Government insiders who flagged security issues prior to the launch of HealthCare.gov were right to be concerned. That’s according to a new audit by the Government Accountability Office, which concluded that security weaknesses are putting “the sensitive personal information” contained by HealthCare.gov and its related systems at risk.
HealthCare.gov security problems put “sensitive personal information” at risk, @usgao concluded.
As the Obama administration prepared to launch the website last fall, one of those insiders voiced concern about the vulnerabilities and complained about “cover ups” masking the severity of the problems.
The findings run counter to claims by Obama administration officials who have long insisted there’s no reason for any concern regarding the website’s security.
The news comes in advance of a House Oversight and Government Reform Committee hearing at 11 a.m. today examining the security vulnerabilities. GAO Director of Information Security Issues Greg Wilhusen will testify. His report concludes, “Until these weaknesses are addressed, the systems and the information they contain remain at increased risk of unauthorized use, disclosure, modification, or loss.”
Missing Information
As the GAO performed its security investigation, it did not receive full information from the government, according to Oversight Chairman Darrell Issa, R-Calif. He says that government officials refused to provide GAO with reports on 13 HealthCare.gov security incidents.
“What vulnerabilities to sensitive personal information is CMS still so intent on hiding from an independent government auditor?” said Issa in a statement issued Wednesday.
The GAO found that the Centers for Medicare and Medicaid Services (CMS), which runs HealthCare.gov, failed to “analyze privacy risks associated with HealthCare.gov systems or identify mitigating control.” The GAO also faulted officials for not performing comprehensive security testing and not ensuring that security plans contained all required information, “which makes it harder for officials to assess the risks involved in operating those systems.”
According to the GAO, the Department of Health and Human Services, which oversees CMS, agreed or partially agreed with GAO’s six recommendations “to fully implement its information security program” and “concurred with all 22 of the recommendations to resolve technical weaknesses in security controls, describing actions it had under way or planned related to each of them.”
Warnings Ignored
Serious security problems with HealthCare.gov were exposed in stories I reported for CBS News in November and December of 2013. They revealed that Teresa Fryer, the chief information security officer for the Centers for Medicare and Medicaid Services, explicitly recommended the website should not be launched Oct. 1, 2013, due to security concerns, but was overruled by her superiors.
“I am tired of the cover ups,” a government security chief said of HealthCare.gov problems.
Fryer said she had warned, both verbally and in a briefing, that the website carried “high [security] risks” and possible exposure to “attacks.” Fryer also said that she refused to put her name on a letter recommending the website be given a temporary authority to operate while the issues were sorted out.
Additionally, Henry Chao, the CMS project manager in charge of building the website, was apparently kept in the dark about serious security failures. Those included “high-risk” issues, flagged by the government’s security testing firm, which indicated “the threat and risk potential [to the system] is limitless.”
‘Tired of the Cover Ups’
Meantime, internal documents newly released by Republicans on the Oversight Committee detail agency infighting and secrecy efforts surrounding the troubled launch of HealthCare.gov.
Fryer indicated that she was frustrated by fellow CMS officials who were not providing a true picture of security testing prior to the launch.
“I am tired of the cover ups,” she emailed a colleague, stating that she intended to give “a truthful update of exactly what was going on” to an official at Health and Human Services who had asked for a status report.
When CMS’ independent security testing prior to launch produced negative results, documents indicate one CMS official sought to have the report changed.
“We need to hit the pause button on this report,” wrote CMS’ Thomas Schankweiler, “and have an internal meeting about it. … It is very possible that this report will be reviewed at some point by [the Office of the Inspector General], and could see the light in other ways.”
In an Oct. 5, 2013, email, CMS Administrator Marilyn Tavenner forwarded a subordinate a complaint from a White House adviser and then instructed, “Please delete this email.” Issa says that instruction violates federal record-keeping rules.
Tavenner is scheduled to testify at today’s Oversight Committee hearing.