Midway through Tuesday’s testimony Health and Human Services Secretary Kathleen Sebelius was grilled by Republican lawmakers over concerns that the faulty website does not have adequate security or privacy protections.
Rep. Mike Rogers (R., Mich.) quoted a Sept. 27 report addressed to Centers for Medicare and Medicaid Services Administrator Marilyn Tavenner that read in part, “the security contractor has not been able to test all of the security controls in one complete version of the system. […] Due to system readiness issues the security and control assessment was only partly completed […] this constitutes a risk that must be accepted before the marketplace day one operations.”
“You accepted a risk on behalf of every user of this computer, that put their personal financial information at risk because you did not even have the most basic end-to-end test on security of this system,” Rogers said to Sebelius. “This is completely an unacceptable level of security.”
Of concern is the practice of “hot swapping” codes in order to improve functionality of the website, a practice that Sebelius said occurs “periodically during the hours of one and five,” but not nightly as Rogers suggested.
Hot swapping is to “pull out a component from a system and plug in a new one while the main power is still on.”
The security risk in that comes from the fact the new codes are continuously being added to Healthcare.gov. If each new code is untested, the quantity and frequency of them exposes the system to numerous risks.
“Has each piece of that code that has been introduced in the system been security tested?” Rogers asked.
Sebelius said she did not know if each piece had been tested, but “security is an ongoing operation that as code is loaded you need to retest.”
When asked if an end-to-end security test had been preformed since the Oct.1 launch of Healthcare.gov, Sebelius said continuous testing was occurring, but she was not sure what kind and would get that information for the committee.
Sebelius declined Roger’s request “to shutdown the system” in order to allow it to undergo end-to-end testing, saying that “daily, weekly” testing and scans were going on.
“This document discusses mitigation and strategies for security that are ongoing and upgraded and an authorization to operate on a permanent basis will not be signed until these mitigation strategies are satisfied,” Sebelius said. “It is underway right now, but daily, weekly monitoring and testing is underway.”
Rogers, who is the chairman of the House Intelligence Committee, said that the website was not secure enough to protect individuals private information.
Sebelius faced questions about an additional privacy concern pertaining to a non-public source code, which was first reported by the Weekly Standard.
The code includes language that says users have “no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system,” and that any information can be used by the government for lawful purposes.
“It is my understanding that that is boilerplate language that should not have been in this particular contract because there are — the highest security standards in place and people have every right to expect privacy,” Sebelius said to Rep. Joe Barton (R., Texas).
Sebelius assured Barton that the language would be removed saying, “we have had those discussions with CGI [Federal] and it is underway. I do absolutely commit to protecting the privacy of the American public and we have asked them to remove that statement.”