Faced Security Risks, Feds Were Told - InformationWeek


As HHS secretary Sebelius testified to Congress about the flawed rollout, a memo surfaced that predicted security risks due to inadequate testing.

Officials for the Centers for Medicare and Medicaid (CMS) were alerted four days prior to the launch of that a lack of testing posed security risks for the healthcare insurance website, according to an internal government memo obtained by the Associated Press.

The AP report released Wednesday surfaced just as Department of Health and Human Services (HHS) secretary Kathleen Sebelius testified on Capitol Hill about the fiasco. While Sebelius admitted there should have been more testing, she said security was never an issue.

"Clearly the testing should have been longer and should have been more sufficient," Sebelius said to the House Energy and Commerce committee. "Contractors said, 'we would've loved more testing time, but we're ready to go ahead.'"

The internal HHS memo was sent to CMS chief Marilyn Tavenner on Sept. 27 and warned that insufficient testing "exposed a level of uncertainty that can be deemed as a high risk." The sender of the memo was not identified.

The memo said contractors weren't able to test all the security controls before the launch, and recommended setting up a security team to address risks and conduct daily tests, with a full security test to follow within two to three months.

Sebelius said she was not advised to delay the Oct. 1 launch date, even though contractors couldn't perform end-to-end testing until mid-September, after the products and insurance policies were loaded into the system.

The House Oversight and Government Reform committee released other documents Tuesday night, including a monthly status report from CGI Federal, one of the primary contractors for, issued Sept. 6. The report identified a number of open issues that represented potential risks and warned that the time needed to fully test the site "was not adequate" to ensure the site would function completely, according to a Washington Post story.

Wednesday's hearing was a political showdown at its worst, with Republicans making a fool of Sebelius to prove a point, and Democrats mostly lauding a flawed system.

In her first appearance before lawmakers to publicly explain's failed launch, Sebelius apologized to the American people.

"I am as frustrated and angry as anyone with the flawed launch of," she said. "You deserve better. I apologize. I'm accountable to you for fixing these problems, and I'm committed to earning your confidence back by fixing the site."

Sebelius said CMS and the contractors are working to fix the site by the end of November.

The site's glitches have frustrated more than just millions of consumers; insurance companies aren't too thrilled, either. Because of the problems, "There is no reliable data around enrollment," Sebelius said.

"The system isn't functioning, so we're not getting that reliable data," she said. "We have prioritized that specific fix. Believe me, insurance companies want to get reliable data."

The data insurance companies are looking for are the 834 files that contain enrollment data like social security numbers, number of dependents and the type of plan customers selected. Without those files, even if a customer successfully registers on, they might encounter major problems when they try to use their insurance after Jan. 1, when the plans go into effect.

"Clearly, looking back, it would've been ideal to do it differently," Sebelius said. "We should have anticipated better, we should have planned better, we should have tested better."

User Rank: Strategist
11/15/2013 | 9:27:26 AM
An overloaded system is a risky system
Just the fact that the website has been unable to handle the load, becoming overwhelmed with modest levels of traffic, tells you that it wasn't well-designed and is likely to contain other flaws, including security flaws.