Security problems still arising on O-Care site, CMS official says

Security vulnerabilities are still arising with HealthCare.gov roughly three months after the site launched, transcripts released by House Republicans suggest.

House Oversight Committee Chairman Darrell Issa (R-Calif.) released partial transcripts Friday of interviews with a top federal tech official who stated that "high" and "moderate" security risks have been discovered on the enrollment site in recent weeks.

"There were two high findings," said Teresa Fryer, chief information security officer at the Centers for Medicare and Medicaid Services (CMS). "One high finding was identified in an incident that was reported in November."

Fryer said the functionality in question was currently "shut down," and federal health officials repeated Friday that no "high" findings are currently open.

The committee's interview with Fryer took place Dec. 17, and portions of the transcript that appeared to describe specific site issues were redacted.

Fryer also apparently recommended against launching HealthCare.gov just weeks before the site debuted, telling her boss that her "evaluation of this was a high risk."

The interviews are the latest round of fire between Issa and the administration over the security of HealthCare.gov.

Oversight Committee Democrats blasted Issa's release as incomplete and said Fryer made other statements attesting to strong security at HealthCare.gov.

The CMS officer purportedly told interviewers that she recommended against the site's launch before taking into account additional security measures that were put in place before Oct. 1, the day the site went live.

The site has several layers of security infrastructure to protect against bad actors, she said.

Fryer repeatedly described additional measures for the site's security as exceeding federal standards and "above and beyond" normal best practices.

She also said that it is "very common" for systems to launch with "low" and "moderate" security risks in place, and CMS has plans to address any problems that are discovered.

These remarks were circulated in another partial transcript from committee Democrats, who accused Issa of misleading the public by painting HealthCare.gov as dangerously insecure.

"Chairman Issa's reckless pattern of leaking partial and misleading information is now legendary for omitting key information that directly contradicts his political narrative," said committee ranking member Elijah Cummings (D-Md.) in a statement.

"This effort to leak cherry-picked information is part of a deliberate campaign to scare the American people and deny them the quality affordable health insurance to which they are entitled under the law."

Federal health officials insisted Friday the site is safe and that any issues are being quickly addressed.

In response to the transcripts, the CMS stated that the enrollment site complies with federal standards and has not been successfully attacked.

An official also addressed the "high" findings referenced by Fryer, saying one was later proven to be false and the other was immediately fixed.

"Security testing is conducted on an ongoing basis using industry best practices," said an agency spokeswoman.

"In line with federal and industry standards, any open risk findings are being appropriately addressed with risk mitigation strategies and compensating controls."

— This story was updated at 10:23 a.m. and 1:41 p.m.