website security was at 'high risk' before launching

A government memorandum signed off on by Centers for Medicare & Medicaid Services administrator Marilyn Tavenner reveals that she allowed to launch without final security testing.

The memo, sent by two Department of Health and Human Services staffers working on the site to Tavenner on September 27, states that due to "system readiness issues," a security control assessment was only partly completed as of that date.

"This constitutes a risk that must be accepted and mitigated to support Marketplace Day 1 operations," the memo states. "As with all new systems ... there are inherent security risks with not having all code tested in a single environment."

As mitigation, the memo recommended a security team, weekly server testing, daily scans and a full security assessment within 60 to 90 days of launch.

Reuters reports that HHS secretary Kathleen Sebelius, contesting the memo, said Wednesday in her testimony before Congress that "steps to mitigate security concerns" on have been implemented since then.

The memo came up during Sebelius's testimony about technical problems that have plagued the website. Sebelius confirmed the main points of the memo, and said the plan to ensure security was underway.

Sebelius said that the site had a temporary "authority to operate" certificate for the Oct. 1 launch and that the agency would issue a permanent certificate once security concerns are alleviated and full testing has been completed, according to Reuters.

At the hearing Sebelius and other HHS spokesmen once again harped on the security of the data hub--the controversial centerpiece of the insurance exchange website--saying users' information is safe.

Although President Obama tapped one of his economic advisers and communications giant Verizon to start fixing the troubled site, the site isn't trouble-free yet. On Oct. 27, parts of the site were down due to a Verizon Terremark data center crash, and HHS scrambled to get it fixed quickly.

To learn more:
- see the memo, posted by Ars Technica
- read the Reuters article
