Documents and testimony show that healthcare.gov still has “serious security vulnerabilities” ABC News is reporting.
There have been “two high findings” of risk – the most serious level of concern – in testing over the past few weeks, the top Centers for Medicare and Medicaid Services (CMS) cybersecurity official told the House Oversight Committee on Tuesday in a private transcribed interview.
CMS chief information office Teresa Fryer told the Oversight Committee there was a “vulnerability in the system,” but that “They shut the module down, so this functionality is currently shut down.”
The federal contractor, MITRE Corporation, that oversees security of the website defines a “high finding” as a risk of “significant political, financial and legal damage” if the technical vulnerability is exploited. One high finding was reported in November, the other earlier this week, Fryer said.
Fryer also recommended the site not launch on October 1, due to security issues.
“It was during the security testing when the issues were coming up about the availability of the system, about the testing in different environments. I had discussions with [CMS technology chief Tony Trenkle] on this and told him that my evaluation of this was a high risk,” Fryer told the committee of her assessment days before the portal was to go live.
Fryer said she gave the same warning on Sept. 20 – 10 days before launch – to two other top HHS officials. She says all three expressed an awareness of her concerns, but proceeded against her advice.
“What would your recommendation have been?” a committee interviewer asked.
“My recommendation was a denial of an ATO,” she said, referring to an Authority to Operate license necessary for HealthCare.gov to go online for public access.
The new security risks were discovered as the administration is on an enrollment push, trying to boost the number of participants in the program before the deadline.