HHS officials questioned on HealthCare.gov security at hearing

Rep. Darrell Issa (R-Calif.) today continued his quest for answers on the security of HealthCare.gov before its launch this fall, at a Committee on Oversight & Government Reform meeting where he facilitated the questioning of three high-level staff members of the U.S. Department of Health & Human Services.

The subject of Thursday's hearing included subpoenaed contractor documents detailing early security gaps within HealthCare.gov, which Rep. Elijah Cummings (D-Md.), ranking member of the House Oversight & Government Reform Committee, accused committee chairman Issa of mishandling, NextGov reports. Cummings said he's worried that if the documents get into the wrong hands, they would be a "roadmap for hackers" into HealthCare.gov. Issa brushed off Cummings' worries as a "distraction" for him and other Republican representatives looking into security for HealthCare.gov.

At the hearing, Kevin Charest, chief information security officer for HHS, explained at length the governance in place to inform users of any possible security breach on HealthCare.gov, which, he assured, has not had any successful hacking attempts yet.

Teresa Fryer, chief information security officer at the Centers for Medicare & Medicaid Services, faced questions on why she drafted a memo shortly before the launch of HealthCare.gov stating that it wasn't ready and that end-to-end security testing wasn't complete. Fryer said she never sent the memo because security testing ended up being complete before the launch.

Frank Baitman, chief information officer for HHS, also was questioned about the validity of security testing and safety of HealthCare.gov.

Democratic members present at the hearing compared potential breaches of HealthCare.gov to the recent Target and Neiman Marcus breaches, in which hackers stole millions of individual credit card numbers, phone numbers, and email and mailing addresses.

"The difference between Target and HealthCare.gov is we don't have to put our credit card in the machine at Target," Issa said. "We do not have the choice to do that here."

Rep. Jackie Speier (D-Calif.) asked Fryer if she could say with certainty that testing was completed in a stable environment before the launch, to which Fryer responded yes.

"Do you have any reason to believe this info is not secure based on testing?" Speier asked, to which Fryer and Charest answered no.

"So this is like giving the system a clean bill of health, knowing full well that companies like Target and Neiman Marcus get hacked, knowing that it could be hacked, but at this point in time, we can say the system is not subject to being breached," Speier said.

Fryer said there is always risk of a breach, but testing results were good. Speier also pointed out that the government handles Medicaid and the Children's Health Insurance Program (CHIP), which have not faced any major breaches.

"There are always vulnerabilities, there's always some level of risk," Charest said. "And I agree, no site is perfect and we need to be vigilant. That's why we have layers of security. There are constant attempts."

Last week, the House of Representatives passed a bill to bolster security for HealthCare.gov, requiring the government to alert users of data breaches involving their personal information entered into the site within two days of any incident. The bill, H.R. 3811, passed by a vote of 291-122; it aims to protect patients entering their personal data into the exchanges when signing up for healthcare, according to its sponsors.

Rep. Joe Pitts (R-Pa.) said this week that the legislation is necessary because of a clear "lack of proper security measures and thorough testing" of HealthCare.gov before it was launched, referring to the government memorandum, revealed in October and signed off on by CMS Administrator Marilyn Tavenner, which showed that she allowed HealthCare.gov to launch without final security testing.
