New Documents, Lack of Testing Raise Concerns About Security Of HealthCare.gov

October 31, 2013

WASHINGTON, DC – House Energy and Commerce Committee Leaders today sent letters to Health and Human Services Secretary Kathleen Sebelius and four government contractors involved with implementation of the exchanges regarding rising security concerns surrounding the Federally Facilitated Marketplace. At a hearing of the Energy and Commerce Committee on October 30, committee member and Chairman of the House Intelligence Committee Mike Rogers (R-MI) submitted for the record a document signed by Centers for Medicare and Medicaid Services Administrator Marilyn Tavenner that states “Due to system readiness issues, the [Security Control Assessment] SCA was only partly completed. This constitutes a risk that must be accepted and mitigated to support the Marketplace Day 1 operations.” The memo explains, “there are inherent security risks with not having all code tested in a single environment.” As technology issues continue, “the system requires rapid development and release of hot-fixes and patches so it is not always available or stable during the duration of the testing.” This lack of complete security testing, and the administration’s acknowledgement of this, raises serious questions about the security of the FFM.

Chairman Upton commented, “It is imperative that everything is being done to protect Americans’ sensitive personal information. But as each day goes by, more concerns are being raised with HealthCare.gov’s security, as well as the administration’s competency to fix the lingering problems. The administration must do whatever it takes to give Americans peace of mind that their personal information will be safe. No excuses.”

In the letters, the committee leaders write, “We are now seeing the results of HHS’ failure to conduct adequate end-to-end performance testing of HealthCare.gov prior to its launch on October 1. Almost one month after open enrollment began, the website continues to suffer from glitches and is often unavailable to the public to shop for plans.” The members request several documents from the administration and the companies “in order to better understand the implementation of the PPACA, including whether the failure to conduce a complete Security Control Assessment increases the risk to the FFM.”

The letters were signed by Chairman Upton, Chairman Emeritus Joe Barton (R-TX), Oversight and Investigations Subcommittee Chairman Tim Murphy (R-PA), Health Subcommittee Chairman Joe Pitts (R-PA), Full Committee Vice Chairman Marsha Blackburn (R-TN), Health and Oversight and Investigations Subcommittees Vice Chairman Michael C. Burgess, M.D. (R-TX), Representative Mike Rogers (R-MI), and Representative Bill Johnson (R-OH). The letters were sent to Creative Computing Solutions, Inc., Foreground Security Inc., MITRE Corporation, Verizon Terremark, and the Department of Health and Human Services.

Read the complete letters online here.

###