Cybersecurity official: Health care website passed recent vulnerability tests


WASHINGTON — Cybersecurity concerns over President Barack Obama’s health care website have been cleared up through testing, a government security professional who initially had qualms about the system assured lawmakers Thursday.

But a congressional hearing featuring three senior technology experts from within the Health and Human Services Department also revealed a broader internal debate before the hapless launch of HealthCare.gov last fall.

One of the witnesses, HHS Chief Information Officer Frank Baitman, said he personally brought security issues to the attention of the department’s second-in-command, Bill Corr, as well as another senior official. It’s unclear what, if anything, Secretary Kathleen Sebelius and White House officials were told.

The maddening technical problems that frustrated consumers for weeks as they tried to sign up for health insurance would pale in comparison if a serious security breach compromised the names, Social Security numbers, incomes and other personal information of millions of Americans.

Republicans on the House Oversight and Government Reform Committee are trying to build a case that the administration recklessly ignored security concerns to meet a self-imposed Oct. 1 deadline for flipping the switch. The administration — and Democratic lawmakers — say all issues were addressed through special vigilance instituted just before the launch. While Republicans have raised questions, they have yet to find a smoking gun.

Officials told the committee no attempted attack by hackers has succeeded, although a shadowy group calling itself “Destroy Obamacare” has tried. There have been 13 known inadvertent exposures or disclosures of information.

The root of the controversy is that the health care site did not get full security testing, as is the usual practice with federal systems before they are put into use. The technology was getting constant tweaks that precluded a final assessment. It also was prone to crashing.

However, Medicare’s top cybersecurity official testified Thursday that the revamped website passed full security tests Dec. 18, easing her earlier concerns about vulnerabilities. Teresa Fryer, chief information security officer at the Centers for Medicare and Medicaid Services, had initially balked at the site going live.

She said Thursday she would now recommend full operational and security certification for the site, which currently has what amounts to a six-month permit. The Medicare agency is responsible for expanding coverage to the uninsured under the health care law.

Shortly before the launch, Fryer had told other top officials that she could not recommend going ahead because security testing had not been completed.

She drafted a formal memo expressing her concerns, but never sent it, partly because more senior officials had already determined to proceed with additional safeguards to address potential risks. “There is also no confidence that personal identifiable information will be protected,” she said in her unsent memo.

The formal go-ahead to operate the system was signed Sep. 27 by Medicare chief Marilyn Tavenner, who usually does not adjudicate technology disputes.

Testing since then seems to have settled the internal debate.

“The testing was successfully completed. It had good results,” Fryer told the committee. She agreed with a suggestion by Rep. Jackie Speier, D-Calif., that healthcare.gov now has “a clean bill of health.”