CMS sets new deadline to fix two dozen HealthCare.gov cyber shortfalls

The Centers for Medicare and Medicaid Services has until Nov. 15 to close real and potential cybersecurity holes in the HealthCare.gov website. Marilyn Tavenner, the CMS administrator, promised House lawmakers Thursday that the site would be better protected when open enrollment begins in two months.

The Government Accountability Office found in a report released Sept. 16 that CMS had problems with its information security and privacy program and its technical security architecture, specifically around access controls and configuration management.

Tavenner testified before the House Oversight and Government Reform Committee that the majority of GAO’s findings already have been addressed, and the rest are in the process of being fixed.

“Let me start with the 22 technical recommendations — 19 of those have been resolved, fully mitigated or will be further reviewed prior to open enrollment. So those will be handled. Of the six, we are in the process of completing those or have completed those prior to open enrollment,” Tavenner said.

When asked by Rep. Michelle Grisham (D-N.M.) if she is confident that the fixes will be implemented and tested before Nov. 15, Tavenner said she is sure it will happen.

“We will never quit continuing to improve the process. Our work with DHS, GAO and OIG will always be looking for improvements,” Tavenner said.

Basic cyber hygiene missing

Ann Barron-DiCamillo, director of the Homeland Security Department’s U.S. Computer Emergency Readiness Team (US-CERT), said DHS is in talks with CMS to provide more support for the Affordable Care Act website. She didn’t offer details on what that support would entail, however.

But despite a lot of good work CMS has done to secure the site and keep data private over the last few years, the agency missed some basic cyber hygiene, said Greg Wilshusen, GAO’s director of information security issues, at the hearing.

“CMS didn’t fully or effectively implement key technical security controls to sufficiently safeguard the confidentiality, integrity and availability of the federally facilitated marketplace and its information,” Wilshusen said. “For example, CMS didn’t always require or enforce strong password controls, did not sufficiently restrict systems from accessing the Internet and did not consistently implement patches in a timely manner.”

He added that CMS also fell short on its information security and privacy management plan and didn’t test all relevant controls. All of these and other shortcomings leave CMS and HealthCare.gov at greater risk of data loss and cyber attack.

The question that came up at the hearing several times is whether the risk CMS accepted is too much compared to other federal systems, and whether citizen data has been stolen by hackers — the latest attack happened in July.

Barron-DiCamillo said the malware attack in July was unsuccessful and mitigated.

“The malware is to use the resource of the server as part of this botnet, so it wasn’t targeting the server. It was using the resource of the server for another victim,” she said. “The breach was discovered by CMS. It was alerted to us. We looked at the images provided. There was no exfiltration of data. There was no loss of personally identifiable information due to the segmentation of the network. This was a test network separate from the production network. There was no lateral movement into the production network associated with this activity.”

Best practices ignored?

This was the committee’s 29th hearing on the Affordable Care Act and sixth on the website itself. The hearing presented two differing points of view about CMS actions to secure the website: The Republicans pointed out HealthCare.gov continued to have cyber vulnerabilities, despite being around for almost a year. The Democrats said no personal data has been lost from the site and there are bigger fish to fry in the cyber world, including recent data breaches at Home Depot, Target and even federal contractor USIS.

But Rep. Darrell Issa (R-Calif.), chairman of the committee, asked why, a year later, CMS is still struggling to carry out some basic cybersecurity actions. He said CMS didn’t have strong passwords, advanced lock-out systems or detection and reporting capabilities.

“There are techniques that if they would’ve been in place, they would have been more secure?” Issa asked GAO’s Wilshusen. “So what you found a year into your site was they weren’t using best practices?”

Wilshusen responded, “The weaknesses we identified all can be corrected and resolved almost immediately. We identified several weaknesses that increased the risk and unnecessarily increased preventable risk.”

Rep. Gerry Connolly (D-Va.) asked Tavenner if IT got short shrift during the planning stages of HealthCare.gov. Tavenner said CMS recognized what went wrong and has since fixed those problems.

“Some of the lessons learned and changes we’ve made early on in year one and definitely for year two, we needed a systems integrator. We needed someone to help with the coordination. We needed a clear point of accountability. We needed better communication,” she said. “You’re right there was probably more time spent on the non-technical components, and we didn’t realize the technology was as difficult as it was.”

Tavenner added that today there is nothing more important to her and CMS than the security of the portal. She said the agency holds weekly meetings and has a 24/7 security team using continuous monitoring and intrusion prevention and detection tools.

Subpoena for former White House CTO issued

Aside from this committee, there still are other concerns about the security of the website. The House Science Subcommittee on Oversight voted Sept. 17 to subpoena former federal chief technology officer and Department of Health and Human Services CTO Todd Park to find out more about the site’s cybersecurity. The subcommittee says the subpoena would require the White House to provide documents and emails pertaining to Park’s role in development of the website. It will also oblige Park to appear before the subcommittee to provide testimony under oath.

At the same time, Issa also issued a report detailing past and current concerns about the security of the site.

Despite the sometimes contentious nature of the hearing, Issa said the reason for the oversight and tough questions was only about making HealthCare.gov stronger and more resilient.
