Expand search form

Security of HealthCare.gov

Hearing Description:
The Oversight and Investigations Subcommittee held a hearing to examine the security of Healthcare.gov. They questioned Henry Chao, a key figure at CMS as well as contractors whose scope is to monitor the security of the website. The witnesses testified that no major attacks on the website have been successful and the system is secure, but there will always be hacks who will still probably find a way in.

Hearing Date: November 19th, 2013

Hearing Summary: Prepared for AAPS by the Market Institute

The House Committee on Energy and Commerce Subcommittee on Oversight and Investigations met to examine the security concerns of Healthcare.gov. Chairman Tim Murphy (R-PA) said in his opening statement that the trainwreck that was the roll-out of Healthcare.gov was entirely foreseeable. Rep. Diana DeGette (D-CO) said in her opening statement that CMS has complied with every security standard with an army of contractors.

The first witness on the first panel, Henry Chao, Deputy CIO at Centers for Medicare and Medicaid Services testified in his opening statement a key feature of the Marketplace IT is the stringent privacy and security controls. All IT systems related to the ACA and federal/state exchanges must adhere to standard and mandated rules and regulations. The Federal Hub was authorized to operate on September 6, 2013. The Hub and Marketplace are protected by several layers of security, mitigating risk. The Marketplace is compliant with FISMA and NIST guidelines and CMS will continue to monitor operations and mitigate any potential risk. Various system operations have been vastly improved since launch, most notably the process of creating an account on Healthcare.gov. They expect to see a vast improvement in the website for the majority of users by the end of November.

In response to questioning, Henry Chao said:

  • There have been no successful attempts to breach the system
  • They work with key partners, including states and DHS, to assess vulnerabilities
  • 30-40% of the system that has yet to be developed will best tested like they have done with the current system
  • He was working out of CGI’s office from early September to late October
  • He has no insight into how Jeffrey Zients and other “tech surge” guys are being compensated

The first witness on the second panel, Jason Providakes, Senior VP at MITRE Corporation testified in his opening statement that his organization serves an independent, objective adviser to CMS. MITRE assists CMS with the modernization of technology and the implementation of the health care law. The organization was asked to conduct security assessments of Healthcare.gov, but MITRE has no overall view of security testing of the site.

The second witness on the second panel, Maggie Bauer, Senior VP of Health Services at Creative Computing Solutions (CCSi) testified in her opening statement that her company was contracted to provide security monitoring for CMS. Maintaining system integrity and detecting malicious software are within the scope of their work, but the company has nothing to do with the design or implementation of the website.

The third witness on the second panel, David Amsler, President and CIO at Foreground Security testified in his opening statement that his company is a subcontractor to CSSi for a number of objectives related to the Affordable Care Act. His company was responsible for creating a security monitoring environment. It is important to note that his company has nothing to do with the design or performance of Healthcare.gov, rather they are just one member of the security team. To date, Foreground Security has fulfilled all obligations to CMS in time and under budget.

In response to questioning, Jason Providakes said:

  • He is comfortable putting his personal information on Healthcare.gov

In response to questioning, Maggie Bauer said:

  • Everything under their purview was working on October 1st
  • The scope of their contract includes continued security monitoring
  • There has been nothing of note that has been brought to her attention regarding malicious security attacks
  • A smaller system launch would have had a lower risk

In response to questioning, David Amsler said:

  • There are technical controls that they asked to implement, but are not available
  • Hackers will always try to attack websites, no matter what the content or security is

Hearing Website: http://energycommerce.house.gov/hearing/security-healthcaregov

Links to Testimony:

Mr. Henry Chao
Deputy Chief Information Officer and Deputy Director of the Office of Information Services Centers for Medicare and Medicaid Services (CMS)

Mr. David Amsler
President and Chief Information Officer Foreground Security, Inc

Ms. Maggie Bauer
Senior Vice President, Health Services Creative Computing Solutions, Inc. (CCSi)

Mr. Jason Providakes
Senior Vice President and General Manager Center for Connected Government MITRE Corporation (MITRE)

Previous Article

AAPS Warns Patients to Beware of ‘ObamaCare’ Exchanges

Next Article

Examining Federal Regulation of Mobile Medical Apps and Other Health Software