On the cusp of what many believed would be another contentious hearing on Capitol Hill about the security and rollout of HealthCare.gov, the Centers for Medicare and Medicaid Services delivered some reassurance to lawmakers about the site.
CMS Administrator Marilyn Tavenner told House Oversight and Government Reform Committee members on Nov. 14 that HealthCare.gov’s cybersecurity posture is in good shape.
“No person or group has maliciously accessed personally identifiable information from the site,” Tavenner wrote in a letter to committee chairman Rep. Darrell Issa (R-Calif.) and ranking member Rep. Elijah Cummings (D-Md.). “CMS will continue to strengthen the security of HealthCare.gov throughout its second open enrollment period.”
Tavenner’s letter comes about two months after the Government Accountability Office found 22 potential and real technical problems with the site’s cyber posture. She said during a September committee hearing that CMS would fix all of the problems by Nov. 15.
In her letter to Issa, Tavenner said CMS completed that effort on time.
“We appreciate the GAO’s work in this area and are using industry best practices to appropriately safeguard consumer’s personal information,” she wrote.
A Hill staff member, who requested anonymity, said CMS did not provide any verification that the cyber problems were fixed, which causes some concern.
GAO’s review and the committee’s hearing came after the Department of Health and Human Services confirmed HealthCare.gov suffered a cyber attack in July when hackers installed malicious software that could have been used to launch an attack on other websites from the federal insurance portal.
But the Homeland Security Department said at the September hearing that the portal didn’t suffer any data loss or impact the production environment.
Five invitations and a subpoena
Rep. Scott Peters (D-Calif.) used the letter Wednesday during a House Science, Space and Technology Subcommittee on Oversight as part of the evidence counter the majority’s allegations that the site is unsecure.
The committee forced via a subpoena former federal chief technology officer Todd Park to testify after five separate invitations were rejected by the White House.
Republican committee members sought more details on Park’s role in overseeing the development and security of HealthCare.gov.
But this most hearing on the security of site failed to shine a much brighter light on Park’s involvement, and what he knew and when leading up to the October 2013 launch. Many experts agree the rollout of HealthCare.gov was a debacle.
Two different perspectives emerged at the hearing.
Republicans made their case that Park was deeply involved and played a major role in the oversight of the Affordable Care Act portal, and therefore should be held responsible for the site’s failings.
Democrats said he may have been part of the oversight team, but really from a 50,000-foot level and dove into the weeds only on occasion. Democrats says he had little real power to change the direction of the failed launch.
And Park, for his part, time and again rebutted claims that he knew about site’s problems or played a larger role then he’s described in the past.
“In the highlighted sections in one of your subpoenaed emails dated June 26, 2013 sent to Marilyn Tavenner, [former CMS chief operating officer] Michelle Snyder and [deputy director of CMS information services] Henry Chao about ‘a deep dive sessions with Henry Chao.’ Specifically you wrote, ‘Marilyn, I’m also going to visit with Henry and team for one of our evening deep dive sessions to get up to speed on the latest status of IT and testing. There’s no substitute for an evening deep dive,'” said Rep. Paul Broun (R-Ga.), the subcommittee chairman. “Mr. Park, please explain to me how you define deep detailed knowledge and contrast with a deep dive experience with Mr. Chao that lasts several hours?”
Park said the difference between taking a deep dive and having deep detailed knowledge is the position you’re in. He said typically a project manager has the deep detailed knowledge.
“What’s happening here is that on a few occasions I spent time with the folks who were actually running the project, asked a series of questions and got information, but that level of knowledge pales in comparison to the really deep detailed comprehensive knowledge that you would have as the project manager running the thing on an ongoing basis,” Park said. “That’s a role I served in my private sector life on a variety of projects, but that was not the role I was serving on the federal facilitated marketplace. That was CMS’s responsibility.”
Dueling reports on involvement
Broun’s example was one of several emails Republicans highlighted from Park to CMS or other officials talking about detailed briefings or cybersecurity challenges.
