Home / Health Care Website Has Cybersecurity Issues

Health Care Website Has Cybersecurity Issues

  • Health care website has some security issues.
  • Chief Security Officer for the site says, the website has some security issues.

WASHINGTON (AP) — The top cybersecurity officer for the Health and Human Services Department said he was concerned about potential vulnerabilities ahead of the launch of the Obama administration’s health care website.

But Kevin Charest told congressional investigators he was unable to get answers to his questions from others inside the department. He concluded that the testing of the site was substandard.

“Health Care Website Has Cybersecurity Issues”

“I would say that it didn’t follow best practices,” Charest testified a Jan. 8 deposition. Excerpts of his testimony were provided to The Associated Press by the House Oversight and Government Reform Committee.

Charest and Teresa Fryer — another government cybersecurity professional who also had qualms — were to testify before the panel Thursday.

Health Care Website

Photo Courtesy: Wikipedia

Chairman Darrell Issa, R-Calif., investigating the chaotic rollout of the HealthCare.gov website, contends the administration risked the personal information of millions of Americans in its zeal to meet a self-imposed Oct. 1 deadline. The online federal insurance market is the main portal to coverage under President Barack Obama’s signature program.

The panel’s senior Democrat, Rep. Elijah Cummings of Maryland, says the administration addressed the potential security issues through added vigilance instituted before the site went live. He says despite initial operational problems, the site has not been successfully hacked. Cummings says it is Republicans who are risking the privacy of average citizens by demanding detailed blueprints that, if leaked, would become a road map for hackers.

With “Obamacare” expected to be a polarizing issue in the midterm congressional elections, both political parties are at battle stations. Republicans have raised security issues but have yet to produce a smoking gun.

As chief information security officer for HHS, Charest offered a look at insider concerns during the weeks and days before the website went live. Technical problems developed immediately and many potential customers were frozen out. The site seems to be working well now, but the administration’s signup campaign hasn’t fully recovered its momentum.

“I get paid to be paranoid,” Charest said in the transcript. “And so I wanted to understand the exact controls in place, what environment, what procedures, what policies.”

But the Centers for Medicare and Medicaid Services — the departmental division running the health care rollout — wasn’t sharing.

“I was frustrated by a number of requests I made that I did not receive,” Charest said. The requests were not just related to security, he said, but other operational issues as well.

He said he came to believe that CMS — as the division is known— was deliberately keeping information to itself. “I can’t explain it,” he said.

While he did not have direct chain-of-command authority over the rollout, “I have responsibility for incident control,” Charest testified. “Putting my bad-guy hat on, this would be something I would think would be desirable for someone to want to attack.”

HealthCare.gov has two major components: an electronic “back room” that got full operational and security certification and a consumer-facing “front room” that was temporarily certified Sept. 27.

The back room, known as the federal data services hub, pings government agencies to verify applicants’ personal information. It does not store data.

But the front room does. That’s where consumers in the 36 states served by the federal website create and save their accounts. Individual components of the front room did undergo security testing. But the system as a whole could not be tested because it was being worked on until late in the process — and it was also crashing.

Charest testified that security testing usually takes place on a fully built, stable system that represents real-world functionality.

The path followed by HealthCare.gov was “not typical,” he said. “In a perfect world, the system is completely done when you test it.”

Charest testified that he did not get to review a key outside contractor’s security evaluation until November, a month into the rollout. He found out only through media reports that the consumer-facing part of the website had been issued a provisional six-month operational and security certificate.

Despite the unusual process that administration officials followed with the website, Charest expressed cautious optimism over the added vigilance and testing measures put in place to reduce risks.

“I have no reason to believe that these broad mitigation strategies, if followed through in detail, would not mitigate the risk,” he told the committee.

Fryer, who is the CMS chief information security officer, has testified that she recommended against issuing a full certification for the consumer-facing part of the website. She put her concerns in a Sept. 24 memo, but it was never sent.

 

Copyright 2014 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

 

About Associated Press

Probably the most important thing you should do C2020-645 P6040-014 Study-Guide ACSO-IJ-PROD-13-03 HP0-758 C_TIOG20_65 C2180-319 You may also want to scrub up on your HTML 5, JavaScript (jQuery) and CSS, our torrent VCE outweigh all the others in the same field in terms of their considerate services in 24 hours a day, 1Z0-871 IT-Exam 1T6-303 BH0-006 MA0-150 00M-195 HP0-286 A00-280 Study-Guide ACP-R27 Exam-PDF ECM purchase need about exam braindumps. They are enthusiastic about what there are doing every day. Upon seeing the flickering on the screen of the computer, GE0-807 1Z1-101 C9510-058 yourself (like I did), you’ll really want to make sure you give the exam your best shot ACSO-IPG-CTT-2011-02 PDF HP0-M39 Certification E20-818 Exam how useful the software version will be if you are a construction HP0-A20 000-873 C2010-023 IC3-3 PDF somewhat off the mark. 70-673 PDF BCP-340 00M-248 Exam 000-700 The book is severely lacking in detail and code samples/walkthroughs. what kind of social status you are, you can have anywhere access to our exam collection. Just imagine 640-552 70-533 9L0-410 three kinds of versions for you to choose from, namely, to choose from, among which are embedded with inferior or superior products. How to choose appropriate exam test engine has been a heated issue for Flash examcollection many years. We offer you worry-free purchasing. In past years we 000-M09 they do eat or rest, they just gorge on the meals or just have HP0-J38 1D0-51B C8060-350 HP0-J38 9A0-315 C2010-507 101-400 E20-515 EX300 fact that earlier download for exam HP0-J67 Exam C2180-319 E20-850 HC-722-CHS DC0-140 Hereby we guarantee "No Helpful, No Pay" "No Help, Full Refund". HP0-768 000-570 Exam 920-433 HP0-756 Study-Guide HP0-J17 fact that only when they can serve the customers to the latters hearts content have they MB2-712