During a Senate committee hearing on Tuesday, CMS Administrator Marilyn Tavenner acknowledged lawmakers' concerns about the security of the federal health insurance exchange website but said there have been "no serious issues" related to security so far, the Wall Street Journal reports.
Details of Hearing
During the Senate Health, Education Labor and Pensions Committee hearing, committee Chair Tom Harkin (D-Iowa) said, "There has to be absolute assurance that [the exchange] is secure." He added, "Security is paramount. I think that's something we all agree on here."
Tavenner assured lawmakers that the federal exchange website is secure and undergoing constant testing and upgrades.
However, she acknowledged a recent error in which a North Carolina man logged in to his HealthCare.gov account and discovered the eligibility letter for a South Carolina man. She did not say what caused the problem or whether similar cases had been reported.
Tavenner said, "These systems are inherently high risk," adding "We treat it as a high-risk system and monitor it continuously" (Schatz, Wall Street Journal, 11/5).
She said, "Security testing never ends and will never end for this system or for any large system" (Meyers, Politico, 11/5).
Memo Shows CMS Knew of Security Risks
In related news, the House Oversight Committee has released internal documents that show CMS administrators were aware that the federal exchange website was a "high [security] risk" when it launched on Oct. 1 because of incomplete testing (Viebeck, "Healthwatch," The Hill, 11/5).
The documents show that the part of the exchange website that stores personal information was not fully tested before open enrollment began and only was given a temporary six-month security certification (Alonso-Zaldivar, AP/Sacramento Bee, 11/6).
Tavenner signed off on a memo dated Sept. 27 that states, "From a security perspective, the aspects of the system that were not tested due to the ongoing development exposed a level of uncertainty that can be deemed as a high risk for federally facilitated marketplace systems" (Ritger, National Journal, 11/5).
The memo also outlines a mitigation plan that includes:
- Ongoing monitoring and testing; and
- An eventual full security control assessment.
However, an accompanying document -- signed by three top CMS officials -- states that the mitigation plan "does not reduce the risk to the ... system itself going into operation on Oct. 1."
During the hearing Tuesday, Tavenner testified that the entire system could not be fully tested because it was being worked on up until open enrollment began (AP/Sacramento Bee, 11/6).
She added that HHS Secretary Sebelius was unaware of the security issues mentioned in the memo (National Journal, 11/5).
Reaction to Memos
In response to the memos, House Intelligence Committee Chair Mike Rogers (R-Mich.) said," The responsible thing to do is to shut down [HealthCare.gov] and do a complete security test."
Senate Intelligence Committee Chair Dianne Feinstein (D-Calif.) said she also previously suggested that federal officials take the website offline "until it was right" (Politico, 11/5).