New security issues surface for health website
WASHINGTON – President Barack Obama claimed “full responsibility” Wednesday for fixing his administration’s much-maligned health insurance website as a new concern surfaced: a government memo pointing to security worries, laid out just days before the launch.
On Capitol Hill, Health and Human Services Secretary Kathleen Sebelius apologized to frustrated people trying to sign up, declaring that she is accountable for the failures but also defending the historic health care overhaul. The website sign-up problems will be fixed by Nov. 30, she said, and the gaining of health insurance will make a positive difference in the lives of millions of Americans.
Obama underscored the administration’s unhappiness with the problems so far: “There’s no excuse for it,” he said during a Boston speech to promote his signature domestic policy achievement. “And I take full responsibility for making sure it gets fixed ASAP.”
The website HealthCare.gov was still experiencing outages as Sebelius faced a new range of questions at the House Energy and Commerce Committee about a security memo from her department. It revealed that the troubled website was granted a temporary security certificate on Sept. 27, just four days before it went live on Oct. 1.
The memo, obtained by The Associated Press, said incomplete testing created uncertainties that posed a potentially high security risk for the website. It called for a six-month “mitigation” program, including ongoing monitoring and testing.
Security issues raise major new concerns on top of the long list of technical problems the administration is grappling with.
“You accepted a risk on behalf of every user … that put their personal financial information at risk,” Rep. Mike Rogers, R-Mich., told Sebelius, citing the memo. “Amazon would never do this. ProFlowers would never do this. Kayak would never do this. This is completely an unacceptable level of security.”
Sebelius countered that the system is secure, even though the site’s certificate, known in government parlance as an “authority to operate,” is of a temporary nature. A permanent certificate will be issued only when all security issues are addressed, she stressed.
Spokeswoman Joanne Peters added separately: “When consumers fill out their online … applications, they can trust that the information they’re providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure. Security testing happens on an ongoing basis using industry best practices.”
The security certificate is required under longstanding federal policy before any government computer system can process, store or transmit agency data. The temporary certificate was approved by Medicare chief Marilyn Tavenner, the senior HHS official closest to the rollout. No major security breaches have been reported.
The memo said, “From a security perspective, the aspects of the system that were not tested due to the ongoing development, exposed a level of uncertainty that can be deemed as a high risk for the (federal marketplace website).”