Official: Despite earlier concerns, health care website passed recent security test

By Ricardo Alonso-Zaldivar

Associated Press

Published: Thursday, Jan. 16 2014 1:44 p.m. MST

In this Dec. 11, 2013 file photo, Rosemary Cabelo uses a computer at a public library to access the Affordable Health Care Act website, in San Antonio.

Eric Gay, Associated Press

Enlarge photo»

WASHINGTON — Medicare's top cybersecurity official says the Obama administration's health care website recently passed full security tests, easing her earlier concerns about vulnerabilities.

Teresa Fryer, chief information security officer at the Centers for Medicare and Medicaid Services, told Congress at a hearing Thursday that she would now recommend full operational and security certification for the website known as HealthCare.gov.

The Medicare agency is responsible for expanding coverage to the uninsured under President Barack Obama's health care law.

Shortly before the website's disastrous launch Oct. 1, Fryer told other top officials that she could not recommend going live because full security testing had not been completed. She drafted a formal memo expressing her concerns, but never sent it, partly because more senior officials had already determined to proceed with additional safeguards to address the potential risks.

"The testing was successfully completed. It had good results," Fryer told the House Oversight and Government Reform committee. She agreed with a suggestion by Rep. Jackie Speier, D-Calif., that the system now has "a clean bill of health."

But Republicans sought to turn the focus to the administration's decision to launch the site on Oct. 1, before full security testing was complete.

The concerns of Fryer and others were relayed to senior levels of the department, Assistant Secretary of Information Technology Frank Baitman testified. He told the panel he had informed Deputy Secretary Bill Corr, second in line after Secretary Kathleen Sebelius. Baitman said he was not personally convinced the security worries were a "red flag."

Officials said there have been 13 known cases in which personal information has been inadvertently disclosed or exposed to disclosure. But there have been no successful attacks by hackers, including a group calling itself "Destroy Obamacare."

Chairman Darrell Issa, R-Calif., investigating the chaotic rollout of the HealthCare.gov website, contends the administration risked the personal information of millions of Americans in its zeal to meet a self-imposed Oct. 1 deadline. The online federal insurance market is the main portal to coverage under President Barack Obama's signature program.

The panel's senior Democrat, Rep. Elijah Cummings of Maryland, says the administration addressed the potential security issues through added vigilance instituted before the site went live. He says despite initial operational problems, the site has not been successfully hacked. Cummings says it is Republicans who are risking the privacy of average citizens by demanding detailed blueprints that, if leaked, would become a road map for hackers.

With "Obamacare" expected to be a polarizing issue in the midterm congressional elections, both political parties are at battle stations. Republicans have raised security issues but have yet to produce a smoking gun.

In a closed-door deposition prior to the hearing, the top cybersecurity officer for the Health and Human Services Department said he was concerned about potential vulnerabilities ahead of the launch.

But Kevin Charest told congressional investigators he was unable to get answers to his questions from others inside the department. He concluded that the testing of the site was substandard.

"I would say that it didn't follow best practices," Charest testified a Jan. 8 deposition.

HealthCare.gov has two major components: an electronic "back room" that got full operational and security certification and a consumer-facing "front room" that was temporarily certified Sept. 27.

The back room, known as the federal data services hub, pings government agencies to verify applicants' personal information. It does not store data.

Get The Deseret News Everywhere

Subscribe

Mobile

RSS