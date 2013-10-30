By Jim Finkle
BOSTON Oct 30 The security of the Obama
administration's healthcare website was at "high risk" because
of lack of testing before it opened for enrollment on Oct. 1,
according to a government memorandum reviewed by Reuters on
Wednesday.
The HealthCare.gov site collects a trove of sensitive data,
such as Social Security numbers, email addresses, phone numbers
and birth dates that could be used by criminals in an array of
schemes.
A government spokeswoman said on Wednesday that steps to
mitigate security concerns have been implemented since the memo
was written on Sept. 27 and that consumer data is secure.
"From a security perspective, the aspects of the system that
were not tested due to the ongoing development exposed a level
of uncertainty that can be deemed as a high risk," said the
memo from Department of Health and Human Services officials
James Kerry and Henry Chao.
The memo recommended the creation of a dedicated security
team, weekly testing of servers, daily scans and a full security
assessment within 60 to 90 days of launch. It provided for a
temporary, six-month authority to operate the system.
According to the document, the recommendation was approved
by Marilyn Tavenner, administrator of the Centers for Medicare
and Medicaid Services, the lead agency at HHS managing the 2010
Affordable Care Act, commonly called Obamacare.
The law, Obama's signature domestic policy, was passed in
his first term and upheld by the U.S. Supreme Court last year.
It mandates everyone have health insurance or pay a fine and
created online marketplaces for people to choose plans.
The Sept. 27 memo came up during a U.S. House of
Representatives hearing on Wednesday to question HHS Secretary
Kathleen Sebelius about technical problems that have stalled
access to the website for millions of consumers. Sebelius
confirmed its main points and said the plan to ensure security
was underway.
Sebelius said that the site had a temporary certificate,
known as an "authority to operate" and that the agency would
issue a permanent certificate once security concerns were
alleviated.
Yet HHS spokeswoman Joanne Peters said that during the
interim the public need not worry about the security of data
entered on the site, which helps them identify and enroll in
health insurance plans.
"When consumers fill out their online Marketplace
applications, they can trust that the information they're
providing is protected by stringent security standards and that
the technology underlying the application process has been
tested and is secure," she said.
Meanwhile, Connecticut's state-run online exchange disclosed
on Wednesday that it had experienced five attempted cyber
attacks, including two from a foreign country.
"We had to get the NSA involved," Kevin Counihan, executive
director of the exchange that is known as Access Health CT, told
reporters on a conference call.
A spokeswoman for the National Security Agency declined
comment. Counihan said the exchange had passed cybersecurity
tests before it opened on Oct. 1.