the system that were not tested due to the ongoing development exposed a level of uncertainty that can be deemed as a high risk for the" Federally Facilitated Marketplace.

Chao, who sparred frequently with Republicans during the four-hour hearing, said that every system the federal government operates has to have security testing under the law, and that such testing is an "iterative, ongoing process."

Chao also told the panel that a feature designed to allow users to browse plans before signing up was shelved before the launch because it "failed so miserably," not – as many critics, including Committee Chairman Darrell Issa (R-Calif.), have suggested – to avoid giving visitors "sticker shock" about monthly premiums.

Issa was less than satisfied with Chao's explanations.

"This was a monumental mistake to go live and effectively explode on the launchpad," he said.

None of the officials would put a price tag on what had been paid to build HealthCare.gov or what was being spent on post-launch repair efforts. Republicans asked when administration officials were apprised of performance problems with the site, but got no solid answers to that question or to inquiries about why officials didn't seek to delay the launch.

Chao said only that he attended a series of White House meetings that focused on technical issues, including Privacy Act compliance and IRS regulations. Rep. Jim Jordan (R-Ohio) said the committee might look for answers elsewhere, and might seek testimony from political appointees, including former White House advisors Nancy Ann DeParle and Jean Landrieu, who could be subpoenaed for future hearings.

No real bombshells were revealed during the four hours of questioning of Chao, VanRoekel, federal CTO Todd Park, Health and Human Services CIO Frank Baitman, and David Powner of the Government Accountability Office, but a few interesting tidbits emerged.

Baitman acknowledged he had limited visibility into the development of HealthCare.gov, and said he hired an "ethical hacker" to probe the system for vulnerability after launch. The effort yielded information on a few vulnerabilities, which Baitman said he passed along to the information security people at CMS.

Park appeared to waver about whether the "tech surge" designed to make HealthCare.gov fully operative by Nov. 30 would meet that deadline. The effort is being run around the clock, and Park testified that in the early days after the launch he slept in his office to keep up. Currently, he said, the system is able to support up to 25,000 simultaneous users.

For Powner at GAO, the problem was one of governance. He said that HealthCare.gov was not subjected to rigorous TechStat reviews that are designed to make sure that high-profile IT projects are running properly. He noted that the project was rated as green on the federal IT dashboard.

"Does anyone really think it was a green project? There should have been flags on the dashboard," he said. He applauded the level of attention being given to fixing the site, but said the work should have been done before the launch. "When projects go into the tank, we engage with the contractor more. Why don't we do that up front," Powner said.

After the hearing, HHS released the first enrollment figures for coverage under the 2010 law.

Through Nov. 2, a few more than 106,000 people have picked a health insurance plan – about 27,000 from the 36 states that use the Federally Facilitated Exchange and 79,000 from the other 14 states and the District of Columbia that operate their own exchanges. These numbers refer to people who have received an eligibility determination from the data hub and picked a plan, but not necessarily submitted their first premium payment.

The number of enrollees is well below the 500,000 that the Congressional Budget Office projected for the first month of operation.

About 846,000 users were able to complete applications but did not submit them, with about 519,000 of those coming through the Federally Facilitated Exchange. Of those, some were steered toward Medicaid or their eligibility is still being determined.

HHS said 26.8 million unique visitors tried to access the federal marketplace or a state-based marketplace. The federal website has attracted 19.5 million unique visitors.
