Three days before the new online health insurance marketplace went live, Obama administration officials were warned that security testing on the website was only “partly completed,” creating a “level of uncertainty that can be deemed as a high risk.”
“The security contractor has not been able to test all of the security controls in one complete version of the system,” two federal IT administrators wrote to Center for Medicare and Medicaid Services chief Marilyn Tavenner on Sept. 27 in a memo obtained by ABC News. The memo was penned by CMS staffers James Kerr, consortium administrator for Medicare health plans operations, and Henry Chao, deputy chief information officer.
“There are inherent security risks with not having all code tested in a single environment,” their memo says. Those risks include potential exposure of consumers’ personal information, such as Social Security and credit card numbers, to interception or hacking.
Formally acknowledging the risks, Tavenner signed the document, thereby green-lighting the Marketplace launch for Oct. 1. The memo instituted a risk “mitigation plan” of a “dedicated security team” to monitor the site and “perform weekly testing,” among other steps, until a full test of the “security controls” could be completed within 60 to 90 days.
Rep. Mike Rogers, R-Mich., today sounded the alarm about the incomplete testing, accusing Health and Human Services Secretary Kathleen Sebelius, who oversees CMS, of putting Americans at unnecessary risk.
“You accepted a risk on behalf of every user of this computer that put their personal financial information at risk because you did not even have the most basic end-to-end test on security of the system,” Rogers said in a hearing before the House Energy and Commerce Committee. “Amazon would never do this. ProFlowers would never do this. Kayak would never do this. This is completely an unacceptable level of security.”
Sebelius defended the decision to proceed with the launch, pointing to “weekly testing of all border devices, including interface testing daily, weekly scans are going on.”
The document warning of the risks “is a document signed by Administrator Tavenner, which discusses mitigation strategies for security that are ongoing and upgraded, and an authorization to operate on a permanent basis will not be signed until these mitigation strategies are satisfied,” she said. “It is underway right now. But daily and weekly monitoring and testing is underway.”
Since the Oct. 1 launch, several tech bloggers examining the website’s code have identified the potential for security breaches, though the administration says there is no evidence that one has occurred.
Asked about one such scenario, Sebelius said, “We immediately corrected that problem. So there wasn’t — it was a theoretical problem that was immediately fixed. I would tell you, we are storing the minimum amount of data because we think that’s very important.”
HHS spokeswoman Joanne Peters wrote ABC News to say that insurance exchange users “can trust that the information they’re providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure.”
She noted that in early 2014 the new marketplace system will be migrated to the “CMS Virtual Data Center” — a platform that has already been fully tested for electronic security.