Posted: Friday, 20 December 2013 7:47AM

Security Risks Seen at HealthCare.gov Ahead of Sign-Up Deadline



(WASHINGTON) -- Nearly three months after its launch and as millions of Americans log on to shop for health plans, HealthCare.gov still has serious security vulnerabilities, according to documents and testimony obtained exclusively by ABC News.

There have been “two high findings” of risk -- the most serious level of concern -- in security tests over the past few weeks, the top CMS cybersecurity official told the House Oversight Committee on Tuesday in a private interview. 

It’s a “vulnerability in the system,” CMS chief information security officer Teresa Fryer told the committee of one of the issues. “They shut the module down, so this functionality is currently shut down.” 

The exact description of the issue was redacted from the transcript so as not to further compromise security, a committee official told ABC News. 

MITRE Corporation, the federal contractor that oversees security of the website, defines a “high finding” as a risk of “significant political, financial and legal damage” if the technical vulnerability is exploited.  One high finding was reported in November, the other earlier this week.

The revelation comes as the federal online insurance marketplace faces a surge in traffic ahead of Monday’s sign-up deadline for coverage to take effect on Jan. 1.  CMS says there have been more than 39 million unique visitors to the site since Oct. 1, with more than a million this week alone.

While administration officials insist there have been no known breaches of HealthCare.gov security or misuse of personal information, the acknowledgement of high-risk issues in recent testing is significant.  Top CMS staff had previously testified to Congress that the absence of such findings meant the site is safe and secure.

Department of Health and Human Services (HHS) spokeswoman Joanne Peters said that “risk mitigation strategies” are in place for all high, moderate and low security risk findings on the website.

“Security testing is conducted on an ongoing basis using industry best practices to appropriately safeguard consumers’ personal information,” she told ABC News.

Still, Republicans leading the politically charged inquiry into the website’s management say the Obama administration has been reckless from the start.

Portions of the CMS cybersecurity chief’s testimony provided to ABC News show that she recommended that the website not be launched on Oct. 1 because of serious security concerns.

“It was during the security testing when the issues were coming up about the availability of the system, about the testing in different environments. I had discussions with [CMS technology chief Tony Trenkle] on this and told him that my evaluation of this was a high risk,” Fryer told the committee of her assessment days before the portal was to go live.

Fryer said she gave the same warning on Sept. 20 -- 10 days before launch -- to two other top HHS officials.  She says all three expressed an awareness of her concerns, but ultimately proceeded against her advice.

“What would your recommendation have been?” a committee interviewer asked.

“My recommendation was a denial of an ATO,” she said, referring to the Authority to Operate license necessary for HealthCare.gov to go online for public access.

The website went live on Oct. 1 without ever having undergone complete end-to-end security testing.

“If they were able to do the testing in a single environment and on the same version, there would have been…less uncertainty and less unknown risk,” she said. “Every system is going to have unknown risk, but because the testing wasn’t conducted in a single environment dedicated, there was more unknown risk.”

The warnings of the CMS cybersecurity chief apparently fell on deaf ears. HHS Secretary Kathleen Sebelius testified before Congress last month that despite the security concerns, “no one, I would say, suggested that the risks outweighed the importance of moving forward.”

House Oversight Committee Chairman Darrell Issa, R-Calif., and Sebelius agreed this week to meet one-on-one to discuss security concerns in a private meeting that has yet to be scheduled.  

Copyright 2013 ABC News Radio

