海角大神

Is HealthCare.gov secure? In Congress, cyber-experts vouch for Obamacare site.

Despite the cyber-experts' assurances on Obamacare's HealthCare.gov site, their assessments were done before it was up and running, leaving a level of uncertainty that brought vigorous questioning.

Brian Snyder/Reuters
Liz Carlson (l.), a self-employed student, gets help from Eireann Aspell at a health care enrollment fair in Portsmouth, New Hampshire, Nov. 9.

Americans using the Obamacare website HealthCare.gov can be assured that the site has undergone numerous cybersecurity evaluations – and passed – but should know also that no website is 100-percent secure, cybersecurity experts testified today.

The Obama administration’s much-criticized new website for enrolling Americans in Obamacare meets federal cyber standards, they said. It also passed 18 “security control assessments,” six of those in the weeks just prior to its launch. Virtually all the “high risk” areas that were identified were fixed before the site went live, the experts responsible for HealthCare.gov security told a congressional subcommittee.

Even so, those assessments evaluated the website while its software system was still in development – not when its various pieces were fully assembled and the entire site was up and running, those experts noted. Additionally, about 30 percent of the site – the payment portion – will be completed only by next month and so its security has not yet been assessed as part of the overall system.

That uncertainty about the overall security of the live website was more than enough to cause Republicans on the Oversight and Investigations Subcommittee of the House Energy and Commerce Committee to express deep consternation during the hearing examining HealthCare.gov security.

“How can the public trust a hastily thrown together system in which meeting a deadline was more important for the administration than conducting complete end-to-end testing of the site’s security,” asked Rep. Fred Upton (R) of Michigan. “We’d like to know how the delays and rushed implementation have affected or complicated the ability to perform the security work for the website.”

Democrats on the committee, while expressing concern about the website performance overall, suggested that the hearing was mainly a partisan attempt to raise public fears about the website’s security – despite a lack of significant problems with it – in order to deflate public interest in the Affordable Care Act.

“I find it intolerable that this committee is running around fishing for trouble where none exists,” said Rep. John Dingell (D) of Michigan. “I have seen no evidence of any complaints or any evidence of misbehavior with regard to information that is controlled by the government.”

Henry Chao, deputy chief information officer at the Centers for Medicare and Medicaid Services (CMS), who was largely in charge of the website project management, testified under oath that the site had indeed been built as required to exacting federal cybersecurity standards.

While admitting the website’s overall performance had seen major delays, the website’s security was built to the same standards as CMS’s Medicaid and Medicare websites, he said.

“CMS also protects the federal marketplace through intensive and stringent security testing,” he said. “While the federal marketplace has had some performance issues ... I want to be clear that we have conducted extensive security testing for the systems that went live on Oct. 1st. We continue to test for security on a daily and a weekly basis and any new functions or code prior to its launch.

“Consumers should feel confident in trusting [the HealthCare.gov site] with their personal information,” he said.

Several Republicans, however, questioned whether due diligence had been done, asking representatives of three cybersecurity providers that had contracts to secure the website how they could be sure the site is secure.

“If you design a part for a car, and you know your part’s working, would you like to know if the cars work?” asked Rep. Tim Murphy (R) of Pennsylvania. Each of the three said they would – but did not know the big picture, only their part of the pie, which they said was secure.

Rep. Diana DeGette (D) of Colorado noted that the contracts of each security provider present stipulated that they check for specific areas of the whole – and did not request an “end-to-end” check because it would not have been possible until the site was complete anyway.

“So your job was to assess risk with different components of HealthCare.gov, to work with CMS, address those concerns and report on the findings and the results. Is that correct?” she asked.

“Yes,” replied Jason Providakes, an official representing Mitre Corporation, which conducted the 18 security evaluations. “Almost all” of the high risks identified by Mitre were eliminated by CMS before the website went live, he said.

“What’s your personal view of the overall safety and security of the HealthCare.gov site?” Ms. DeGette asked.

“It’s my personal perspective,” Mr. Providakes said, “They [CMS] do a very solid job in terms of securing their systems, historically.”

Congressman Murphy, who conducted the hearing, as well as other Republican members of the committee, repeatedly sought to link an internal “red team” management study conducted of website development earlier this spring. The study had found a number of problems in the site’s development at that time – but apparently little specifically concerning security problems.

“Have there been any attempts ... to hack into the system that you can tell?” Murphy asked David Amsler, president and chief information officer of Foreground Security, Inc., whose company monitors the site for cyberattacks.

“Congressman, the simple answer is ‘yes,’ ” Mr. Amsler replied. “The longer answer is: I don’t have an environment [in any of the systems his company monitors] where it’s not being attacked today.”

“Is this system now, are you saying that it’s fully secure from external hackers trying to get in?” Murphy responded.

“We live in a world of not if, but more when – that’s the nature of the world we live in today,” Amsler responded. “So I can never give you a guarantee that someone’s not going to get in. It’s probably going to happen at some point. But we have designed it to limit the damage and identify it as quick as possible.”

“So we cannot sign off at this point and say this system is fully secure,” Murphy asked, “It’s an ongoing process you’re saying?”

“It’s always an ongoing process,” Amsler said. “Today I feel comfortable about the capabilities we have put in place. But I’m always striving for more.”

Maggie Bauer, senior vice president for Creative Computing Solutions, which along with Amsler’s company provides much of the site security, agreed.

“From our perspective, right now today, the system is secure,” she said. “We are confident.”

“What I’m hearing from you is nobody can give a 100 percent guarantee that this website is secure with regard to the data it has, the personally identifiable information,” Murphy said in his follow-up. “As people put those things in, nobody can guarantee that some hacker isn’t going to try and get into it and that they will continue to try and probe until they get through. Is that what you’re saying?”

“I also would say the same about Facebook or any banking website as well,” Amsler responded. “It’s just an unfortunate part of the world we live in today.”
