HealthCare.gov Security Fixes Promised
CMS Administrator Pledges Completion by Nov. 15
The Centers for Medicare and Medicaid Services will carry out 28 recommendations made by a government watch-dog agency to improve the security of HealthCare.gov before the next open enrollment period for Obamacare begins Nov. 15 (see GAO: HealthCare.gov Has Security Flaws).
CMS Administrator Marilyn Tavenner made that promise during questioning by members of the House Committee on Oversight and Government Reform at a Sept. 18 hearing into the security of HealthCare.gov. CMS is the unit of the Department of Health and Human Services responsible for implementing the Affordable Care Act, also known as Obamacare, including HealthCare.gov. That website supports a federally facilitated marketplace for health insurance on behalf of 36 states.
The 22 technical and six executive action recommendations for addressing HealthCare.gov security weaknesses were cited in a Sept. 16 report from the Government Accountability Office. The watch-dog agency in recent months had received multiple Congressional requests to review the security of the Obamacare insurance exchange site and systems after the botched launch of HealthCare.gov last fall.
Tavenner testified that CMS has already implemented 19 of the 22 technical recommendations and is "in the process" of implementing all six executive recommendations made by GAO. That includes a recommendation that Oversight Committee Chair Darrell Issa, R-Calif., noted as being most important - "a full system test."
"Our intent is to complete a full end-to-end [security test] later this month or October," Tavenner testified. The lack of end-to-end security testing before the launch of HealthCare.gov last Oct. 1 had been a sore point focused on during at least six hearings that the Oversight Committee has held about the website. In total, the committee has held 29 hearings about the Affordable Care Act, noted committee member Jackie Speier, D-Calif.
The author of the GAO report, Greg Wilshusen, the office's director of information security issues, testified that when CMS conducts its end-to-end security assessment of HealthCare.gov "testing how applications interact with operating platforms and infrastructure is critical ... [including] looking at firewalls, routers and switches." Those "layers" could potentially create vulnerability and risk, he said.
Ranking member Elijah Cummings, D-Md., who only minutes earlier thanked Tavenner and her CMS team for withstanding so much criticism over the last year while the troubled HealthCare.gov site helped to sign up 7.2 million individuals for health insurance coverage, pleaded with Tavenner to ensure that the GAO recommendations are implemented.
"Just do that, please," Cummings said. Tavenner agreed "to let the committee know" when the recommendations were implemented.
Tavenner also testified "that to date, there have been no malicious breaches or breaches of personal information" on the HealthCare.gov site and systems.
HHS recently revealed a hacking attack against a HealthCare.gov test server onto which malicious software had been uploaded. "This type of malware is not designed to extract information and there is no indication that any data was compromised as a result of this intrusion," testified Ann Barron-DiCamillo, director of the Computer Emergency Readiness Team at the Department of Homeland Security, which worked with HHS to investigate the incident.
"The malware was dropped to try to create a botnet for a DDoS [distributed-denial-of-service] attack," she said. "The test server had no PII. [The server] had an out-of-box configuration without the password being changed. DDoS [attacks] happen every day across the globe and Internet."
Among the key findings of the GAO's review of HealthCare.gov was that CMS is not always requiring or enforcing strong password controls, consistently implementing software patches, or properly configuring an administrative network.
"The weaknesses we identified can all be corrected and resolved immediately," Wilshusen testified. Those weaknesses created "unnecessary risk," he added.
GAO's executive action recommendations for CMS are:
- Ensuring that the system security plans for the federally facilitated marketplace and data hub contain all the information recommended by the National Institute of Standards and Technology;
- Ensuring that all privacy risks associated with Healthcare.gov are analyzed and documented in impact assessments;
- Developing separate computer matching agreements with the Office of Personnel Management and the Peace Corps to govern the data that is being compared with CMS data for the purposes of verifying eligibility for the advance premium tax credit and cost-sharing reductions;
- Performing a comprehensive security assessment of the federally facilitated marketplace, including the infrastructure, platform and all deployed software elements;
- Ensuring that the planned alternate processing site for the systems supporting Healthcare.gov is established and made operational in a timely fashion;
- Establishing detailed security roles and responsibilities for contractors, including participation in security controls reviews, to better ensure that communications between individuals and entities with responsibility for the security of the FFM and its supporting infrastructure are effective.
GAO noted in the report, and Wilshusen testified, that specifics of the 22 technical recommendations were not widely disclosed because of concerns about adversely affecting security.
Wilshusen also testified that CMS isn't the only government agency to struggle with security issues. A 2013 GAO study found "18 out of 24 agencies reported weaknesses in security," he testified. "It's a major challenge."
Common Security Challenges
Commenting on the GAO's findings, Dan Berger, CEO of security consulting firm Redspin, tells Information Security Media Group: "The report highlights some of the difficulties in securing highly complex Web applications and their supporting infrastructure. Security is often thought of as a 'known state' rather than a dynamic, ongoing process that must be administered accordingly."
The security-related challenges faced by CMS in the launch last year of HealthCare.gov were similar to the issues that private sector organizations face with complex systems, he contends.
"In their response [to the GAO report], CMS acknowledges the need for continuous monitoring and re-evaluation, but I think what the GAO was pointing to is that [when] the launch occurred, these processes were not in place," Berger says.
"This is not unlike the tension that exists in some businesses with developers and business unit managers pushing to get software released while the security team insists on best practices and lowering risk. It [appears] the GAO wants security evaluations to at least hold as much weight as release dates."