Americans using the Obamacare website HealthCare.gov can be assured that the site has undergone numerous cybersecurity evaluations – and passed – but should know also that no website is 100-percent secure, cybersecurity experts testified today.
The Obama administration’s much-criticized new website for enrolling Americans in Obamacare meets federal cyber standards, they said. It also passed 18 “security control assessments,” six of those in the weeks just prior to its launch. Virtually all the “high risk” areas that were identified were fixed before the site went live, the experts responsible for HealthCare.gov security told a congressional subcommittee.
Even so, those assessments evaluated the website while its software system was still in development – not when its various pieces were fully assembled and the entire site was up and running, those experts noted. Additionally, about 30 percent of the site – the payment portion – will be completed only by next month and so its security has not yet been assessed as part of the overall system.
That uncertainty about the overall security of the live website was more than enough to cause Republicans on the Oversight and Investigations Subcommittee of the House Energy and Commerce Committee to express deep consternation during the hearing examining HealthCare.gov security.
“How can the public trust a hastily thrown together system in which meeting a deadline was more important for the administration than conducting complete end-to-end testing of the site’s security?” asked Rep. Fred Upton (R) of Michigan. “We’d like to know how the delays and rushed implementation have affected or complicated the ability to perform the security work for the website.”
Democrats on the committee, while expressing concern about the website performance overall, suggested that the hearing was mainly a partisan attempt to raise public fears about the website’s security – despite a lack of significant problems with it – in order to deflate public interest in the Affordable Care Act.
“I find it intolerable that this committee is running around fishing for trouble where none exists,” said Rep. John Dingell (D) of Michigan. “I have seen no evidence of any complaints or any evidence of misbehavior with regard to information that is controlled by the government.”
Henry Chao, deputy chief information officer at the Centers for Medicare and Medicaid Services (CMS), who was largely in charge of the website project management, testified under oath that the site had indeed been built as required to exacting federal cybersecurity standards.
While he acknowledged that the website’s overall rollout had seen major delays, he said its security was built to the same standards as CMS’s Medicaid and Medicare websites.
“CMS also protects the federal marketplace through intensive and stringent security testing,” he said. “While the federal marketplace has had some performance issues ... I want to be clear that we have conducted extensive security testing for the systems that went live on Oct. 1st. We continue to test for security on a daily and a weekly basis and any new functions or code prior to its launch.
“Consumers should feel confident in trusting [the HealthCare.gov site] with their personal information,” he said.
Several Republicans, however, questioned whether due diligence had been done, asking representatives of three cybersecurity providers that had contracts to secure the website how they could be sure the site is secure.
“If you design a part for a car, and you know your part’s working, would you like to know if the cars work?” asked Rep. Tim Murphy (R) of Pennsylvania. Each of the three said they would – but did not know the big picture, only their part of the pie, which they said was secure.
Rep. Diana DeGette (D) of Colorado noted that the contracts of each security provider present stipulated that they check for specific areas of the whole – and did not request an “end-to-end” check because it would not have been possible until the site was complete anyway.
“So your job was to assess risk with different components of HealthCare.gov, to work with CMS, address those concerns and report on the findings and the results. Is that correct?” she asked.
“Yes,” replied Jason Providakes, an official representing Mitre Corporation, which conducted the 18 security evaluations. “Almost all” of the high risks identified by Mitre were eliminated by CMS before the website went live, he said.
“What’s your personal view of the overall safety and security of the HealthCare.gov site?” Ms. DeGette asked.
“It’s my personal perspective,” Mr. Providakes said, “They [CMS] do a very solid job in terms of securing their systems, historically.”
Congressman Murphy, who conducted the hearing, as well as other Republican members of the committee, repeatedly sought to tie the security questions to an internal “red team” management study of the website’s development conducted earlier this spring. The study had found a number of problems in the site’s development at that time – but apparently little specifically concerning security.
“Have there been any attempts ... to hack into the system that you can tell?” Murphy asked David Amsler, president and chief information officer of Foreground Security, Inc., whose company monitors the site for cyberattacks.
“Congressman, the simple answer is ‘yes,’ ” Mr. Amsler replied. “The longer answer is: I don’t have an environment [in any of the systems his company monitors] where it’s not being attacked today.”
“Is this system now, are you saying that it’s fully secure from external hackers trying to get in?” Murphy responded.
“We live in a world of not if, but more when – that’s the nature of the world we live in today,” Amsler responded. “So I can never give you a guarantee that someone’s not going to get in. It’s probably going to happen at some point. But we have designed it to limit the damage and identify it as quick as possible.”
“So we cannot sign off at this point and say this system is fully secure?” Murphy asked. “It’s an ongoing process, you’re saying?”
“It’s always an ongoing process,” Amsler said. “Today I feel comfortable about the capabilities we have put in place. But I’m always striving for more.”
Maggie Bauer, senior vice president for Creative Computing Solutions, which along with Amsler’s company provides much of the site security, agreed.
“From our perspective, right now today, the system is secure,” she said. “We are confident.”
“What I’m hearing from you is nobody can give a 100 percent guarantee that this website is secure with regard to the data it has, the personally identifiable information,” Murphy said in his follow-up. “As people put those things in, nobody can guarantee that some hacker isn’t going to try and get into it and that they will continue to try and probe until they get through. Is that what you’re saying?”
“I also would say the same about Facebook or any banking website as well,” Amsler responded. “It’s just an unfortunate part of the world we live in today.”