Nearly three months after its launch and as millions of Americans log on to shop for health plans, HealthCare.gov has still had serious security vulnerabilities, according to documents and testimony obtained by ABC News.
There have been “two high findings” of risk – the most serious level of concern – in testing over the past few weeks, the top Centers for Medicare and Medicaid Services (CMS) cybersecurity official told the House Oversight Committee on Tuesday in a private transcribed interview.
It’s a “vulnerability in the system,” CMS chief information security officer Teresa Fryer told the committee of one of the issues. “They shut the module down, so this functionality is currently shut down.”
The exact description of the issue was redacted from the transcript so as not to further compromise security, a committee official told ABC News.
MITRE Corporation, the federal contractor that oversees security testing of the website, defines a “high finding” as a risk of “significant political, financial and legal damage” if the technical vulnerability is exploited. One high finding was reported in November, the other earlier this week, Fryer said.
In the interview, Fryer said that “several layers of security” are in place and that there have been “no successful breaches” of the website. CMS told ABC News on Friday that the issues identified as “high risk” have now been resolved.
“In one case, what was initially flagged as a high finding was proven to be false,” the agency said in a statement. “In the other case, we identified a piece of software code that needed to be fixed and that fix is now in place. Since that time, the feature has been fully mitigated and verified by an independent security assessment, per standard practice.”
The administration maintains that no components of the website were allowed to go live after Oct. 1 with “open [unresolved] high findings.”
The revelation comes as the federal online insurance marketplace faces a surge in traffic ahead of the Dec. 23 sign-up deadline for coverage to take effect on Jan. 1. CMS says there have been more than 39 million unique visitors to the site since Oct. 1, with more than a million this week alone.
While administration officials insist there have been no known violations of HealthCare.gov security or misuse of personal information, the acknowledgement of high-risk issues in recent testing is significant. Top CMS staff had previously testified to Congress that the absence of such findings meant the site is safe and secure.
Health and Human Services spokeswoman Joanne Peters said that “risk mitigation strategies” are in place for all high, moderate and low security risk findings on the website. “Security testing is conducted on an ongoing basis using industry best practices to appropriately safeguard consumers’ personal information,” she told ABC News.
Still, Republicans leading the politically charged inquiry into the website’s management say the Obama administration has been reckless from the start.
Portions of the CMS cybersecurity chief’s testimony provided to ABC News show that she recommended that HealthCare.gov not launch on Oct. 1 because of serious security concerns.
“It was during the security testing when the issues were coming up about the availability of the system, about the testing in different environments. I had discussions with [CMS technology chief Tony Trenkle] on this and told him that my evaluation of this was a high risk,” Fryer told the committee of her assessment days before the portal was to go live.
Fryer said she gave the same warning on Sept. 20 – 10 days before launch – to two other top HHS officials. She says all three expressed an awareness of her concerns, but proceeded against her advice.
“What would your recommendation have been?” a committee interviewer asked.
“My recommendation was a denial of an ATO,” she said, referring to the Authority to Operate, the formal sign-off by which an agency official accepts a system’s residual security risk and authorizes it to go online for public access.
The website ultimately went live on Oct. 1 without ever having undergone complete end-to-end security testing.
“If they were able to do the testing in a single environment and on the same version, there would have been…less uncertainty and less unknown risk,” Fryer said. “Every system is going to have unknown risk, but because the testing wasn’t conducted in a single environment dedicated, there was more unknown risk.”
A slide prepared by Fryer for a Sept. 23 briefing of high-level HHS officials said that the risk included the possibility that applications might not be able to “withstand attack” and that “code being released into production and available to the public” might not be “functionally complete.”
The warnings of the CMS cybersecurity chief apparently fell on deaf ears.
HHS Secretary Kathleen Sebelius testified before Congress last month that despite the security concerns, “no one, I would say, suggested that the risks outweighed the importance of moving forward.”
Democrats on the Oversight Committee note that Fryer did not proactively object to CMS IT chief Tony Trenkle’s decision on Sept. 27 to launch the website with risk mitigation strategies in place.
“That was his decision, to move forward with this plan,” she told the committee.
“So you didn’t tell him he was doing the wrong thing?” the interviewer asked.
“No,” she said.
Separately, however, Fryer told the committee that when she signed an internal document acknowledging the risks she made it clear that she was “not agreeing with the decision” to authorize the ATO.
House Oversight Committee chairman Darrell Issa, R-Calif., and Sebelius agreed this week to meet one-on-one to discuss security concerns in a private meeting that has yet to be scheduled.
The ranking Democrat on the committee, Rep. Elijah Cummings, D-Md., has accused Issa of a “reckless pattern of leaking partial and misleading information” about the website operations.
“The very same witness interviewed by the Committee also said there have been absolutely no security breaches of the website and that she is satisfied with the current security testing,” Cummings said in a statement responding to the release of Fryer’s testimony. “This effort to leak cherry-picked information is part of a deliberate campaign to scare the American people and deny them the quality affordable health insurance to which they are entitled under the law.”
This post has been updated to include an expanded response from CMS and a statement from the ranking member of the House Oversight Committee.