Expand search form

HHS’ Own Security Concerns about HealthCare.gov

Hearing Description: The Oversight and Government Reform Committee met to question security experts from Health and Human Services about the integrity of the website, Healthcare.gov. There have been no successful malicious attacks and only a handful of instances where personal information was accidentally disclosed.

Hearing Date: January 16, 2014

Hearing Summary: Prepared for AAPS by the Market Institute

The Oversight and Government Reform committee recently met to question representatives from Health and Human Services’ security team to ascertain how secure citizens’ private data is. Chairman Darrell Issa (R-CA) said in his opening statement it was the committee and Congress’ responsibility to investigate fundamental problems with the website’s security. They need to know if best practices were followed and if not, were decision makers aware of it? Through subpoena, they have learned that there were apparent problems with the system prior to the launch that should have alerted leaders within HHS. Rep. Elijah Cummings (D-MD) said in his opening statement that the hearing is important because they need to get the system right, but the law itself is working, helping millions of rural and urban Americans obtain quality healthcare. It is important however, that they highlight all aspects about the website, and not cherry pick specific things to drive a political narrative.

The first witness, Kevin Charest, Chief Information Security Officer at HHS testified in his opening statement that the vast majority of the Department’s IT resources are tied directly to the appropriations and statutory authorities Congress provides directly to our
programs and Operating Divisions. HHS has dedicated teams of experts who work around the clock to identify, manage, and mitigate suspected or potential breaches of personally identifiable information (PII). In the event PII is breached, protocol is to inform those that were affected and quickly resolve the security issue.

The second witness, Teresa Fryer, Chief Information Security Officer at Centers for Medicare and Medicaid testified in her opening statement that HHS has a long track record of securing massive IT systems. The projections put into place have successfully thwarted any attacks and no one has successfully hacked the system. Ongoing vulnerability assessments are gauging the security defense of the website. On December 18th, a complete security assessment was completed and the system passed the test.

The last witness, Frank Baitman, Chief Information Officer at HHS testified in his opening statement that his department does not have much oversight over the website’s development. The vast majority of IT resources are tied to appropriations and an operating division. The business owner of the website was CMS and his office had no control over the system. It would not have been appropriate for him to make operational recommendations during the development of the website.

In response to questioning, Kevin Charest said:

  • There is always a level of risk in defending a website
  • Personal information has been inadvertently shared with someone it should not have been

In response to questioning, Teresa Fryer said:

  • Independent testing of the system prior to launch made her uncomfortable due to lack of complete end-to-end testing
  • There are many tools in place to detect anomalies and attacks

In response to questioning, Frank Baitman said:

  • There was discussion of a Beta Launch of the website instead of a full roll-out
  • He had no specific concerns with the website and talk about a Beta Launch was purely based on his experience with large IT systems

Hearing Website:
http://oversight.house.gov/hearing/hhs-security-concerns-healthcare-gov/

Links to Testimony

Mr. Kevin Charest
Chief Information Security Officer
U.S. Department of Health & Human Services

Click to access Charest-Testimony2.pdf

Ms. Teresa Fryer
Chief Information Security Officer, Director, Enterprise Information Security Group
Centers for Medicare & Medicaid Services
[link not available]

Frank Baitman
Chief Information Officer, HHS
[link not available]

Previous Article

2014: Seeking PPACA Answers

Next Article

Social Media Snapshot: week of 1/20/2014