WASHINGTON (CBS DC) – Just four days before the healthcare.gov site went live, a Center for Medicare and Medical Services (CMS) memo indicated that the site had “inherent security risks” because security testing on the site was only partially completed.
Written to CMS chief Marilyn Tavenner from her Consortium Administrator for Health Plan Operations James Kerr and the Deputy Chief Information Officer Henry Chao, the memo states that only a partial Security Control Assessment (SCA) was completed “due to system readiness issues.”
The website had “inherent security risks” because all of the computer code had not been “tested in a single environment” and the system “requires rapid development and release of hot fixes and patches so it is not always available or stable during the duration of testing” the memo notes.
Parts of the system that were not tested due to the ongoing development “exposed a level of uncertainty that can be deemed as a high risk for the Federally Facilitated Marketplace (FFM)” from a security perspective.
The law requires that FFM systems successfully undergo a complete SCA.
CBS News reported that Tavenner signed the authority for HealthCare.gov to operate for six months while a mitigation plan was implemented including establishing a security team that provides progress reports weekly. Also, the team must conduct a full security assessment within 60 to 90 days of going live.
Wednesday Rep. Mike Rogers suggested to Health and Human Services (HHS) Secretary Kathleen Sebelius that personal data of Americans who sign up through the site is at risk because of the lack of a full security assessment.
“You accepted a risk on behalf of every user of this computer that put their personal financial information at risk because you did not even have the most basic end-to-end test on security of this system,” Rogers said. “Amazon would never do this, ProFlowers would never do this, Kayak would never do this. This is completely an unacceptable level of security.”
“You have exposed millions of Americans because you all, according to your memo, believed it was an acceptable risk,” Rogers explained.
Sebelius followed up by stating that Americans’ personal information is secure and that the site is operating with a temporary security certificate until full testing is completed.