Menu
SpaceX and Boeing build manned NASA Spaceships

SpaceX and Boeing build manned NASA Spaceships

iOS 8 Download Release is Expected at 10 am PDT

iOS 8 Download Release is Expected at 10 am PDT

Matt Damon is Jason Bourne Again

Matt Damon is Jason Bourne Again

Galaxy Note 4 Screen is the World's Best

Galaxy Note 4 Screen is the World's Best

iPhone 6 Reviews are Glowing

iPhone 6 Reviews are Glowing

Cybersecurity chief had qualms over health website

Jan 16 2014, 2:36am CST | by , in News

 
 

HHS cybersecurity chief says health care website tests didn't follow security 'best practices'

WASHINGTON (AP) — The top cybersecurity officer for the Health and Human Services Department said he was concerned about potential vulnerabilities ahead of the launch of the Obama administration's health care website.

But Kevin Charest told congressional investigators he was unable to get answers to his questions from others inside the department. He concluded that the testing of the site was substandard.

"I would say that it didn't follow best practices," Charest testified a Jan. 8 deposition. Excerpts of his testimony were provided to The Associated Press by the House Oversight and Government Reform Committee.

Charest and Teresa Fryer — another government cybersecurity professional who also had qualms — were to testify before the panel Thursday.

Chairman Darrell Issa, R-Calif., investigating the chaotic rollout of the HealthCare.gov website, contends the administration risked the personal information of millions of Americans in its zeal to meet a self-imposed Oct. 1 deadline. The online federal insurance market is the main portal to coverage under President Barack Obama's signature program.

The panel's senior Democrat, Rep. Elijah Cummings of Maryland, says the administration addressed the potential security issues through added vigilance instituted before the site went live. He says despite initial operational problems, the site has not been successfully hacked. Cummings says it is Republicans who are risking the privacy of average citizens by demanding detailed blueprints that, if leaked, would become a road map for hackers.

With "Obamacare" expected to be a polarizing issue in the midterm congressional elections, both political parties are at battle stations. Republicans have raised security issues but have yet to produce a smoking gun.

As chief information security officer for HHS, Charest offered a look an insider concerns during the weeks and days before the website went live. Technical problems developed immediately and many potential customers were frozen out. The site seems to be working well now, but the administration's signup campaign hasn't fully recovered its momentum.

"I get paid to be paranoid," Charest said in the transcript. "And so I wanted to understand the exact controls in place, what environment, what procedures, what policies."

But the Centers for Medicare and Medicaid Services — the departmental division running the health care rollout — wasn't sharing.

"I was frustrated by a number of requests I made that I did not receive," Charest said. The requests were not just related to security, he said, but other operational issues as well.

He said he came to believe that CMS — as the division is known— was deliberately keeping information to itself. "I can't explain it," he said.

While he did not have direct chain-of-command authority over the rollout, "I have responsibility for incident control," Charest testified. "Putting my bad-guy hat on, this would be something I would think would be desirable for someone to want to attack."

HealthCare.gov has two major components: an electronic "back room" that got full operational and security certification and a consumer-facing "front room" that was temporarily certified Sept. 27.

The back room, known as the federal data services hub, pings government agencies to verify applicants' personal information. It does not store data.

But the front room does. That's where consumers in the 36 states served by the federal website create and save their accounts. Individual components of the front room did undergo security testing. But the system as a whole could not be tested because it was being worked on until late in the process — and it was also crashing.

Charest testified that security testing usually takes place on a fully built, stable system that represents real-world functionality.

The path followed by HealthCare.gov was "not typical," he said. "In a perfect world, the system is completely done when you test it."

Charest testified that he did not get to review a key outside contractor's security evaluation until November, a month into the rollout. He found out only through media reports that the consumer-facing part of the website had been issued a provisional six-month operational and security certificate.

Despite the unusual process that administration officials followed with the website, Charest expressed cautious optimism over the added vigilance and testing measures put in place to reduce risks.

"I have no reason to believe that these broad mitigation strategies, if followed through in detail, would not mitigate the risk," he told the committee.

Fryer, who is the CMS chief information security officer, has testified that she recommended against issuing a full certification for the consumer-facing part of the website. She put her concerns in a Sept. 24 memo, but it was never sent.

Source: AP

You Might Also Like

Updates

Shopping Deals

 
 
 

<a href="/latest_stories/all/all/30" rel="author">Associated Press</a>
The Associated Press (AP) is one of the largest and most trusted sources of independent newsgathering, supplying a steady stream of news to its members, international subscribers and commercial customers.

 

 

Comments

blog comments powered by Disqus

Latest stories

Tim Duncan to be Featured in Punisher Comic
Tim Duncan to be Featured in Punisher Comic
San Antonio Spurs forward Tim Duncan will be featured in an upcoming issue of The Punisher comic book series as announced by the Black Jack Speed Shop Facebook page on Sept. 17.
 
 
Becoming Belle Knox reveals Candid Insights in Adult Movie Industry
Becoming Belle Knox reveals Candid Insights in Adult Movie Industry
Belle Knox aka Duke Porn Star gives a candid look at her adult movie job that pays for her education at Duke University.
 
 
Liza Minnelli had Back Surgery
Liza Minnelli had Back Surgery
Legendary performer Liza Minnelli is recovering from a back surgery. She broke her back a week ago.
 
 
Most Stylish Men of 2014 Ranked
Most Stylish Men of 2014 Ranked
Some of the best dressed stars that wowed the crowd this year had dashing dudes among their ranks. People Magazine's annual list ranked these most stylish men of 2014.
 
 
 

About the Geek Mind

The “geek mind” is concerned with more than just the latest iPhone rumors, or which company will win the gaming console wars. I4U is concerned with more than just the latest photo shoot or other celebrity gossip.

The “geek mind” is concerned with life, in all its different forms and facets. The geek mind wants to know about societal and financial issues, both abroad and at home. If a Fortune 500 decides to raise their minimum wage, or any high priority news, the geek mind wants to know. The geek mind wants to know the top teams in the National Football League, or who’s likely to win the NBA Finals this coming year. The geek mind wants to know who the hottest new models are, or whether the newest blockbuster movie is worth seeing. The geek mind wants to know. The geek mind wants—needs—knowledge.

Read more about The Geek Mind.