HHS cybersecurity chief expressed concerns over health exchange site
WASHINGTON – The top cybersecurity officer for the Health and Human Services Department said he was concerned about potential vulnerabilities ahead of the launch of the Obama administration's health care website.
But Kevin Charest told congressional investigators he was unable to get answers to his questions from others inside the department. He concluded that the testing of the site was substandard.
"I would say that it didn't follow best practices," Charest testified a Jan. 8 deposition. Excerpts of his testimony were provided to The Associated Press by the House Oversight and Government Reform Committee.
Charest and Teresa Fryer -- another government cybersecurity professional who also had qualms -- were to testify before the panel Thursday.
Chairman Darrell Issa, R-Calif., investigating the chaotic rollout of the HealthCare.gov website, contends the administration risked the personal information of millions of Americans in its zeal to meet a self-imposed Oct. 1 deadline. The online federal insurance market is the main portal to coverage under President Barack Obama's signature program.
The panel's senior Democrat, Rep. Elijah Cummings of Maryland, says the administration addressed the potential security issues through added vigilance instituted before the site went live. He says despite initial operational problems, the site has not been successfully hacked. Cummings says it is Republicans who are risking the privacy of average citizens by demanding detailed blueprints that, if leaked, would become a road map for hackers.
With "Obamacare" expected to be a polarizing issue in the midterm congressional elections, both political parties are at battle stations. Republicans have raised security issues but have yet to produce a smoking gun.
As chief information security officer for HHS, Charest offered a look an insider concerns during the weeks and days before the website went live. Technical problems developed immediately and many potential customers were frozen out. The site seems to be working well now, but the administration's signup campaign hasn't fully recovered its momentum.
"I get paid to be paranoid," Charest said in the transcript. "And so I wanted to understand the exact controls in place, what environment, what procedures, what policies."
But the Centers for Medicare and Medicaid Services -- the departmental division running the health care rollout -- wasn't sharing.
"I was frustrated by a number of requests I made that I did not receive," Charest said. The requests were not just related to security, he said, but other operational issues as well.
He said he came to believe that CMS -- as the division is known-- was deliberately keeping information to itself. "I can't explain it," he said.
While he did not have direct chain-of-command authority over the rollout, "I have responsibility for incident control," Charest testified. "Putting my bad-guy hat on, this would be something I would think would be desirable for someone to want to attack."
HealthCare.gov has two major components: an electronic "back room" that got full operational and security certification and a consumer-facing "front room" that was temporarily certified Sept. 27.
The back room, known as the federal data services hub, pings government agencies to verify applicants' personal information. It does not store data.
But the front room does. That's where consumers in the 36 states served by the federal website create and save their accounts. Individual components of the front room did undergo security testing. But the system as a whole could not be tested because it was being worked on until late in the process -- and it was also crashing.
Charest testified that security testing usually takes place on a fully built, stable system that represents real-world functionality.
The path followed by HealthCare.gov was "not typical," he said. "In a perfect world, the system is completely done when you test it."
Charest testified that he did not get to review a key outside contractor's security evaluation until November, a month into the rollout. He found out only through media reports that the consumer-facing part of the website had been issued a provisional six-month operational and security certificate.
Despite the unusual process that administration officials followed with the website, Charest expressed cautious optimism over the added vigilance and testing measures put in place to reduce risks.
"I have no reason to believe that these broad mitigation strategies, if followed through in detail, would not mitigate the risk," he told the committee.
Fryer, who is the CMS chief information security officer, has testified that she recommended against issuing a full certification for the consumer-facing part of the website. She put her concerns in a Sept. 24 memo, but it was never sent.