Top Obama administration officials knew just how vulnerable HealthCare.gov was to malicious security breaches when it launched, leaving data at risk to hackers that have already breached the website at least once.
According to documents obtained by government oversight nonprofit Judicial Watch, Centers for Medicare and Medicaid Services (CMS) officials knew about the depth of HealthCare.gov’s security problems but didn’t stop to fix them before the launch, as many reports have previously indicated. But while it tried to fix security problems after the website was operating, it was still focusing on the political ramifications of a successful attack on the website as much as the vulnerability of customers’ private information.
In its months-late Security Control Assessment, CMS had security contractor MITRE gauge security vulnerabilities not only by the damage to customer privacy, but by the political problems a flub would spark. The “high” risk rating warns that “significant political” damage is likely to result from a security breach; the moderate risk rating concerns itself with “public embarrassment” to CMS if vulnerabilities allow the confidentiality and integrity of HealthCare.gov data.
CMS opened HealthCare.gov without a complete assessment because the administration was running behind and refused to delay Obamacare’s launch. The security assessment wasn’t completed until December, when HealthCare.gov had launched and been (kind of) operating for almost three months. Turns out while MITRE was trying to ensure that private data already being traded in the system was secure, it was also gauging what political embarrassment a hack would cause the Obama administration.
The administration knew the threat of hackers inserting malicious code into the website was severe, just weeks before HealthCare.gov went live. Top information technology official Tony Trenkle warned of an attack involving malicious macros in a memo from September 2013, less than one month before HealthCare.gov’s launch. The configuration of the website’s system allowed code to execute automatically, according to Trenkle’s findings. With that set-up, “the threat and risk potential is limitless,” Trenkle wrote.
He recommended developing a method to scan uploaded documents for malicious inserts — but didn’t expect CMS officials to get it up and running until May 31, 2014 — almost eight months after the website began operating and customer information was put at risk.
A whole list of security flaws were discovered in the month before HealthCare.gov launched. The list undercut “the confidentiality, integrity and availability of data,” according to another September 2013 memo. Not only were individual security measures ineffective, but the system that CMS uses to keep track of security flaws so they can be fixed was also ineffective.
That oversight wasn’t slated to be finished until Feb. 7, 2014 — over fourth months after launch. Trenkle gave the okay to proceed with opening HealthCare.gov anyway.
It may be especially disturbing to Americans who have taken advantage of the federal health-care exchange, as HealthCare.gov has already been successfully hacked into at least once. Officials found out just weeks ago that a hacker breached an unsecured HealthCare.gov server over the summer and inserted malicious code into the website, which supported attacks on other websites. No personal data was extracted from the website itself, this time. (RELATED: Hacker Hits HealthCare.gov)