Issa: HHS downplayed site security risks

House Oversight Chairman Darrell Issa (R-Calif.) said Tuesday that documents he obtained through a subpoena show that the Department of Health and Human Services (HHS) downplayed key security vulnerabilities ahead of the Oct. 1 launch of HealthCare.gov.

Issa did not release the documents that have been at the center of a bitter dispute with the Obama administration.

Issa said he was withholding “sensitive technical details,” but that a handful of findings indicate the online healthcare portal was vulnerable to attackers, who may be able to obtain private consumer information.

“Of the 28 separate security vulnerabilities identified in the October 11 report, MITRE reported that 19 remained unaddressed,” Issa wrote. “Among the unaddressed security risks that went live on October 1, MITRE indicated eleven ‘will significantly impact the confidentiality, integrity and/or availability of the system or data ... ’ if the technical or procedural vulnerability is exploited.”

HHS spokeswoman Joanne Peters disputed the notion that HHS ignored key vulnerabilities ahead of the launch.

“Each piece of the live Healthcare.gov system that was going into operation October 1st had been tested by an independent security control assessor and testing was completed prior to October 1, 2013 with no high findings,” she said. “All high-, moderate-, and low-security-risk findings…that launched on October 1st were either fixed, or have strategies and plans in place to fix the findings that meet industry standards.”

In addition, she said that all of the operational components of the website are compliant with federal requirements.

“To date, there have been no successful security attacks on Healthcare.gov and no person or group has maliciously accessed personally identifiable information from the site,” she continued, adding that “security testing is conducted on an ongoing basis using industry-best practices to appropriately safeguard consumers’ personal information.”

Issa also announced Tuesday he would meet with HHS Secretary Kathleen Sebelius over the administration’s security concerns about sensitive documents he obtained through the subpoena.

Issa’s attempt to obtain physical copies of six reports prepared by contractors that outline security vulnerabilities with HealthCare.gov has sparked a bitter battle with the administration.

The Obama administration has allowed Issa’s office to view the documents in a controlled setting, but sought to keep him from physically obtaining the documents through a congressional subpoena.

Once MITRE Corp. and another ObamaCare contractor complied with the subpoenas, the administration said that it tried to set up meetings with Issa to ensure the safeguarding of the data, but that the California Republican refused.

“Contrary to the assertion made by the White House, neither I nor anyone on my staff has expressed an unwillingness to meet with you for a discussion about both the ongoing security vulnerabilities noted in the MITRE documents as well as the rationale for proceeding on October 1, 2013,” Issa wrote in a letter to Sebelius on Tuesday.

“Indeed, my staff repeatedly has told your staff that it would welcome a page by page discussion of the MITRE documents and any concerns about the public release of any information once the documents were properly and fully produced to the Committee,” he added.

The feud came to a head on Monday, when the White House general counsel and seven top Democrats went around Issa in a letter to Speaker John Boehner (R-Ohio), asking him to intervene to ensure the chairman wouldn’t leak the documents to the press. 

The administration says it’s concerned about the MITRE documents leaking because they “include software code and other technical information that is highly sensitive” and could give hackers “a roadmap to compromise the security of the website and the personal information of American citizens.”

Rep. Elijah Cummings (D-Md.), the ranking member on the oversight committee, leveled a frequent Democratic complaint against Issa, saying that he selectively released data in a misleading way and may have violated House rules by releasing subpoenaed documents.

“Chairman Issa’s letter cherry-picks from the documents, mischaracterizes the status of the website, and appears to violate House Rules that prohibit the unilateral release of documents under subpoena,” he said in a statement. “The Chairman’s actions are a reckless and transparent attempt to frighten Americans away from the Healthcare.gov website and deny them health insurance to which they are entitled. This has become an unfortunate and well-known pattern with Chairman Issa, and in this case, one we warned against repeatedly over the last several days.”

--This report was updated at 4:29 p.m.