Oversight Committee Fact Sheet: Officials Warned It Was Not Ready To Launch and ObamaCare Web Site Still Not Safe For User Personal Security Info...

ObamaCare Web Site Still Not Secure...

The House Committee On Oversight and Government Reform said today that despite Obama administration officials downplaying of security failures at the Affordable Care Act web site, "...they have provided no evidence that these problems have been fixed..." and the Committee released contents of emails that show administration officials were warned that the site was not ready for "launch" in October, but that Health and Human Services Secretary, Kathleen Sebelius, opened the site anyway.

The "Fact Sheet" included information that has been released to date about the vulnerabilities of the ObamaCare web site and provides insight into how the web site was launched without concern for security, and that security flaws have not been fixed:

"...CMS top security official testified that she recommended denying the authority to launch HealthCare.gov but other officials decided to go ahead anyway.  Teresa Fryer, The Chief Information Security Officer (CISO) at the Centers for Medicare and Medicaid Services (CMS), testified in a transcribed interview with House Oversight and Government Reform Committee investigators that she recommend denying the authority to operate (ATO) for HealthCare.gov, which was necessary to launch the site.  Fryer cited incomplete testing and unknown risks, which she believed constituted a high security risk to the system as the basis of her recommendation and warning The decision to cast aside security warnings and proceed came as officials were obsessed with meeting the administration’s arbitrary October 1 launch date...."

A 20 July, 2013 email from HealthCare.gov project leader Henry Chao, states:

"...“I wanted to share this with you so you can see and hear that both [CMS Administrator] Marilyn [Tavenner] and I under oath stated we are going to make October 1st.  I would like you [to] put yourself in my shoes standing before Congress, which is essence is standing before the American public, and know that you speak the tongue of not necessarily just past truths but the truth that you will make happen, the truth that is a promise to the public that millions of people depend on for us to make happen.”

The committee's statement today says that Chao testified that top officials cited President Obama in underscoring the importance of the October 1st deadline.

Among the points cited in the Fact Sheet was an October 11, 2013 report by CMS security contractor MITRE which outlined numerous risks:

"...[Chief Information Security Officer (CISO) at the Centers for Medicare and Medicaid Services (CMS) ] ...  Fryer said this testing and the security flaws raised by contractors contributed to her decision to recommend denying authority to launch the site.  These documents, obtained by the Oversight Committee, contain sensitive technical details and have not been released, but they include disturbing information:
“Any malicious user having knowledge of this can perform unauthorized functions.”“The attacker is able to see and edit PII [personal identifiable information] of the victim …”“MITRE was unable to adequately test the Confidentiality and Integrity of the HIX [Health Exchange] system is full.  The majority of MITRE’s testing efforts were focused on testing the expected functionality of the application.  Complete end to end testing of the HIX application never occurred.  Several factors contributed to the limited effectiveness of this SCA.Of the 28 separate security vulnerabilities identified in the October 11 report, MITRE reported that 19 remained unaddressed.  While some of these risks may be more routine and present in other systems, some are highly specific for HealthCare.gov.
HealthCare.gov contractor e-mail shows internal lack of confidence in security.  E-mail between contractors Deloitte and Blue Canopy include the following:
“Within CMS, there is a confidence issue with the security of the ACA … some the issues were documented in the MITRE report and then the CISO [Chief Information Security Officer] wouldn’t endorse the ATO. Then the CIO [Chief Information Officer] would not either …”“Not sure of you saw the TV report entitled ‘the ACA, a hacker’s dream’ …… Anyway, what needs to be avoided is reputation damage if the funding is not adequate that results in a ‘less than full’ SCA [Security Control Assessment] that in turn gets ‘hacked’ and the blame game leads to our front door.”

At the end of December House Oversight and Government Reform Committee Chairman Darrell Issa (R-Calif.) issued a statement on the departure of CMS’ Chief Operating Officer and Supervisor of Obamacare Rollout, Michelle Snyder, stating:

"...Documents and interviews indicate Michelle Snyder’s involvement in bypassing the recommendation of CMS’ top security expert who recommended delaying the launch of HealthCare.gov after independent testers raised concern about serious vulnerabilities from a lack of adequate security testing. Americans seeking health insurance are left to shoulder the risk of a website that’s still an all-around work in progress because of the cult like commitment officials had to the arbitrary goal of launching on October 1..."

See the "Fact Sheet" HERE