During a Thursday hearing before the House Oversight and Government Reform Committee, Marilyn Tavenner was quick to defend the data security practices of healthcare.gov, the infamous insurance website run through her agency, the Centers for Medicare and Medicaid Services. The CMS administrator noted that no one’s personal data has been compromised to date in any “malicious attack” on the site, such as the one that occurred in August.
Her statement was technically true, but so clearly calculated to deceive that it brought out the angry side of Chairman Darrell Issa, R-Calif.
“So if you just screw up and put the public’s information out there, it’s okay,” Issa asked sarcastically, “because it wasn’t a ‘malicious attack?’ ”
Tavenner had to concede the point. For when healthcare.gov was first launched, Issa said in the hearing, the site’s data security was so bad that users could easily obtain other users’ personal data by slightly altering their browser URL while logged in. Miraculously, few people figured this out or stumbled upon it accidentally before it was corrected. But there were at least 13 breaches of users’ personal information, and understandably, Tavenner did not want to utter the whole truth before the committee.
The jaw-dropping simplicity and scale of this security screw-up confirm the impression that the Obama administration was so hell-bent on launching the website by last year’s Oct. 1 deadline that it threw aside all reasonable precautions. And Tavenner’s casuistry in talking around the problem confirms another unflattering impression — that those defending and running this program will say or do anything to hide their mistakes, even if it brings them within inches of committing perjury.
Most of the front-end problems with healthcare.gov and its basic functionality were eventually resolved (at great expense) after the disastrous launch. Yet the Government Accountability Office, the federal government’s independent watchdog agency, states in a new report this week that many security problems with user data on the site persist.
Gregory Wilshusen, GAO’s director of information security, discussed his findings in Thursday’s hearing. Tavenner’s agency “did not fully or effectively implement key technical security controls to sufficiently safeguard the confidentiality, integrity, and availability of the federally facilitated marketplace and its information,” he said in his testimony.
Wilshusen’s report confirmed that the agency had failed to run important security tests on many of the system’s components before launching it. This was the main reason the agency’s Chief Information Security Officer — Teresa Fryer, who is now a whistleblower — refused to sign off on the site ahead of its launch. To circumvent her security-related objections, Tavenner simply signed off on it herself instead.
According to the GAO report, “CMS has not fully addressed security and privacy management weaknesses” even now, nearly a year after healthcare.gov was launched.
With the political crisis of healthcare.gov long behind it, President Obama’s appointees apparently feel much less urgency about dealing with healthcare.gov’s ongoing problems.