Documents provided to the House Committee on Government Oversight and Reform reveal that the Obama administration knew of security vulnerabilities within Healthcare.gov prior to Oct. 1, but launched the website anyway.
Chairman Darrell Issa (R., Calif.) said Health and Human Services (HHS) officials showed a “disturbing lack of judgment” by going ahead with the site’s launch and putting Americans’ personal information at risk.
Results of a security assessment conducted by a contractor on the site, MITRE Corporation, found that 19 security vulnerabilities remained unaddressed on Oct. 1.
Eleven of the 19 vulnerabilities “significantly impact the confidentiality, integrity and/or availability of the system data,” MITRE said.
“The American people have a right to know the risks they face on Healthcare.gov when they submit personal information such as their Social Security number and income,” Issa wrote in a letter to HHS Secretary Kathleen Sebelius on Wednesday. “The full context of MITRE’s assessment, which the department had in its possession prior to the Oct. 1 launch date, shows that [the Center for Medicare and Medicaid Services] and HHS knew that Healthcare.gov was vulnerable, yet your statements have not given the American people a fair and accurate assessment of known risks.”
Issa said he is withholding details of the documents that could be used by hackers to gain insight into compromising Healthcare.gov.
He did disclose details from the assessment that revealed one security finding summary that said, “any malicious user having knowledge of this can perform unauthorized functions.”
“The attacker is able to see and edit [personally identifiable information] PII of the victim,” the assessment also said.
Furthermore, the full extent of security weaknesses is unknown because the website was not completely built when it launched. MITRE was “forced to omit significant portions” of the security assessment of Healthcare.gov “due to software still being developed.” HHS said 30 to 40 percent of the website had yet to be built in November.
“MITRE was unable to adequately test the confidentiality and integrity of the [health insurance exchange] HIX system in full,” a summary of the assessment said. “The majority of the MITRE’s testing efforts were focused on testing the expected functionality of the application.
“Complete end to end testing of the HIX application never occurred,” it said.
“These documents show a disturbing lack of judgment by HHS officials, who decided to go forward with the launch of Healthcare.gov despite warnings of security vulnerabilities that placed sensitive information of website users at risk,” Issa said.
HHS has also backed away from a meeting proposed by the White House between Chairman Issa and Secretary Sebelius.
The White House said Sebelius requested a meeting between herself and the chairman after his committee obtained the sensitive documents detailing the security assessment on Dec. 13.
The committee was not made aware of the proposed meeting until a letter from the White House dated Dec. 15. However, Counsel to the President Kathryn Ruemmler said in the letter, “I understand that the secretary’s invitation was refused.”
“Contrary to the assertion made by the White House, neither I nor anyone on my staff has expressed an unwillingness to meet with you for a discussion about both the ongoing security vulnerabilities noted in the MITRE documents as well as the rationale for proceeding on Oct. 1,” Issa said in his letter to Sebelius on Dec. 17. “Indeed, my staff repeatedly has told your staff that it would welcome a page by page discussion of the MITRE documents and any concerns about the public release of any information once the documents were properly and fully produced to the committee.”
Issa changed his schedule to arrange a meeting this week.
“While I was scheduled to be in my congressional district office this week I am willing and prepared to meet with you in my Washington office either today, or tomorrow, Wednesday, Dec. 18, to discuss both of our concerns,” Issa said,
In response to Issa on Wednesday, HHS did not mention meeting with Sebelius, only that the agency was “prepared to make cyber security experts available to brief the committee on the security risks and mitigation steps discussed in the MITRE documents at [Issa’s] convenience.”
“Chairman Issa is disappointed that HHS has apparently reneged on the White House’s offer to make Secretary Sebelius available to discuss concerns about HealthCare.gov security,” a committee spokesperson said. “It’s difficult to have a serious dialogue when the other party walks back an offer after we’ve said yes.”
Experts have warned Americans to stay away from Healthcare.gov because it lacks fundamental security safeguards. According to “white hat hacker” David Kennedy, the website is constantly under attack. In fact, the most popular searches on Healthcare.gov were hack attempts in the beginning days of the launch.
HHS said thus far there have been no “successful” security attacks on the website, in its response on Wednesday.