HHS cybersecurity chief says health care website tests didn't follow security 'best practices'
WASHINGTON (AP) — The top cybersecurity officer for the Health and Human Services Department said he was concerned about potential vulnerabilities ahead of the launch of the Obama administration's health care website.
"I would say that it didn't follow best practices," Charest testified a Jan. 8 deposition. Excerpts of his testimony were provided to The Associated Press by the House Oversight and Government Reform Committee.
Chairman Darrell Issa, R-Calif., investigating the chaotic rollout of the HealthCare.gov website, contends the administration risked the personal information of millions of Americans in its zeal to meet a self-imposed Oct. 1 deadline. The online federal insurance market is the main portal to coverage under President Barack Obama's signature program.
The panel's senior Democrat, Rep. Elijah Cummings of Maryland, says the administration addressed the potential security issues through added vigilance instituted before the site went live. He says despite initial operational problems, the site has not been successfully hacked. Cummings says it is Republicans who are risking the privacy of average citizens by demanding detailed blueprints that, if leaked, would become a road map for hackers.
With "Obamacare" expected to be a polarizing issue in the midterm congressional elections, both political parties are at battle stations. Republicans have raised security issues but have yet to produce a smoking gun.
As chief information security officer for HHS, Charest offered a look an insider concerns during the weeks and days before the website went live. Technical problems developed immediately and many potential customers were frozen out. The site seems to be working well now, but the administration's signup campaign hasn't fully recovered its momentum.
But the Centers for Medicare and Medicaid Services — the departmental division running the health care rollout — wasn't sharing.
He said he came to believe that CMS — as the division is known— was deliberately keeping information to itself. "I can't explain it," he said.
While he did not have direct chain-of-command authority over the rollout, "I have responsibility for incident control," Charest testified. "Putting my bad-guy hat on, this would be something I would think would be desirable for someone to want to attack."
But the front room does. That's where consumers in the 36 states served by the federal website create and save their accounts. Individual components of the front room did undergo security testing. But the system as a whole could not be tested because it was being worked on until late in the process — and it was also crashing.
The path followed by HealthCare.gov was "not typical," he said. "In a perfect world, the system is completely done when you test it."
Charest testified that he did not get to review a key outside contractor's security evaluation until November, a month into the rollout. He found out only through media reports that the consumer-facing part of the website had been issued a provisional six-month operational and security certificate.
"I have no reason to believe that these broad mitigation strategies, if followed through in detail, would not mitigate the risk," he told the committee.
Fryer, who is the CMS chief information security officer, has testified that she recommended against issuing a full certification for the consumer-facing part of the website. She put her concerns in a Sept. 24 memo, but it was never sent.