
Exclusive: Security Risks Seen at HealthCare.gov Ahead of Sign-Up Deadline
Nearly three months after its launch and as millions of Americans log on to shop for health plans,
HealthCare.gov has still had serious security vulnerabilities, according to documents and testimony
obtained by ABC News.
There have been "two high findings" of risk - the most serious level of concern - in testing over the
past few weeks, the top Centers for Medicare and Medicaid Services (CMS) cybersecurity official
told the House Oversight Committee on Tuesday in a private transcribed interview.
It's a "vulnerability in the system," CMS chief information security officer Teresa Fryer told the
committee of one of the issues. "They shut the module down, so this functionality is currently shut
down."
The exact description of the issue was redacted from the transcript so as not to further compromise
security, a committee official told ABC News.
MITRE Corporation, the federal contractor that oversees security of the website, defines a "high
finding" as a risk of "significant political, financial and legal damage" if the technical vulnerability is
exploited. One high finding was reported in November, the other earlier this week, Fryer said.

In the interview, Fryer said that "several layers of security" are in place and that there have been
"no successful breaches" of the website. CMS told ABC News on Friday that the issues identified as
"high risk" have now been resolved.
"In one case, what was initially flagged as a high finding was proven to be false," the agency said in
a statement. "In the other case, we identified a piece of software code that needed to be fixed and
that fix is now in place. Since that time, the feature has been fully mitigated and verified by an
independent security assessment, per standard practice."
The administration maintains that no components of the website were allowed to go live after Oct. 1
with "open [unresolved] high findings."
The revelation comes as the federal online insurance marketplace faces a surge in traffic ahead of
the Dec. 23 sign-up deadline for coverage to take effect on Jan. 1. CMS says there have been more
than 39 million unique visitors to the site since Oct. 1, with more than a million this
week alone.

While administration officials insist there have been no known violations of HealthCare.gov security
or misuse of personal information, the acknowledgement of high-risk issues in recent testing is
significant. Top CMS staff had previously testified to Congress that the absence of such findings
meant the site is safe and secure.
Health and Human Services spokeswoman Joanne Peters said that "risk mitigation strategies" are in
place for all high, moderate and low security risk findings on the website. "Security testing is
conducted on an ongoing basis using industry best practices to appropriately safeguard consumers'
personal information," she told ABC News.
Still, Republicans leading the politically-charged inquiry into the website's management say the
Obama administration has been reckless from the start.
Portions of the CMS cybersecurity chief's testimony provided to ABC News show that she
recommended that HealthCare.gov not launch on Oct. 1 because of serious security concerns.
"It was during the security testing when the issues were coming up about the availability of the
system, about the testing in different environments. I had discussions with [CMS technology chief
Tony Trenkle] on this and told him that my evaluation of this was a high risk," Fryer told the
committee of her assessment days before the portal was to go live.

Fryer said she gave the same warning on Sept. 20 - 10 days before launch - to two other top HHS
officials. She says all three expressed an awareness of her concerns, but proceeded against her
advice.
"What would your recommendation have been?" a
committee interviewer asked.

"My recommendation was a denial of an ATO," she said, referring to an Authority to Operate license
necessary for HealthCare.gov to go online for public access.
The website ultimately went live on Oct. 1 without ever having undergone complete end-to-end
security testing.
"If they were able to do the testing in a single environment and on the same version, there would
have been...less uncertainty and less unknown risk," Fryer said. "Every system is going to have
unknown risk, but because the testing wasn't conducted in a single environment dedicated, there
was more unknown risk."
A slide prepared by Fryer for a Sept. 23 briefing of high-level HHS officials said that risk included
the possibility that applications may not be able to "withstand attack" and of "code being
released into production and available to the public" not being "functionally complete."
The warnings of the CMS cybersecurity chief apparently fell on deaf ears.
HHS Secretary Kathleen Sebelius testified before Congress last month that despite the security
concerns, "no one, I would say, suggested that the risks outweighed the importance of moving
forward."
Democrats on the Oversight Committee note that Fryer did not proactively object to CMS IT chief
Tony Trenkle's decision on Sept. 27 to launch the website with risk mitigation strategies in place.
"That was his decision, to move forward with this plan," she told the committee.
"So you didn't tell him he was doing the wrong thing?" the interviewer asked.
"No," she said.
Separately, however, Fryer told the committee that when she signed an internal document
acknowledging the risks she made it clear that she was "not agreeing with the decision" to authorize
the ATO.
House Oversight Committee chairman Darrell Issa, R-Calif., and Sebelius agreed this week to meet
one-on-one to discuss security concerns in a private meeting that has yet to be scheduled.
The ranking Democrat on the committee, Rep. Elijah Cummings, D-Md., has accused Issa of a
"reckless pattern of leaking partial and misleading information" about the website operations.
"The very same witness interviewed by the Committee also said there have been absolutely no
security breaches of the website and that she is satisfied with the current security testing,"
Cummings said in a statement responding to the release of Fryer's testimony. "This effort to leak
cherry-picked information is part of a deliberate campaign to scare the American people and deny
them the quality affordable health insurance to which they are entitled under the law."
This post has been updated to include an expanded response from CMS and a statement from the
ranking member of the House Oversight Committee.