BreachExchange mailing list archives

Government memo warned of high security risk at health care website


From: Jake <jake () riskbasedsecurity com>
Date: Thu, 31 Oct 2013 16:02:47 -0400

http://www.cnn.com/2013/10/30/politics/obamacare-website-warning-memo/index.html

Washington (CNN) -- An internal government memo written just days
before the start of open enrollment for Obamacare warned of a "high"
security risk because of a lack of testing of the HealthCare.gov
website.

"Due to system readiness issues, the SCA (security control assessment)
was only partly completed," said the internal memo from the Center for
Medicare and Medicaid Services. "This constitutes a risk that must be
accepted and mitigated to support the Marketplace Day 1 operations."

The memo, which was provided in response to a request from the House
Oversight Committee, goes on to explain that CMS would create a
"dedicated security team" to monitor the risk, conduct weekly scans
and within 60 to 90 days after the website went live, "conduct a
full-scale SCA test."

Read the memo (http://i2.cdn.turner.com/cnn/2013/images/10/30/2013-90-27.cms.memo.signed.by.tavenner.pdf?hpt=hp_t1)

The memo did not detail the security concerns. It was written by IT
officials at CMS, and was sent to and signed by the agency's director,
Marilyn Tavenner, who testified on Capitol Hill on Tuesday that she
thought the website was ready to go when it began its crash-riddled
rollout on October 1.

"We had tested the website and we were comfortable with its
performance," Tavenner told lawmakers, although she added the caveat,
"we knew all along there would be, as with any new website, some
individual glitches we would have to work out."

Republican lawmakers referred to the document Wednesday as they raised
concerns at a House Energy and Commerce Committee grilling of Health
and Human Services Secretary Kathleen Sebelius, Tavenner's boss.

Sebelius also testified that she thought the website, which has been
prone to crashing, was ready to be rolled out on October 1.

She compared the early rollout to a sort of early beta test and said
the system was secure because data is stored in the same systems used
by the Internal Revenue Service and Department of Homeland Security.

But lawmakers said the system should have been more thoroughly vetted,
since it asks purchasers of health insurance to provide personal
information.

"You accepted a risk on behalf of every person that used this computer
that put their personal and financial information at risk because you
did not even have the most basic 'end-to-end' test on security of this
system," Rep. Mike Rogers, R-Michigan, told Sebelius. "Amazon would
never do this. ProFlowers would never do this. Kayak would never do
this," he said.

CNNMoney had earlier in the week profiled an Arizona software tester
who said the system was vulnerable and could be hacked. He was able to
reset users' passwords without much difficulty. But the Department of
Health and Human Services told CNN that particular issue had been
addressed.



--
Chief Information Security Officer
Risk Based Security
804-482-1337 / 855-RBS-RISK
jake () riskbasedsecurity com
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
