Healthcare.gov hearing assesses security, hacking

In a hearing focused on Healthcare.gov’s safeguards, chief members of the House Oversight Committee offered virtually opposite assessments of the site’s security and of whether the American people should be resting easy or panicking.

At the meeting, which was cut short due to a unanimous vote to enter into executive session, Chairman Rep. Darrell Issa (R-Calif.) and Elijah Cummings (D-Md.), ranking member, did not pull punches on “security glitches.”

During the “A Roadmap for Hackers” hearing, Issa explained that President Barack Obama and health officials have been less than forthcoming in providing vital documents to the Committee. He said that the administration continues to lie about vulnerabilities, and referenced documents obtained by subpoena indicating that security officials at CMS [Centers for Medicare & Medicaid Services] had recommended that the “site be delayed, not launched or launched in-part.”

MITRE Corporation was hired to conduct security control assessments. At the federal government’s request, the not-for-profit organization operates federally funded research and development centers (FFRDCs). MITRE is working with CMS and the Department of Health and Human Services to help modernize healthcare through its alliance with the federal agencies.

Today, while charging that the administration did not launch security testing 11 months after the site’s initial launch, Issa explains that MITRE found in its follow-up assessment that the site allowed “exposure of privileged information to unauthorized individuals.”

Issa says the administration is asking that MITRE's testing documents not be released because they contain sensitive information.

“The administration cannot have it both ways. They can’t say these documents represent completely mitigated vulnerabilities, and then say but they are a pathway so they can’t be released,” Issa said. “It is this committee’s intent to err on the side of the assumption that administration continues to lie about the site being safe and secure.”

He adds: “I don’t use the word lie without real forethought.”

Department of Health and Human Services Chief Information Officer Kevin Charest, and Milton Shomo, a principal information systems engineer from MITRE, were present to testify.

Today, Cummings adds that in the 23rd hearing on the ACA, the American people have not been swindled by an insecure online health marketplace.

Under the ACA, health insurance companies are now prevented from “discriminating” against individuals who have pre-existing conditions such as cancer and diabetes, Cummings said. He notes that “millions of people are now receiving free preventative care” as a result of the program.

Actually, with about 800,000 new sign-ups in January, U.S. Health Secretary Kathleen Sebelius and an HHS Department spokesperson confirmed that three million people have enrolled in private health plans under the ACA. By the end of March, which closes the first enrollment period, the Obama administration predicts that seven million people will have signed up on Healthcare.gov.

Earlier this month, documents disclosed that CMS did not have faith in CGI Federal to complete its work on time for Healthcare.gov. As a result, Accenture was selected as the new contractor in a no-bid $90 million-plus contract.

Despite the changes in Healthcare.gov contractors, Cummings reiterated December 2012 comments offered by CMS Chief Information Security Officer Teresa Fryer that note “there have been no successful security attacks on the FFM [Federally Facilitated Marketplace], and no person or group has maliciously accessed personally identifiable information.”

He adds that Fryer is “confident based on the recent security controls assessment and the additional security protections in place that the FFM is secure.”

Both MITRE and HHS warned that security testing documents contain sensitive information that “could provide a roadmap for hackers and others seeking to do us harm,” Cummings said.

“Even when specified vulnerabilities identified by security testing have been addressed, these experts warn that publicly disclosing the Security Control Assessments could still jeopardize Healthcare.gov and other CMS data networks,” Cummings stated this morning.

The Committee followed with a unanimous vote to enter into closed session.
