HealthCare.gov launched with security risks, documents show

Chao tells Congress the site's authority to operate was granted in a 'fairly nonstandard way.'

Centers for Medicare and Medicaid Services Deputy CIO Henry Chao, shown here testifying before Congress in July 2013, told the House Oversight and Government Reform Committee more recently that he was not informed of HealthCare.gov security risks before he recommended granting an authority to operate.

Henry Chao, a leading IT official involved in the HealthCare.gov rollout, told congressional investigators he was out of the loop on a memo that authorized a key component of the federal insurance marketplace system to launch despite at least two high-risk findings in security assessments.

In a Sept. 3 memo, Tony Trenkle, CIO of the Centers for Medicare and Medicaid Services (CMS), authorized the Federally Facilitated Marketplace to go online when the open enrollment period launched Oct. 1. The FFM, which determines insurance eligibility under the 2010 health care law and allows users to shop for plans, performed poorly because of software bugs, lack of capacity and hardware problems. Trenkle's resignation as CIO was announced last week.

Repairs to the site and other HealthCare.gov components are ongoing, and the administration hopes to make the site workable by the end of this month. Behind the scenes, however, it appears that the site launched with security vulnerabilities that could render personal information prone to capture.

A heavily redacted attachment to the Sept. 3 memo, released by the House Oversight and Government Reform Committee, lists high-risk problems, with suggested remedies and deadlines that must be met before an authority to operate can be granted. One finding warns that "the threat and risk potential is limitless," although because of the redactions the threats themselves are not detailed.

Under questioning from a committee attorney, Chao -- who is CMS' deputy CIO -- said he was "surprised" that he wasn't copied on the memo. He also said that had he known about the risks, he would have mentioned them in a Sept. 27 memo that went out under his signature to CMS Administrator Marilyn Tavenner recommending she sign a six-month authority to operate for the FFM.

"It is disturbing. I mean, I don't deny that this is, kind of, a fairly nonstandard way to document a decision to make a recommendation to proceed in [an authority to operate]," Chao said.

Chao also acknowledged that he did not personally draft much of the memo, which he signed along with James Kerr, now acting deputy director of operations in the Center for Consumer Information and Insurance Oversight at CMS. According to Chao, the memo was written by Teresa Fryer, chief information security officer at CMS, who under federal computer security rules is the individual authorized to conduct testing on the HealthCare.gov components, including the FFM and the data hub, before they went live.

Chao is scheduled to testify Nov. 13 before the committee alongside federal CIO Steve VanRoekel, Frank Baitman, CIO of the Department of Health and Human Services, Dave Powner of the Government Accountability Office, and federal CTO Todd Park. The committee issued a subpoena to Park on Nov. 8 after he declined an invitation to testify. Park is currently immersed in the "tech surge" to fix HealthCare.gov, an effort led by former Obama administration official Jeff Zients and aided by several Presidential Innovation Fellows and developers from private sector companies including Google, Oracle and Red Hat.

In a letter to the committee, a White House official wrote that Park "is central to the work to improve the healthcare.gov shopping experience as quickly as possible, and he is devoting nearly all of his attention and expertise to assisting CMS in that critical effort," and that the distraction of preparing for sworn testimony would be "highly disruptive."

Committee Chairman Rep. Darrell Issa (R-Calif.) has accused Park of a "pattern of interference and false statements" related to the performance and testing of HealthCare.gov.

On Nov. 11, Reps. Elijah Cummings (D-Md.) and Gerry Connolly (D-Va.) requested that Issa withdraw the subpoena of Park. "We believe the Committee should focus instead on areas of common ground, such as federal information technology (IT) acquisition reform initiatives," they wrote.