HealthCare.gov is ripe for cyberattacks targeting personal information, the chairman of the House Homeland Security Committee charged Wednesday.
The site is vulnerable because the federal agency charged with ensuring the security of government websites played virtually no part in its development, Rep. Michael McCaul (R-Texas) said.
“DHS had effectively no input into the security of HealthCare.gov, despite it being arguably the most significant federal website ever constructed,” the Texas Republican said during a hearing of the panel.
Upon logging onto the website, consumers looking for coverage are prompted to input personally identifying information, including their social security number, immigration status, household income and details about their health.
While the system does not store the information, McCaul said it could exist for as long as 10 years on federal and state exchanges set up under the Affordable Care Act.
“All of this information is a tempting target for hackers, identity thieves and other malicious actors,” he said.
Under questioning, Roberta “Bobbie” Stempfly, associate director of the DHS Office of Cybersecurity and Communications, said the office is investigating roughly 16 reports from agencies about possible attacks and is aware of one unsuccessful “denial-of-service” attack seeking to shut the site down.
Stempfly stressed that it would be atypical for an agency to involve the DHS prominently in the development of an application, and said agencies retain primary responsibility for securing and defending their own networks.
The panel’s top Democrat said GOP criticism over DHS involvement is misplaced.
“Some of my colleagues have indicated that DHS should assure the safety and security of the personal information on HealthCare.gov,” Rep. Bennie Thompson (D-Miss.) said. “While this is an interesting proposition, there is no law requiring DHS to play such a role.”
Rather, Thompson said, the DHS has the broader responsibility of observing, reporting and responding to threats and assuring that agencies follow regulations under the Federal Information Security Management Act.
Still, Stempfly testified that the security department was contacted by the CMS in August about services the agency might be able to provide in relation to the healthcare law.
The two agencies entered into general discussions to refine the request for assistance, and the DHS gave the CMS descriptions of specific capabilities and services the agency could offer.
The CMS has not followed up with a specific request, and Stempfly’s office has not provided technical assistance relative to HealthCare.gov, she said.