Obamacare website security at 'high risk' before launch -memo


By Jim Finkle

BOSTON, Oct 30 (Reuters) - The security of the Obamaadministration's healthcare website was at "high risk" becauseof lack of testing before it opened for enrollment on Oct. 1,according to a government memorandum reviewed by Reuters onWednesday.

The HealthCare.gov site collects a trove of sensitive datasuch as social security numbers, email addresses, phone numbersand birth dates that could be used by criminals in an array ofschemes.

A government spokeswoman said on Wednesday that steps tomitigate security concerns have been implemented since the memowas written on Sept. 27 and that consumer data is secure.

"From a security perspective, the aspects of the system thatwere not tested due to the ongoing development exposed a levelof uncertainty that can be deemed as a high risk," said the memo from Department of Health and Human Services officialsJames Kerry and Henry Chao.

The memo recommended the creation of a dedicated securityteam, weekly testing of servers, daily scans and a full securityassessment within 60 to 90 days of launch. It provided for atemporary, six-month authority to operate the system.

According to the document, the recommendation was approvedby Marilyn Tavenner, administrator of the Centers for Medicareand Medicaid Services, the lead agency at HHS managing the 2010Affordable Care Act, commonly called Obamacare.

The law, Obama's signature domestic policy, was passed inhis first term and upheld by the U.S. Supreme Court last year.It mandates everyone have health insurance or pay a fine andcreated online marketplaces for people to choose plans.

The Sept. 27 memo came up during a U.S. House ofRepresentatives hearing on Wednesday to question HHS SecretaryKathleen Sebelius about technical problems that have stalledaccess to the website for millions of consumers. Sebeliusconfirmed its main points and said the plan to ensure securitywas underway.

Sebelius said that the site had a temporary certificate,known as an "authority to operate" and that the agency wouldissue a permanent certificate once security concerns werealleviated.

Yet HHS spokeswoman Joanne Peters said that during theinterim the public need not worry about the security of dataentered on the site, which helps them identify and enroll inhealth insurance plans.

"When consumers fill out their online Marketplaceapplications, they can trust that the information they'reproviding is protected by stringent security standards and thatthe technology underlying the application process has beentested and is secure," she said.

"Security testing happens on an ongoing basis using industrybest practices," she said.

View Comments (73)