New security issues surface for health website
Friday - 11/1/2013, 11:42am EDT
WASHINGTON (AP) -- President Barack Obama claimed "full responsibility" Wednesday for fixing his administration's much-maligned health insurance website as a new concern surfaced: a government memo pointing to security worries, laid out just days before the launch.
On Capitol Hill, Health and Human Services Secretary Kathleen Sebelius apologized to frustrated people trying to sign up, declaring that she is accountable for the failures but also defending the historic health care overhaul. The website sign-up problems will be fixed by Nov. 30, she said, and the gaining of health insurance will make a positive difference in the lives of millions of Americans.
Obama underscored the administration's unhappiness with the problems so far: "There's no excuse for it," he said during a Boston speech to promote his signature domestic policy achievement. "And I take full responsibility for making sure it gets fixed ASAP."
The website HealthCare.gov was still experiencing outages as Sebelius faced a new range of questions at the House Energy and Commerce Committee about a security memo from her department. It revealed that the troubled website was granted a temporary security certificate on Sept. 27, just four days before it went live on Oct. 1.
The memo, obtained by The Associated Press, said incomplete testing created uncertainties that posed a potentially high security risk for the website. It called for a six-month "mitigation" program, including ongoing monitoring and testing.
Security issues raise major new concerns on top of the long list of technical problems the administration is grappling with.
"You accepted a risk on behalf of every user ... that put their personal financial information at risk," Rep. Mike Rogers, R-Mich., told Sebelius, citing the memo. "Amazon would never do this. ProFlowers would never do this. Kayak would never do this. This is completely an unacceptable level of security."
Sebelius countered that the system is secure, even though the site's certificate, known in government parlance as an "authority to operate," is of a temporary nature. A permanent certificate will be issued only when all security issues are addressed, she stressed.
Spokeswoman Joanne Peters added separately: "When consumers fill out their online ... applications, they can trust that the information they're providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure. Security testing happens on an ongoing basis using industry best practices."
The security certificate is required under longstanding federal policy before any government computer system can process, store or transmit agency data. The temporary certificate was approved by Medicare chief Marilyn Tavenner, the senior HHS official closest to the rollout. No major security breaches have been reported.
The memo said, "From a security perspective, the aspects of the system that were not tested due to the ongoing development, exposed a level of uncertainty that can be deemed as a high risk for the (federal marketplace website)."
It recommended setting up a security team to address risks and conduct daily tests, and said a full security test should be conducted within two to three months of the website going live.
A separate page stated that "the mitigation plan does not reduce the risk to the (website) itself going into operation on October 1, 2013. However, the added protections do reduce the risk to the overall Marketplace operations and will ensure that the ... system is completely tested within the next 6 months."
That page was signed by three senior technical officials below Tavenner at the Centers for Medicare and Medicaid Services. All the officials deal with information security issues.
Republicans opposed to Obama's health care law are calling for Sebelius to resign. She apologized to people having trouble signing up but told the committee that the technical issues that led to frozen screens and error messages are being cleared up on a daily basis.
Sebelius' forthright statement about her ultimate accountability for problems with the sign-up rollout came as Rep. Marsha Blackburn, R-Tenn., peppered her with questions about the "debacle."
"Hold me accountable for the debacle," Sebelius responded. "I'm responsible."
Rep. Henry Waxman of California, the ranking Democrat on the committee, scoffed at Republican "oversight" of a law they have repeatedly tried to repeal.
"I would urge my colleagues to stop hyperventilating," said Waxman. "The problems with HealthCare.gov are unfortunate and we should investigate them, but they will be fixed. And then every American will have, finally have, access to affordable health insurance."
The website HealthCare.gov was intended to be the online gateway to coverage for millions of uninsured Americans, as well as those who already purchase their policies individually. Many people in the latter group will have to get new insurance next year, because their policies do not meet the standards of the new law.