PJ Media

'I Would Say the Website Is Either Hacked Already or Will Be Soon'

WASHINGTON – House Republicans continue to pummel the Obama administration for failing to anticipate the glitches that have dogged HealthCare.gov since its rollout and for potential security issues on the website.

A House Energy and Commerce Subcommittee held a hearing Tuesday to look at some of the security issues on HealthCare.gov, the new federal health insurance marketplace.

Lawmakers from both parties agree that there are serious concerns about the website.

“The exchanges need to be fixed, and they need to be fixed fast,” Rep. Diana DeGette (D-Colo.) said.

She said, however, her fear was that the hearing was less about the facts and more about “political points and undermining the ACA.”

“We should not create smoke if there’s no fire,” she added.

She and other Democrats on the panel complained that their Republican colleagues handed over new documents about the botched rollout to the press before giving them to Democrats.

“We have, clearly, a violation of the practices and traditions in history of this committee,” said Rep. John Dingell (D-Mich.), the longest-serving member of Congress. “I speak as a member who’s done more investigations than anybody in this room, including probably more than all of them put together.”

The Washington Post, which received the document from the House Energy and Commerce Committee, reported the White House and Health and Human Services officials were warned earlier this year in a report by McKinsey & Co, a private consulting group, about the significant problems with the website.

Rep. Joe Barton (R-Texas), who compared the complaints to a scene from the movie Casablanca, said he found them amusing.

“It is interesting and amusing that the past master of running this committee, Mr. Dingell, would be shocked, shocked and amazed that something was given to the Washington Post yesterday,” he said. “Now I’m not saying that it was, I don’t know, but if it did happen it wouldn’t be the first time in this committee’s history that documents were given to the press at the same time they were distributed” to other members of the committee.

Deputy Chief Information Officer of the Centers for Medicare and Medicaid Services (CMS) Henry Chao said that even though he was in charge of the website oversight for CMS, he never saw the final report.

“I knew that McKinsey had been brought in to conduct some interviews and assessments and report to our administrator,” he said. “But I was not given the final report.”

Top administration officials, including HHS Secretary Kathleen Sebelius and then-Acting CMS administrator Marilyn Tavenner, attended briefings on the report in late March and early April. White House Technology Officer Todd Park, Obama health policy adviser Jeanne Lambrew, and then-White House Deputy Chief of Staff Mark Childress were also briefed on the McKinsey analysis around the same time.

The report foreshadowed many of the issues that have plagued the website since its rollout. It also warned that the federal government largely depended on contractors to construct the online marketplace and that it lacked an “end-to-end operational” view of the system to ensure that its different components worked well together.

Chao said a significant portion of the website – 30 to 40 percent of it – has yet to be constructed. The consumer part of the website, including account registration, and enrollment functions will not be affected by the ongoing site construction effort, he said.

“That 30 percent represents the payment aspects and the accounting aspects of making payments in the marketplaces, for all marketplaces, not just federally facilitated marketplaces,” Chao said. “And that functionality has to be in place for the January 1 effective date enrollments.”

The unfinished part of the website includes portions responsible for paying out consumers’ tax subsidies directly to insurance companies.

Chao said Americans should not worry about the security of their personal information on the website, citing his agency’s experience overseeing Medicare, Medicaid, and the Children’s Health Insurance Program.

“Because of CMS’s experience running trusted secure programs, our fulfillment of federal security standards and constant and routine security monitoring and testing, the American people can be confident in the privacy and security of the marketplace,” he said.

But at a separate hearing Tuesday, David Kennedy, CEO of information security firm TrustedSec, warned the House Science, Space, and Technology Committee that there are critical flaws and exposures on the website “that hackers could use to extract sensitive information.”

“I would say the website is either hacked already or will be soon,” he said. “There’s not a lot of security built into the site.”

Kennedy, a prominent “white hat hacker,” has been hired by major companies to hack into their systems to test security flaws.

He demonstrated how hackers are trying to exploit the website’s vulnerabilities and security exposures to access personal information and even potentially hacking into the users’ computers.

“We can actually enable their webcam, monitor their webcam, listen to their microphone, steal passwords,” Kennedy explained, while running a demonstration of an actual hacking attack on the website. “Anything that they do on their computer we now have full access to.”

Though the website does not store medical records, it does integrate information from other websites and includes ecommerce information that could be targeted by hackers.

All of the tech experts testifying before the committee said they would not have launched the website on Oct. 1. Three of the four witnesses agreed that the Obama administration should take the site offline and fix the security flaws.

“There’s no doubt that compared to a private system that goes live, this system has more problems than you would expect to see,” said Avi Rubin, technical director of Johns Hopkins University’s Information Security Institute. “It’s actually the most far behind in terms of security.”

The tech experts told the committee that addressing the security concerns could take months, or even years, and that to do so might require taking down the website entirely. They all agreed the website would not be secured by Nov. 30 – the deadline by which the Obama administration has said the website will be working properly and “running smoothly for the vast majority of users.”

HealthCare.gov contains 500 million lines of code and sees about 500,000 unique visitors each day. In comparison, Facebook has nearly 30 million lines of code and the Microsoft Windows 8 operating system has an estimated 50 to 80 million. This would put the website among some of the most complex applications ever written.

“The massive amount of personal information collected by the HealthCare.gov website creates a tempting target for scam artists,” said Rep. Lamar Smith (R-Texas), chairman of the committee. “The Obama administration has a responsibility to ensure that the personal and financial data collected by the government is secure. Unfortunately, in their haste to launch the website, it appears the administration cut corners.”

After the hearing, Smith issued a statement calling on President Obama to take down the website in order to ensure the security and privacy of the personal data of Americans who have used the site.