Commentary By Avik Roy

Key Memo Details 'Limitless' Privacy Risks To Obamacare's Website

One of the most underappreciated, but important, problems with Obamacare’s troubled health insurance exchanges is their inadequate safeguards against identity theft and misuse of private information. We’ve now learned that an important government report detailing "high risks" to the security of the Obamacare website was concealed from a key official, Henry Chao. The concealment misled Chao into believing that there were no longer any high security risks to the launch of the federal exchange, prompting him to recommend the approval of healthcare.gov. "I’m not even copied on this," exclaimed Chao in a November 1 interview with the House Oversight Committee, where he was presented with the security report for the first time. "It is disturbing…This is…a fairly non-standard way to document a decision."

It’s not clear whether or not the concealment was intentional. "I don’t want to think the worst of people," Chao told investigators. But he acknowledged that it was "kind of strange" that he wasn’t included on the email that contained this critical information, given that there were people that report directly to him that were included on it, along with his direct superiors. "Why I’m surprised is that [Teresa Fryer, the Chief Information Security Officer] had me do this, file this process, but [didn’t] copy me on the [Authorization to Operate] letter. I mean, wouldn’t you be surprised if you were me?"

A review of Obamacare’s IT org chart

The organizational chart at the Office of Information Services at the Centers for Medicare and Medicaid Services—the group tasked with overseeing the construction of the Obamacare exchange—is substantial, as you might expect. The group was headed until recently by Tony Trenkle; last week, Trenkle—a career official—left CMS in a management shakeup. Trenkle reported to the head of CMS, Marilyn Tavenner.

Henry Chao serves as the Deputy Director and Deputy Chief Information Officer of CMS. Teresa Fryer, the group’s Chief Information Security Officer, "is in charge of…the operations of the agency’s information systems security program," said Chao. Fryer was responsible for conducting the security control assessment of healthcare.gov, in order to make sure that there wouldn’t be any risks to participants’ private information.

CMS: ‘Unacceptable’ security issues present ‘limitless’ risk potential

In August, I wrote about the serious emerging problems with Obamacare’s privacy safeguards. The Privacy Act of 1974 prohibits government agencies from sharing private individuals’ information, without written consent, outside of twelve specific exceptions. In addition, the Federal Information Security Management Act of 2002, or FISMA, obliges the executive branch to ensure that Americans’ private records are adequately protected from misuse and security breaches.

An August report from the Office of the Inspector General of the Department of Health and Human Services found that "several critical tasks remain to be completed in a short period of time," and stated that CMS might not have the legal authority to issue the "go" order to launch the exchanges. That "go" order, in CMS-ese, is called an "ATO" order, which stands for "Authorization to Operate."

It appears that the Inspector General’s concerns were well-founded. In a September 3 memo from Tony Trenkle—the memo that Chao never received—CMS officials disclosed that "the threat and risk potential is limitless" from a redacted security issue, and that "non-compliance with…CMS Minimum Security Requirements (CMSR) without continuous monitoring presents an unacceptable risk."

Elsewhere, the memo describes "the possibility that the [Obamacare exchange] security controls are ineffective. Ineffective controls do not appropriately protect the confidentiality, integrity, and availability of data and present a risk to the CMS enterprise." Other problems "can lead to controls not being appropriately implemented and [to] a lack of accountability."

Chao kept in the dark about ‘high findings’ of security risk

A number of these issues were considered "open high findings"—the most serious category of security concerns. In Chao’s testimony to the Oversight Committee, Chao stated that he only recommended that the exchange launch go forward because there were no high findings of security issues.

A "high finding," explained Chao, is a serious security issue that leaves a website highly vulnerable to hackers. "I’ll give you a real-world example," Chao told investigators. "If you don’t establish [an] https secure software connections, that means that you are not sitting inside of a private encrypted tunnel between the client machine and the system. So if you are sending user ID and password in a nonencrypted session, people can intercept that. So that would be a high finding."

"In the world of FISMA," said Chao about the key law that governs federal IT privacy issues, having the highest degree of security and privacy protection means that the exchange "passes those security controls without any high findings. That’s the practical interpretation of ‘highest level of security.’ It meets FISMA requirements."

"I was mainly concerned with whether there were any high findings," Chao continued. "I believe, a week later, there were no high findings—that constituted for me a complete security control assessment," one that would allow the exchange launch to go forward.

This puzzled investigators, because the investigators had obtained the Trenkle memo from September 3 that documented several high findings. It turned out that Chao was never sent the memo. "I have to look into this. This is the first time I have actually seen this. So don’t mind that I’m kind of taking my time reading [as I answer your questions]."

Who knew what when?

So here are the questions that remain unanswered about this episode. First: Did Tony Trenkle intentionally conceal this critical information about high security risks from Henry Chao, or was it an accident? Second: Would Chao have recommended that the exchange go forward if he had been aware of high findings? Third: Did Marilyn Tavenner—the head of CMS—know about these issues when she issued the final go-ahead authorization? Fourth: Now that this information is public, why is the Obama administration encouraging people to enter their sensitive personal data into the non-secure healthcare.gov website?

It’s astounding that Marilyn Tavenner—who promised in Congressional testimony that "we will have the highest degree of security and privacy protection"—would sign off on a website that is vulnerable to identity theft and hacking. But that appears to be what she did.

On Wednesday, November 13, the House Oversight Committee is holding another hearing on this topic. It will be interesting to see what further revelations are before us.

This piece originally appeared in Forbes