But for each email a lawmaker highlighted, Park responded with a reason or explanation about his participation to demonstrate the level of his involvement.
But the hearing showed a few things — Park did have a bigger role than he first talked about in the November 2013 hearing where he, former Federal CIO Steven VanRoekel and HHS CIO Frank Baitman testified about their minor roles in the program development.
Park said he briefed President Barack Obama and other senior White House officials at least twice, and participated in multiple meetings, reviewing results of red teams and a report by McKinsey and Company highlighting risks and possible ways to address those risks.
Rep. Bill Johnson (R- Ohio) joined the chorus from his party in pressing Park about his role and calling his answers “disingenuous.”
“You are the nation’s CTO, appointed by the President to ensure safety and security of our networks. You can’t just say, ‘this was CMS’s responsibility.’ And let me remind you can delegate responsibility to people who do the actual coding, to project managers and program managers, but you can’t delegate accountability,” Johnson said. “You are responsible. You are accountable to the President and to the American people. You testified this morning that you briefed the President several times, did you ever once tell the President that you had concerns about the security of the system in your role as chief technical [sic] officer?”
Park said there is a fundamental misunderstanding about his role as CTO where cyber operations wasn’t a focus.
Johnson interrupted Park, pointing that he did have responsibility as a co- chairman of a steering committee to oversee the program.
“I was one of three co-chairs on a committee organized by OMB and there was a privacy and security subgroup, as you have mentioned. That was staffed and led by industry personnel. It was really self-propelled and driven by them,” Park said. “The point of us as co-chairs was to find a neutral venue where agencies could get together to do that work.”
No documents exist
Democrat committee members came to Park’s defense several times.
Rep. Eric Swalwell (D- Calif.) said the hearing was more like a trial and the majority’s allegations against Park could place him in legal jeopardy.
Swalwell said the minority staff report makes a strong argument that Park’s role was indeed one of advisor and not one of deep, detailed and intimate involvement in the site’s development.
“If he was playing such a role, there should be monthly progress reports from contractors that show progress against deliverables and requirements, costs of work, a critical path analysis that identifies where problems threaten a successful launch and a discussion of the integration process for the site across an army of contractors for the site,” Swalwell said. “None of these documents have been produced because Mr. Park was not the day-to-day manager on the project, nor are there any kind of documents that any of the contractors could produce doing the actual work could possess, which would include a discussion of code, performance and testing results. Those documents can be found at CMS, which managed this complex acquisition among the contractors. I believe Mr. Park’s job was about trying to push technology and I think the record and evidence supports that.”
Park also pushed back against lawmakers, saying on several occasions that he is not a cyber expert, never claimed to be one and relied on CMS and other experts to inform him on the system’s status.
“I provided assistance to CMS in a few different capacities. For example, I served as one of three co-chairs of an interagency steering committee, organized by the Office of Management and Budget and which focused on providing a neutral venue in which agencies like CMS, IRS, SSA and others could work through interagency items — primarily in support of the data services hub, which ended up going live quite successfully,” he said. “I assisted with a ‘red team’ exercise in early 2013 that helped identify actions to improve project execution, as well as some associated follow-on work that summer. From time to time, I helped connect people to each other, served as a spokesperson of sorts, and provided help on particular questions.”
In the end, Republican committee members were less than satisfied with Park’s responsiveness.
“Mr. Park, I find your and the White House’s lack of transparency intolerable and an obstruction to this committee’s efforts to conduct oversight. It took a subpoena to get you here. It took another subpoena to compel your documents from the White House,” Broun said. “But even with that, we have yet to receive all of your documents in compliance with our subpoena issued on Sept. 19, exactly two months ago. As a gesture of good faith, many staff have engaged in multiple in- camera reviews with White House lawyers, yet there are still documents being withheld from the committee without a claim of a legally recognized privilege.”