By – Peter A. Finocchio
On Thursday, September 18, the House Oversight and Government Reform Committee examined ObamaCare’s failures in security, accountability, and transparency. The hearing summoned Marilyn Tavenner, Administrator for Department of Health and Human Services’s Centers for Medicare and Medicaid Services (CMS); Ann Barron-DiCamillo, Director of the U.S. Computer Emergency Readiness Team in the Department of Homeland Security; and Greg Wilshusen, Director of Information Security Issues for the U.S. Government Accountability Office, to share their testimonies and answer questions from Committee members.
Tavenner and Barron-DiCamillo defended the Administration’s handling of ObamaCare’s data breaches and efforts to strengthen cyber-security, while Wilshusen testified that there was still much the Administration needs to do to fix these problems and ensure that the personal information of HealthCare.gov users would not be at risk of exposure. “Our solemn responsibility,” Chairman Darrell Issa (R-CA) stressed at the beginning of the hearing, “is to hold government accountable to taxpayers because taxpayers have a right to know what they get from their government.” The hearing was in response to a revelation earlier this month that a hacker had breached HealthCare.Gov in July as well as a long history of incidents that raise doubts about the security of the website, dating back to HealthCare.gov’s ill-fated launch last year.
As at previous ObamaCare-related hearings, Congressional Democrats balked, argued that the hearing was a waste of time, and they accused Republicans of playing politics. “Today’s hearing is our 29th on the Affordable Care Act and our sixth on HealthCare.gov,” remarked Ranking Member Elijah Cummings (D-MD). Representative Cummings held that there was “no indication that any data was compromised” as a result of July’s hacking attempt and said that Republicans on the Committee had been “disregarding much more serious attacks that compromised much more significant information,” citing Target’s credit card breach.
Democrats also attempted to pass the blame to Republicans for ObamaCare’s weaknesses. Congressman Matt Cartwright (D-PA) criticized Republican governors for denying health care to individuals by not expanding Medicaid. During his line of questioning, he asked Ms. Tavenner if she could think of any reason, “other than political posturing,” why Republicans opposed Medicaid expansion, and concluded by hoping that the naysayers would “take advantage of this historic opportunity to provide health care for their citizens.” Democrats thanked Tavenner and Barron-DiCamillo for their work on ObamaCare’s implementation and accused Republicans of being ungrateful for the sacrifices of government workers. “I want to congratulate you,” Congresswoman Jackie Speier (D-CA) remarked to Ms. Tavenner, “You have survived the real life survival hour and an incredible waste of your time.” Ranking Member Cummings added to Representative Speier’s statement, “You may never hear the full ‘thank you’s of people who are going to stay alive because of what you and your colleagues have done.”
While Democrats accused their Republican colleagues of being less concerned about data breaches in big business than they are about ObamaCare, they failed to note that HealthCare.gov is held to a much lower standard of scrutiny than private corporations. Although companies like Target are required by law to notify their customers when their information is put at risk, government agencies face no such requirement. Even when experts had urged the Department of Health and Human Services to include a data-breach provision in its policies for the website, it declined to do so. Futhermore, as Chairman Issa noted, corporate breaches such as Target’s credit card exposure, were being appropriately investigated in the House Financial Services Committee as the Oversight and Government Reform Committee focuses on government, not corporate, negligence.
Wilshusen testified that “the majority of issues in the federal government could be prevented if agencies just practiced strong security controls.” In the case of HealthCare.gov, Wilshusen contended that CMS did not practice those controls. It had neither required nor enforced strong password control, it did not implement patches in a timely manner, its system security plans were missing key information, and it did not fully assess privacy risks. Wilshusen noted that although CMS accepted twenty-two technical recommendations and three of six recommendations for security and privacy controls made by the U.S. Governmental Accountability Office, “weaknesses remain that put this system and the processes they include at risk.” The U.S. Governmental Accountability Office has found that “While CMS has taken steps to protect the security and privacy of data processed and maintained by the complex set of systems and interconnections that support Healthcare.gov, weaknesses remain both in the processes used for managing information security and privacy as well as the technical implementation of IT security controls.”
Security has been an ongoing concern with ObamaCare’s website. As early as last November, three cybersecurity experts recommended at a House Science, Space, and Technology Committee hearing that the website be shut down until security issues were fixed. In January, hacking expert David Kennedy, who is himself an ObamaCare supporter, revealed how he had been able to compromise HealthCare.gov and access the records of 70,000 users in just four minutes. Kennedy noted that he had been able to extract the information without even hacking the website itself, explaining that the site was “wide open” for that kind of breach.
Last year, a South Carolina lawyer’s personal information was exposed to a man from North Carolina when he logged onto the website to browse plans. The South Carolinian was only made aware of the incident because the man called and alerted him. After making multiple attempts to contact the Department of Health and Human Services, his request to have his HealthCare.gov information removed from the website was finally obliged. This week, Congressman Robert Hurt (R-VA) has introduced legislation that would allow HealthCare.gov users to delete their own profiles in order to protect their personal information.
State health exchanges have also succumbed to breaches. Last September, an employee of MNsure, Minnesota’s state-run ObamaCare exchange, accidentally sent an email that exposed the Social Security numbers, names, business addresses, and other personal information of over 2,400 insurance agents. Jim Koester, the insurance broker who received the email, complied with MNsure in deleting the information but was greatly disturbed that there had not been safeguards in place to prevent the incident. “The gorilla in the room,” he said at the time of the incident, “is that they sent me something that’s not even encrypted. It’s unsecured, on an Excel spreadsheet – which is using outdated technology to transfer that information in the first place. They’ve got to realize they have a huge problem.” In December, a Romanian hacker gained access to the Vermont exchange’s development server at least fifteen times and went undetected for a month.
While data may not have been extracted in July’s cyber-attack on HealthCare.gov, the fact remains that personal information has already been compromised in previous breaches – leading investigators and experts to conclude that the Administration has not done enough to prevent it from happening again. Republicans in Congress have been urging the Administration to address these issues since HealthCare.gov’s disastrous launch over a year ago. These hearings are intended to ensure action on these issues and give the American people the transparency they have been repeatedly denied.
AMAC believes that ObamaCare is fundamentally flawed and that its problems will not be fully fixed until the law is repealed and replaced. However, AMAC also recognizes that the insecurities of HealthCare.gov are a significant problem that must be fixed immediately. When government jeopardizes the confidential information of millions of Americans and fails to be forthright about the problem and diligent about a solution, it betrays the confidence of the American people at a fundamental level. AMAC will continue to urge redress of these security flaws and demand both transparency and accountability from the Obama Administration through its presence on Capitol Hill and its support at the grassroots level.