Rep. Mike Rogers (R-MI) tore into HHS Secretary Kathleen Sebelius for putting millions of Americans’ personal data at risk via Healthcare.gov’s lack of end-to-end security testing prior to its launch.
Rogers detailed Healthcare.gov’s security problems: “So let me tell you what you did. You allowed the system to go forward with no encryption on back-up systems. They had no encryption on certain boundary crossings. You accepted a risk on behalf of every user of this computer that put their personal financial information at risk because you did not even have the most basic end-to-end test on security of this system. Amazon would never do this. Proflowers would never do this. Kayak would never do this. This is completely an unacceptable level of security, and here’s the scary part, we found out after the contractors last week that an end-to-end test hadn’t been conducted on security, not functionality, because if it’s not functioning, you know it’s not secure. Your ongoing hot patches without end-to-end tests. The private contractors told us it would take a very thorough two months just for an integrated end-to-end security test, which hasn’t happened, because you’re constantly adding new code every night to protect the functionality of the system. You have exposed millions of Americans because you all, according to your memo, believed it was an acceptable risk. Don’t you think you had the obligation to tell the American people that we’re going to put you in this system, but beware, your information is likely to be vulnerable?”
Rogers asked Sebelius to shut Healthcare.gov down until its security issues could be addressed, but she refused.
UPDATE: The AP reports that it has obtained an internal government document detailing concerns over the lack of security testing with Healthcare.gov.
The Sept. 27 memo to Medicare chief Marilyn Tavenner said a website contractor wasn’t able to test all the security controls in one complete version of the system.
Insufficient testing “exposed a level of uncertainty that can be deemed as a high risk,” the memo said.
The memo recommended setting up a security team to address risks, conducting daily tests, and performing a full security test within two to three months of going live.
At a congressional hearing, Health and Human Services Secretary Kathleen Sebelius said the site’s security certification is temporary, but asserted consumers’ personal information is secure.
Clearly, that was not accurate.