Critic of Healthcare.gov Security Now Says All Is A-OK

WASHINGTON – A government cybersecurity expert who initially criticized what she considered to be inadequate protections on the Obamacare website is now giving the system a clean bill of health.

Teresa Fryer, the chief information security officer for the Centers for Medicare & Medicaid Services, the agency charged with overseeing the site, told the House Oversight & Government Reform Committee on Thursday that recent tests revealed healthcare.gov has not bowed to any cyber assaults and that all appears safe.

“The protections that we have put in place have successfully prevented attacks,” Fryer said. “While no serious security professional will ever guarantee that any system is hack-proof, I am confident, based on the recent security controls assessment and additional security protections, that it is secure.”

"The testing was successfully completed,” she said. “It had good results.”

Fryer, in a memo written in September before the official October launch of healthcare.gov, asserted that the site failed to meet security standards and expressed doubt that the personal information entered by consumers in 36 states hoping to gain the information necessary to purchase health insurance would be properly protected.

She furthermore expressed doubt that the site, created as a marketplace for those looking to fulfill the requirements of the Affordable Care Act, was ready for public use.

That last fear proved prophetic – the tip-off of healthcare.gov proved disastrous, with consumers frequently unable to call up the site and take advantage of its services. Most of those shortcomings have been addressed and now Fryer is offering assurances that it is secure.

Fryer told the panel that security testing is ongoing and that thus far “the protections we have put in place have successfully prevented attacks.” Given that experience, she said she would recommend that the site be granted the authority to operate once the current authorization expires in March. Last September she recommended that the ATO – which was required to launch healthcare.gov -- not be signed, advice that wasn’t heeded by officials in the Department of Health and Human Services.

Regardless, committee Republicans, led by Rep. Darrell Issa (R-Calif.), the panel’s chairman, expressed doubt over the website’s security and raised questions regarding why it was allowed to launch in the first place when there was an issue about its vital protections.

Issa insisted that healthcare.gov remains “questionable in its security” and characterized potential vulnerabilities as “very serious” since the database contains reams of personal data.

Issa noted the problems encountered by Target, the Minnesota-based department store chain, which recently experienced a cyber-attack that resulted in the hacking of personal information for millions of consumers.

“The difference between Target and other companies who dealt with hackers is that we don't have to deliver that information -- we have the choice of paying cash, we have the choice of not registering,” Issa said. Meanwhile, the Affordable Care Act requires every American to obtain health insurance or face a fine, meaning contact with healthcare.gov is unavoidable for millions of consumers.

Issa and other committee Republicans also questioned why the Obama administration proceeded with the launch when so many questions about the site’s security – including the issues cited by Fryer – existed, jeopardizing the release of private information.

Fryer noted that her memo was never completed nor circulated because of fast-moving events. She said her concerns were eventually addressed satisfactorily. Another witness, Frank Baitman, the assistant secretary of information technology in the Department of Health and Human Services, told panel members that he was never convinced that a “red flag” had been raised over security concerns

Rep. Elijah Cummings (D-Md.), the ranking member, expressed frustration with GOP tactics, asserting that Issa was “cherry picking” information in an underhanded way to convince the public that concerns about the site’s security exist despite assurances from experts.

“Republicans are still obsessed with killing this law,” Cummings said. “After more than 40 votes in the House, they shut down the government in an unsuccessful attempt to defund the law. Now they have shifted to a new tactic — hot off the press — scaring people away from the healthcare.gov website.”