HealthCare.gov website security was at 'high risk' before launching

A government memorandum signed off on by Centers for Medicare & Medicaid Services administrator Marilyn Tavenner reveals that she allowed HealthCare.gov to launch without final security testing.

The memo, sent by two Department of Health and Human Services staffers working on the site to Tavenner on September 27, states that due to "system readiness issues," a security control assessment was only partly completed as of that date.

"This constitutes a risk that must be accepted and mitigated to support Marketplace Day 1 operations," the memo states. "As with all new systems ... there are inherent security risks with not having all code tested in a single environment."

Specifically, the memo recommended a security team, weekly server testing, daily scans and a full security assessment within 60 to 90 days of launch.

Reuters reports that HHS Secretary Kathleen Sebelius, contesting the memo, said Wednesday in her testimony before Congress that "steps to mitigate security concerns" on HealthCare.gov have been implemented since then.

The memo came up during Sebelius's testimony about technical problems that have plagued the website. Sebelius confirmed the main points of the memo, and said the plan to ensure security was underway.

Sebelius said that the site had a temporary "authority to operate" certificate for the Oct. 1 launch and that the agency would issue a permanent certificate once security concerns are alleviated and full testing has been completed, according to Reuters.

At the hearing Sebelius and other HHS spokesmen once again harped on the security of the data hub--the controversial centerpiece of the insurance exchange website--saying users' information is safe.

Although President Obama tapped one of his economic advisers and communications giant Verizon to start fixing the troubled site, the site isn't trouble-free yet. On Oct. 27, parts of the site were down due to a Verizon Terremark data center crash, and HHS scrambled to get it fixed quickly.

To learn more:
- see the memo, posted by Ars Technica
- read the Reuters article
