Thursday, October 31, 2013

Add Security To The List Of HealthCare.gov Tech Issues

Listen to the Story 2 min 13 sec Playlist Download Transcript   Enlarge image i

Rep. Mike Rogers, R-Mich., asks about website security questions Wednesday at a House Energy and Commerce Committee hearing on problems with HealthCare.gov.

Chip Somodevilla/Getty Images

Rep. Mike Rogers, R-Mich., asks about website security questions Wednesday at a House Energy and Commerce Committee hearing on problems with HealthCare.gov.

Chip Somodevilla/Getty Images

To the long list of problems plaguing HealthCare.gov, add data security. The enrollment site for the new health insurance exchanges had a security flaw that didn't get patched up when the exchange marketplace went live.

An internal government memo obtained by The Washington Post and Associated Press is dated Sept. 27 � four days before the HealthCare.gov website went live. It shows the government decided to go forward with launching the site even though there were "inherent security risks."

The memo says that from a security perspective, aspects of the system that were not tested due to the ongoing development "exposed a level of uncertainty that can be deemed as a high risk for FFM [Federally Facilitated Marketplace]."

Under federal government cybersecurity protocol, someone has to sign off on temporary certifications to operate despite security risks, and in testimony before the House Energy and Commerce panel Wednesday, Health and Human Services Secretary Kathleen Sebelius said that temporary authority was granted because a security risk "mitigation plan" was in place.

All Tech Considered What's A 'Glitch,' Anyway? A Brief Linguistic History All Tech Considered A Diagram Of HealthCare.gov, Based On The People Who Built It Sebelius: Hold Me Accountable For HealthCare.gov Debacle 4 min 15 sec Add to Playlist Download  

"You accepted a risk of every user of this computer that put their personal financial information at risk," said Rep. Mike Rogers, R-Mich., while questioning Sebelius.

The personal information going into HealthCare.gov includes birth date, Social Security number and an estimated income range. Sebelius emphasized that the additional security controls gave the agency confidence in going ahead with the launch, despite the audit showing a security gap.

"They get to make those decisions and those tradeoffs," says Waylon Krush, CEO of LunarLine, a cybersecurity firm that does work with dozens of federal government agencies, including HHS. "[Agency systems] process, store, manage, review a lot more sensitive data than what your general citizen is gonna put on HealthCare.gov, so I would say, from a risk perspective, it's pretty low, actually."

But the agency's technological credibility is dwindling, as programmers rush to fix ongoing issues with the error-riddled system. Now, programmers have to make sure they don't introduce new security risks with each patch.

"I know they're doing simultaneous testing as new code is loaded," Sebelius said Wednesday. Krush says this attention on security presents a good reminder for all of us.

"Everyone should always ask those questions, whether it's commercial or government, 'How are you protecting my data?' " he says.

Share Facebook Twitter Google+ Email Comment More From All Tech Considered TechnologyAdd Security To The List Of HealthCare.gov Tech IssuesDigital LifeTo Keep Your Attention, Airline Safety Videos Up Their GameTechnology(Don't) Pardon Me: One Man's Fight Against Distracted WalkingDigital LifeWeekly Innovation: A Light Bulb That's Also A Flashlight

More From All Tech Considered

Comments   You must be signed in to leave a comment. Sign In / Register

Please keep your community civil. All comments must follow the NPR.org Community rules and terms of use, and will be moderated prior to posting. NPR reserves the right to use the comments we receive, in whole or in part, and to use the commenter's name and location, in any medium. See also the Terms of Use, Privacy Policy and Community FAQ.

Please enable Javascript to view the comments powered by Disqus.

No comments:

Post a Comment