Four Days Before Launch Health Care Website Had ‘Inherent Security Risks’

An internal government memo obtained by The Associated Press shows administration officials were concerned that a lack of testing posed a "high" security risk for President Barack Obama's new health insurance website. (Photo by Chip Somodevilla/Getty Images)


WASHINGTON (CBS DC) – Just four days before the healthcare.gov site went live, a Center for Medicare and Medical Services (CMS) memo indicated that the site had “inherent security risks” because security testing on the site was only partially completed.

Written to CMS chief Marilyn Tavenner from her Consortium Administrator for Health Plan Operations James Kerr and the Deputy Chief Information Officer Henry Chao, the memo states that only a partial Security Control Assessment (SCA) was completed “due to system readiness issues.”

The website had “inherent security risks” because all of the computer code had not been “tested in a single environment” and the system “requires rapid development and release of hot fixes and patches so it is not always available or stable during the duration of testing,” the memo notes.

Parts of the system that were not tested due to the ongoing development “exposed a level of uncertainty that can be deemed as a high risk for the Federally Facilitated Marketplace (FFM)” from a security perspective.

The law requires that FFM systems successfully undergo a complete SCA.

CBS News reported that Tavenner signed the authority for HealthCare.gov to operate for six months while a mitigation plan was implemented, including establishing a security team that provides progress reports weekly. Also, the team must conduct a full security assessment within 60 to 90 days of going live.

On Wednesday, Rep. Mike Rogers suggested to Health and Human Services (HHS) Secretary Kathleen Sebelius that the personal data of Americans who sign up through the site is at risk because of the lack of a full security assessment.

“You accepted a risk on behalf of every user of this computer that put their personal financial information at risk because you did not even have the most basic end-to-end test on security of this system,” Rogers said. “Amazon would never do this, ProFlowers would never do this, Kayak would never do this. This is completely an unacceptable level of security.”

“You have exposed millions of Americans because you all, according to your memo, believed it was an acceptable risk,” Rogers explained.

Sebelius followed up by stating that Americans’ personal information is secure and that the site is operating with a temporary security certificate until full testing is completed.
