More Severe Security Risks Found at HealthCare.gov After Launch

By: John Hayward
12/20/2013 10:41 AM

The other other shoe still waiting to drop on ObamaCare is the first large-scale hacker raid of private information from the laughably insecure website, which is like a dream come true for identity thieves. You may rest assured we won’t find out about this until long after it happens, and incalculable damage has been done, because the Administration has never stopped working to cover up the extent of the site’s security flaws.
But the truth keeps dribbling out, and ABC News has uncovered some more testimony and documents we weren’t supposed to know about:
Nearly three months after its launch and as millions of Americans log on to shop for health plans, HealthCare.gov has still had serious security vulnerabilities, according to documents and testimony obtained exclusively by ABC News.
There have been “two high findings” of risk – the most serious level of concern – in testing over the past few weeks, the top Centers for Medicare and Medicaid Services (CMS) cybersecurity official told the House Oversight Committee on Tuesday in a private transcribed interview.
It’s a “vulnerability in the system,” CMS chief information security officer Teresa Fryer told the committee of one of the issues. “They shut the module down, so this functionality is currently shut down.”
But… but… everything’s fixed now. They told us so on Thanksgiving weekend. A billion people per hour are now using Healthcare.gov.
The exact description of the issue was redacted from the transcript so as not to further compromise security, a committee official told ABC News.
The federal contractor that oversees security of the website, MITRE Corporation, defines a “high finding” as a risk of “significant political, financial and legal damage” if the technical vulnerability is exploited. One high finding was reported in November, the other earlier this week, Fryer said.
Political damage is a consideration in risk assessments? I’m starting to think politicizing every aspect of American life might have been a mistake.
CMS told ABC News on Friday that the issues identified have now been resolved.
“In one case, what was initially flagged as a high finding was proven to be false,” the agency said in a statement. “In the other case, we identified a piece of software code that needed to be fixed and that fix is now in place. Since that time, the feature has been fully mitigated and verified by an independent security assessment, per standard practice.”
Luckily, nobody was entering sensitive personal information into Healthcare.gov during some kind of “enrollment surge” while the flawed code was running, so no biggie. A raft of moderate- and low-severity flaws was also reportedly uncovered, but I suppose it would be churlish to ask what risks they posed, and probably unrealistic to expect an informed response.
ABC places the latest news in the context of the long-running security concerns about the untested, revised-on-the-fly ObamaCare system:
Health and Human Services spokeswoman Joanne Peters said that “risk mitigation strategies” are in place for all high, moderate and low security risk findings on the website. “Security testing is conducted on an ongoing basis using industry best practices to appropriately safeguard consumers’ personal information,” she told ABC News.
Still, Republicans leading the politically-charged inquiry into the website’s management say the Obama administration has been reckless from the start.
Portions of the CMS cybersecurity chief’s testimony provided to ABC News show that she recommended that HealthCare.gov not launch on Oct. 1 because of serious security concerns.
“It was during the security testing when the issues were coming up about the availability of the system, about the testing in different environments. I had discussions with [CMS technology chief Tony Trenkle] on this and told him that my evaluation of this was a high risk,” [Chief Information Security Officer Teresa] Fryer told the committee of her assessment days before the portal was to go live.
Fryer said she gave the same warning on Sept. 20 – 10 days before launch – to two other top HHS officials. She says all three expressed an awareness of her concerns, but proceeded against her advice.
“What would your recommendation have been?” a committee interviewer asked.
“My recommendation was a denial of an ATO,” she said, referring to an Authority to Operate license necessary for HealthCare.gov to go online for public access.
The website ultimately went live on Oct. 1 without ever having undergone complete end-to-end security testing.
In other words, the Republicans “leading the politically-charged inquiry into the website’s management” have been absolutely correct about the Administration’s recklessness. And they’re still lying through their teeth about it. In what universe is launching a website without complete testing, in defiance of red-alert do-not-launch warnings from cybersecurity experts, consistent with “industry best practices to appropriately safeguard consumers’ personal information?” It looks like the bumbling fools who created Healthcare.gov left their test sites accessible to the public, which might prove useful to hackers looking for ways into the live system. Anyone want to explain how that’s consistent with industry best practices? It’s the kind of negligent oversight that would get you flunked out of basic system design courses.
These people are a full-scale national embarrassment. And it’s going to be a lot more than just “embarrassing” when the American people suffer for their incompetence.
CBS News adds that cybersecurity chief Fryer – who sounds like one of the conscientious professionals who got steamrolled in the mad dash to dump ObamaCare on America by the political hacks running the show – refused to sign off on “a letter recommending a temporary ATO be granted for six months while the issues were sorted out.” The chief information officer of CMS, Tony Trenkle, was also reluctant to sign off on the security of the system. He resigned from his job in mid-November and refused to talk with CBS reporters.
It looks like HHS Secretary Kathleen Sebelius has been caught lying to Congress again, which used to be a crime, before the Obama regime seized power. From the CBS report:
This is the first time a government insider has gone on record challenging the administration’s insistence that there were no worrisome security concerns. On Oct. 30, Rep. Gus Bilirakis, R-Fla., asked Health and Human Services (HHS) Secretary Kathleen Sebelius in testimony to Congress whether “any senior department officials” advised delaying the rollout of HealthCare.gov.
“I can tell you that no senior official reporting to me ever advised me that we should delay,” Sebelius answered. “We have testing that did not advise a delay. So not — not to my knowledge.”
But Fryer says she briefed Sebelius’ top information officers at HHS in a teleconference on Sept. 20, recommending the website’s launch be delayed for security reasons. Fryer testified that the call included HealthCare.gov’s chief project manager Henry Chao, HHS chief information security officer Kevin Charest and HHS Deputy Assistant Secretary for Information Technology Officer Frank Baitman. Fryer says she learned three days later that her advice was not going to be followed.
While we wait for someone in Washington to stand up for the rule of law, we can wonder what sort of mischief hackers have wrought with an easily exploited gateway to systems even more sensitive than the health care database:
House Oversight Committee chairman Rep. Darrell Issa, R-Calif., who personally interviewed Fryer, told CBS News that there are potential risks to every facet of the system tied into HealthCare.gov and the public information stored within.
“This is not about your application being compromised. This is about an exchange portal that lets me go into the Department of Homeland Security, that lets me go into the IRS, lets me go into an array, Social Security…that’s the vulnerability,” Issa said.
Maybe the Imperial President should issue a royal decree delaying all hacker attacks and data theft for a year.

http://www.humanevents.com/2013/12/2...-after-launch/