FACT SHEET: HealthCare.gov Launch: Security Vulnerabilities and Lack of Testing Put Personal Information of Site Users at Risk - United States House Committee on Oversight and Accountability

CMS top security official testified that she recommended denying the authority to launch HealthCare.gov but other officials decided to go ahead anyway. Teresa Fryer, The Chief Information Security Officer (CISO) at the Centers for Medicare and Medicaid Services (CMS), testified in a transcribed interview with House Oversight and Government Reform Committee investigators that she recommend denying the authority to operate (ATO) for HealthCare.gov, which was necessary to launch the site. Fryer cited incomplete testing and unknown risks, which she believed constituted a high security risk to the system as the basis of her recommendation and warning.

The decision to cast aside security warnings and proceed came as officials were obsessed with meeting the administration’s arbitrary October 1 launch date.

From July 20, 2013, e-mail from HealthCare.gov project leader Henry Chao to his team:

“I wanted to share this with you so you can see and hear that both [CMS Administrator] Marilyn [Tavenner] and I under oath stated we are going to make October 1^st. I would like you [to] put yourself in my shoes standing before Congress, which is essence is standing before the American public, and know that you speak the tongue of not necessarily just past truths but the truth that you will make happen, the truth that is a promise to the public that millions of people depend on for us to make happen.”

Chao testified that top officials were cited President Obama in underscoring the importance of the October 1^st deadline:

Q Do you recall who made those statements about it being the President’s number one priority and the importance of October 1st?

A One of the first meetings I went to which was in cross‑agency when I was still in the OCIO organization, we had a kick‑off meeting with IRS in which Zeke Emanuel attended, and he just kind of kicked off the meeting to set the tone, and I think that is one of the things that he said.

Q Anyone else?

A I think Marilyn has said it on occasion. I can’t remember exactly when, but I am pretty sure she said it.

Q Marilyn Tavenner?

A Yes.

And HHS Secretary Kathleen Sebelius aptly demonstrated her agency’s unhealthy obsession with October 1 when she falsely claimed that law mandated the October 1 launch – per the Associated Press:

“Misstating the health care law she is responsible for administering, Kathleen Sebelius has asserted that the law required health insurance sign-ups to start Oct. 1, whether the system was ready or not. In fact, the decision when to launch the sign-up website was hers.”

So it’s difficult to have a mitigation plan when you don’t do the testing and aren’t sure what the risks are? “Yes,” CMS’ top cyber security expert responded when asked this question by Congressional investigators. She also stated that, “usually a mitigation plan or remediation plan is put into place after findings are discovered.” While Fryer testified that CMS did come up with “extra protections” for the site as a whole, she noted, “we couldn’t mitigate or remediate those unknown risks.”

“There is also no confidence that Personal Identifiable Information will be protected.” Fryer told investigators an unsent memo she wrote just days before launch outlined her concerns about launching HealthCare.gov:

“[HealthCare.gov] does not reasonably meet the CMS security requirements … There is also no confidence that Personal Identifiable Information will be protected.”

- “[HealthCare.gov] was not ready to test and did not complete a comprehensive security control assessment (SCA).”

- “Complete end-to-end testing of [HealthCare.gov] never occurred. The majority of testing efforts were focused on testing the expected functionality of the application – not security.”

- “Other known factors supporting a no-confidence level are items such as …”

The top cyber security official at CMS knew about plans to mitigate risk, but still made clear she did not support launch. Contrary to claims by Congressional Democrats and some left-wing fringe voices in the press, Fryer did consider the mitigation plan created after raising her initial concern on September 20 and testified that even after considering the plan she made her recommendation against launch known to other officials on September 27 when she signed a document noting the mitigation plan and security risks:

Q And why did you sign this document?

A Again, they were asking ‑‑ it was being asked that the CISO acknowledge the level of risk that was identified with this system.

Q So, by signing this, you were acknowledging the level of risk. You were not acknowledging that you agreed with the decision to proceed with the ATO?

A Yes.

Q Did you make it clear that you were not agreeing with the decision to ‑‑ for the ATO when you signed this document?

A Yes. This actually went through a vetting process, and this language was drafted by myself, this language on this page. So there were many ‑‑ it was a vetting process for this letter.

“My recommendation was a denial of an ATO [Authority to Operate HealthCare.gov].” Fryer responded when asked if she agreed with CMS’ decision to add extra security and proceed with launch:

Q So this recommendation in slide 5, “Follow the mitigation plan and issue an interim ATO,” do you know whose recommendation that is?

A No, I don’t.

Q Is that your recommendation?

A No, it’s not.

Q Would it have been your recommendation?

A No.

Q What would your recommendation have been?

A My recommendation was a denial of an ATO.

An October 11, 2013, report by CMS security contractor MITRE outlined numerous risks. Fryer said this testing and the security flaws raised by contractors contributed to her decision to recommend denying authority to launch the site. These documents, obtained by the Oversight Committee, contain sensitive technical details and have not been released, but they include disturbing information:

“Any malicious user having knowledge of this can perform unauthorized functions.”
“The attacker is able to see and edit PII [personal identifiable information] of the victim …”
“MITRE was unable to adequately test the Confidentiality and Integrity of the HIX [Health Exchange] system is full. The majority of MITRE’s testing efforts were focused on testing the expected functionality of the application. Complete end to end testing of the HIX application never occurred. Several factors contributed to the limited effectiveness of this SCA.

Of the 28 separate security vulnerabilities identified in the October 11 report, MITRE reported that 19 remained unaddressed. While some of these risks may be more routine and present in other systems, some are highly specific for HealthCare.gov.

HealthCare.gov contractor e-mail shows internal lack of confidence in security. E-mail between contractors Deloitte and Blue Canopy include the following:

“Within CMS, there is a confidence issue with the security of the ACA … some the issues were documented in the MITRE report and then the CISO [Chief Information Security Officer] wouldn’t endorse the ATO. Then the CIO [Chief Information Officer] would not either …”

“Not sure of you saw the TV report entitled ‘the ACA, a hacker’s dream’ …… Anyway, what needs to be avoided is reputation damage if the funding is not adequate that results in a ‘less than full’ SCA [Security Control Assessment] that in turn gets ‘hacked’ and the blame game leads to our front door.”

HHS knows HealthCare.gov security failures are actually happening. On December 17, 2013, top CMS security expert Teresa Fryer testified that recent security testing has uncovered multiple significant security problems. In one instance, a problem actually resulted in an incident that wrongfully disclosed a site user’s personal information to an unauthorized party. While Administration officials have tried to downplay the significance of these security failures, they have provided no evidence that these problems have been fixed.