The recent breach of a Healthcare.gov test server might not have put users’ personal information at risk, but a congressional oversight hearing Thursday revealed that early glitches during the site’s launch did.
Testifying in front of the House Oversight and Government Reform Committee, Centers for Medicare and Medicaid Services Administrator Marilyn Tavenner said in her opening statement that no personally identifiable information was lost in the denial of service attack that occurred in July. However, Greg Wilshushen, director of information security issues with the Government Accountability Office, testified that his agency received a written response that “there was certain [personally identifiable information] that was compromised or disclosed to an individual…due to a technical glitch.”
Tavenner maintained that the malicious attack reported in September didn’t cause any vulnerabilities, which led Committee Chairman Rep. Darrell Issa, R-Calif., to accuse her of “wordsmithing” to cover the truth.
“So if you screw up and put the public’s information out there it’s okay, because it wasn’t a malicious attack?” he questioned. When Healthcare.gov initially launched, Issa explained, users could easily access others’ records, often by accident. “That wouldn’t have been malicious — I guess, except that if somebody were doing it to see what they’d get, that would be a little malicious. What you’re saying is you don’t know how much [information] was lost, you just believe that the definition of malicious wasn’t met.”
Issa and other Republicans on the committee grilled Tavenner with questions about her agency’s transparency in the aftermath of what they called a botched launch. Wilshushen’s testimony didn’t help much, claiming that CMS made GAO’s audit anything but easy.
“In this case there were delays initially in providing certain documents that we had requested,” Wilshushen said. “In addition, CMS attempted to put certain restrictions on some of the documents. They indicated that they were worried about the security of the sensitive information. We elevated the issue within GAO and the department, and we reached an agreement.”
Continuing to question her about transparency, Florida Republican Rep. John Mica brought up an instance where Tavenner was believed to have deleted emails, which would put her in violation of the Federal Records Act.
Upon reading the correspondence, which had some information redacted, Tavenner said, “This email is from me. I asked she delete it because it involved the president’s schedule, which I think is part of what is redacted.” Issa found that hard to believe because the president’s schedule is usually well-known, he said.
The remainder of the questioning, though, focused mostly on the inadequate security measures of the Healthcare.gov marketplace, which Wilshushen said persist and have existed since its launch.
“Testing of Healthcare.gov and its systems has not been comprehensive,” he said, adding that many risks like weak passwords still exist. “I would say that a majority of incidents that occur within the federal government could be resolved, perhaps prevented, if agencies practiced strong cybersecurity. There’s always going to be a risk that you come across some entity that has very sophisticated techniques that may be difficult to protect against. But by and large, many security incidents could be corrected and prevented if agencies practiced strong security controls.”
In a 78-page report released Tuesday, GAO found 28 different security vulnerabilities it recommended CMS resolve before the launch of Healthcare.gov’s second enrollment period. Wilshushen said those weaknesses “can be corrected and resolved almost immediately.”
Before bringing the hearing to a close, Issa did recognize the difficulty and magnitude of the task Tavenner and CMS were undertaking with the Healthcare.gov website. All he and his committee want, he said, is “the highest level of best practices.”