Healthcare.gov testing eases fears, official says

WASHINGTON - Cybersecurity concerns about President Barack Obama’s health-care website have been cleared up through testing, a government security professional who initially had qualms about the system assured lawmakers Thursday.

But a congressional hearing featuring three senior technology experts from within the Health and Human Services Department also revealed a broader internal debate before the hapless launch of healthcare.gov in the fall.

Also Thursday, the House backed a bill that would require the Obama administration to report weekly on how many Americans have signed up for health-care coverage as Republicans maintain an election-year spotlight on the troubled law.

One of the witnesses in the congressional hearing, Health and Human Services Department Chief Information Officer Frank Baitman, said he personally brought security issues to the attention of the department’s second-in-command, Bill Corr, as well as another senior official. It’s unclear what, if anything, Secretary Kathleen Sebelius and White House officials were told.

The maddening technical problems that frustrated consumers for weeks as they tried to sign up for health insurance would pale in comparison if a serious security breach compromised the names, Social Security numbers, incomes and other personal information of millions of Americans.

Republicans on the House Oversight and Government Reform Committee are trying to build a case that the administration recklessly ignored security concerns to meet a self-imposed Oct. 1 deadline for flipping the switch. The administration - and Democratic lawmakers - say all issues were addressed through special vigilance instituted just before the launch. While Republicans have raised questions, they have yet to find a smoking gun.

Officials told the committee no attempted attack by hackers has succeeded, although a shadowy group calling itself “Destroy Obamacare” has tried. There have been 13 known inadvertent exposures or disclosures of information.

The root of the controversy is that the health-care site did not get full security testing, as is the usual practice with federal systems before they are put into use. The technology was getting constant tweaks that precluded a final assessment. It also was prone to crashing.

However, Medicare’s top cybersecurity official testified Thursday that the revamped website passed full security tests Dec. 18, easing her earlier concerns about vulnerabilities. Teresa Fryer, chief information security officer at the Centers for Medicare and Medicaid Services, had initially balked at the site going live.

She said Thursday that she would now recommend full operational and security certification for the site, which currently has what amounts to a six-month permit. The Centers for Medicare and Medicaid Services is responsible for expanding coverage to the uninsured under the health-care law.

Shortly before the launch, Fryer had told other top officials that she could not recommend going ahead because security testing had not been completed.

She drafted a formal memorandum expressing her concerns but never sent it, partly because more senior officials had already determined to proceed with additional safeguards to address potential risks. “There is also no confidence that personal identifiable information will be protected,” she said in her unsent memorandum.

The formal go-ahead to operate the system was signed Sept. 27 by Medicare chief Marilyn Tavenner, who usually does not adjudicate technology disputes.

Testing since then seems to have settled the internal debate.

“The testing was successfully completed. It had good results,” Fryer told the committee. She agreed with a suggestion by Rep. Jackie Speier, D-Calif., that healthcare.gov now has “a clean bill of health.”

But Republicans sought to turn the focus to the administration’s decision to launch before testing was complete.

Baitman, the Health and Human Services Department’s chief information officer, testified that he relayed the concerns of Fryer and others to senior levels of the department, telling second-in-command Corr and Assistant Secretary for Administration E.J. “Ned” Holland.

Baitman said he was not personally convinced the security worries were a “red flag.” While Baitman testified that he made no operational recommendations, he said in response to questioning from lawmakers that phasing in big, complicated technology projects is usually more manageable.

Chairman Darrell Issa, R-Calif., investigating the chaotic rollout of the website, contends the administration risked Americans’ personal information to avoid postponing the president’s signature program. “It seems to defy common sense that a website plagued with functional problems was in fact perfectly secure,” said Issa.

The panel’s senior Democrat, Rep. Elijah Cummings of Maryland, said Republicans are “cherry-picking partial information to promote a political narrative that is inaccurate.”

Cummings says it is Republicans who are risking the privacy of average citizens by demanding detailed blueprints that, if leaked, would become a road map for hackers.

With the health-care law remaining a polarizing issue in the midterm congressional elections, both political parties are at battle stations.

In a private deposition before the hearing, top Health and Human Services Department cybersecurity officer Kevin Charest said he, too, was concerned about potential vulnerabilities ahead of the launch. But he told congressional investigators he was unable to get answers to his questions from others inside the department. He concluded that the testing of the site was substandard.

“I would say that it didn’t follow best practices,” Charest said in a Jan. 8 deposition.

REPORT BILL PASSES

The House vote on the sign-up reports was 259-154, with 33 Democrats breaking ranks and joining the GOP majority in supporting the legislation. The four representatives from Arkansas all voted for the measure.

The bill would require the administration to report weekly on the number of visits to the government healthcare website, the number of Americans who applied and the number of enrollees by ZIP code, as well as other statistics. It stands no chance in the Democratic-led Senate.

The administration has reported monthly on enrollment, announcing last week that 2.2 million signed up through the end of December and nearly 4 million had been deemed eligible for Medicaid.

Those reports are insufficient, Republicans argued.

“We know the president’s health-care law is driving up costs for middle-class families, making it harder for small businesses to hire, and hurting the economy - but there’s still a lot we don’t know,” said House Speaker John Boehner, R-Ohio, contending that the administration “hasn’t provided a clear picture of where enrollment stands.”

Democrats countered that the Republicans were adding onerous requests and disrupting administration efforts to sign up millions of Americans for health-care coverage.

“This is just an attempt to pile on so many requirements on the administration,” said Rep. Frank Pallone, D-N.J., who pointed to recent administration reports. He said the data disclosed are consistent with what the government releases monthly on Medicare.

Republicans who steadfastly opposed the law have led the charge in the House, which voted more than 40 times last year to repeal, replace or undo parts of the law. The GOP campaigned last year on a promise to repeal and replace the law, but the party hasn’t offered an alternative.

Boehner said Republicans will hold their annual retreat in another week and a half, and health care is on the agenda.

“I think you’ll see Republicans come forward with a plan to replace ‘Obamacare,’ a plan that will actually reduce costs for the American people and make health insurance more accessible,” Boehner said at a news conference.

Information for this article was contributed by Donna Cassata of The Associated Press.

Front Section, Pages 1 on 01/17/2014
