HealthCare.gov had "inherent security risks" 4 days before launch
Updated 1:15 p.m. ET
An internal Center for Medicare and Medicaid Services (CMS) memo dated Sept. 27 - four days before the HealthCare.gov website went live - indicates the government decided to go forward with launching the site even though there were "inherent security risks."
The memo is written to CMS chief Marilyn Tavenner from her Consortium Administrator for Health Plan Operations James Kerr and the Deputy Chief Information Officer Henry Chao.
The memo says the law requires that Federally Facilitated Marketplace (FFM) systems successfully undergo a Security Control Assessment (SCA) but that "due to system readiness issues, the SCA was only partly completed. This constitutes a risk that must be accepted and mitigated to support the Marketplace Day 1 operations."
The memo states that all computer code has not been "tested in a single environment" and that poses "inherent security risks." It says the system "requires rapid development and release of hot fixes and patches so it is not always available or stable during the duration of testing."
It says that from a security perspective, aspects of the system that were not tested due to the ongoing development "exposed a level of uncertainty that can be deemed as a high risk for FFM (Federally Facilitated Marketplace)."
Tavenner signed the authority for HealthCare.gov to operate for six months while a mitigation plan was implemented. The mitigation included establishing a dedicated security team, providing weekly progress reports and conducting a full security assessment within 60 to 90 days of going live.
Rep. Mike Rogers, R-Mich., pointed out the lack of a full security assessment to Health and Human Services (HHS) Secretary Kathleen Sebelius at a House Energy and Commerce Committee hearing Wednesday, suggesting that the personal data of Americans who sign up through the site is at risk.
"You accepted a risk on behalf of every user of this computer that put their personal financial information at risk because you did not even have the most basic end-to-end test on security of this system," Rogers said. "Amazon would never do this, ProFlowers would never do this, Kayak would never do this. This is completely an unacceptable level of security."
"You have exposed millions of Americans because you all, according to your memo, believed it was an acceptable risk."
Sebelius assured Rogers that the site is secure, that Americans' personal information is secure and that it's operating with a temporary security certificate until full testing can be completed.
An HHS official pointed out that Security Control Assessments of the enrollment and eligibility functions of the Marketplace and the datahub have been conducted and that "We continue to conduct security testing on an ongoing basis as we add new functionality."
HHS spokeswoman Joanne Peters added, "When consumers fill out their online Marketplace applications, they can trust that the information they're providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure. Security testing happens on an ongoing basis using industry best practices."
