Obama administration may have broken federal data-security laws to launch on Oct. 1
LAS VEGAS — It’s official: Any personal data you give to the State of Nevada’s Obamacare website may be at risk from potential hackers and other security problems.
As Associated Press reporter Sandra Chereb reported in September, the state exchange website — “Nevada Health Link” — must synchronize your input with Obamacare’s federal “hub,” to access your personal data at the Internal Revenue Service, Social Security Administration and U.S. Department of Homeland Security.
Earlier today, however, AP reported that an “internal government memo” it had obtained revealed that administration officials were concerned that inadequate testing posed a “‘high’ security risk for President Barack Obama's new health insurance website.”
Later in the day, CNN provided such a memo, which was internal to the Centers for Medicare and Medicaid Services (CMS). “Due to system readiness issues, the SCA (security control assessment) was only partly completed,” it said. “This constitutes a risk that must be accepted and mitigated to support the Marketplace Day 1 operations.”
The memo goes on to explain that CMS would create a “dedicated security team” to monitor the risk, conduct weekly scans and, within 60 to 90 days after the website went live, “conduct a full-scale SCA test.”
CMS administrator Marylin Tavenner had promised Congress in July that she would protect “the security and privacy of the consumers participating in” Obamacare by “applying all the appropriate laws, regulations, and business agreements.”
On Sept. 11, 2013, the administration’s Chief Technology Officer, Todd Park, publicly announced that “after over two years of work, [healthcare.gov] is built and ready for operation, and we have completed security testing and certification to operate.”
Today, however, the AP report revealed that a Sept. 27 Obama administration memo to Tavenner — over two weeks after Park’s public announcement — warned that a website contractor had been unable “to test all the security controls in one complete version of the system.”
The memo said that insufficient testing meant “a level of uncertainty that can be deemed as a high risk.”
Yesterday, the 11 Republican members of the U.S. Senate’s Finance Committee released a letter to Health and Human Services Secretary Kathleen Sebelius seeking to learn whether the federal Obamacare website “met all Federal privacy and security standards before going live on October 1 …”
The letter raised the specter of numerous federal laws that the Obama administration may have broken in its attempt to finally meet the Oct. 1 deadline after three years:
It is our understanding that each Centers for Medicare & Medicaid Services (CMS) system is required by law to obtain an Authority to Operate (ATO) certification that attests the system has met all testing requirements before it is placed into operation. CMS’ own internal procedures require that “. . . security controls be operational, effective, managed, and continuously monitored. Controls must meet mandatory requirements, as defined in the current CMS Information Security Acceptable Risk Safeguards (ARS) CMS Minimum Security Requirements (CMSR).” Additionally, as the head of the Department of Health and Human Services (HHS), you are responsible for ensuring that your agency’s information systems, including the website, fully comply with security requirements imposed by the Federal Information Security Management Act of 2002 (FISMA). The website must also comply with the Office of Management and Budget’s (OMB) implementing policies including Appendix III of OMB circular A-130, and guidance and standards from the Department of Commerce’s National Institute of Standards and Technology.
The senators asked Sebelius to:
- Describe in detail the security testing that was completed on all aspects of the healthcare.gov website before October 1, 2013.
- Provide all timelines, dashboards or other tracking mechanisms developed to track the testing requirements.
- Inform them if CMS/HHS had granted a Privacy Act exemption by the Office of Management and Budget (OMB) for the website or any related applications.
- Inform them whether any other security testing exemptions had been granted for the website or any related applications by OMB.
- Inform them whether all testing completed met the standards set forth by the FISMA.
- Inform them whether a Privacy Impact Assessment (PIA) had been completed by CMS prior to the website going live.
The full letter — available at the Senate website of Utah Sen. Orrin Hatch — ends with a request to receive “all information by no later than December 3, 2013.”
CNN reported that Sebelius told that network, in an exclusive interview last week, “that Obama didn't know of the problems with the Affordable Care Act's website until after its troubled launch on October 1. This was despite the fact that insurance companies had been complaining and the site crashed during a prelaunch test run.”