HealthCare.gov Security Back in the Spotlight

The head of the agency responsible for overseeing HealthCare.gov said security holes in the website have been fixed and no personal data on the site has been “maliciously accessed.”

In a Nov. 14 letter to lawmakers on the House Oversight and Government Reform Committee, the administrator of the Centers for Medicare and Medicaid Services, Marilyn Tavenner, said the agency has resolved nearly two dozen recent recommendations from the Government Accountability Office and is “using industry best practices to appropriately safeguard consumer's personal information.”

In a September report, GAO auditors cited inadequate security testing and noted CMS failed to implement software patches, properly configure an administrative network or require the use of strong passwords. GAO’s report was published just a few weeks after CMS revealed hackers had compromised a HealthCare.gov server over the summer and installed malware.

Tavenner’s letter came the day before a mostly glitch-free relaunch of the Obamacare website this weekend -- a contrast to last year’s disastrous rollout.

House Republicans say they remain concerned about the cybersecurity controls underpinning the online federal health exchange.

Still, during a hearing Wednesday, members of the House Science and Technology Committee reserved most of their rhetorical firepower for the site's failings last year.

The committee's only witness was former federal Chief Technology Officer Todd Park, who was questioned about his role in development of the portal. During the initial round of oversight hearings last fall, Park maintained he was not very familiar with the development and security testing of the site prior to its launch.

But Republicans have accused Park of misleading Congress.

In an October 2014 report, committee Republicans cite numerous emails turned over by the White House, in which Park communicated with top CMS officials about aspects of the site’s development. A month before the site’s launch, according to one email, Park requested a memo that “basically outlines the protection strategy, including threat assessment and response strategy,” according to one email.

During Wednesday’s hearing, Rep. Paul Broun, R-Ga., the chairman of the committee’s investigations subcommittee said: "That begs the question: What are you hiding, Mr. Park? ... Perhaps it is that you knew there were serious problems with HealthCare.gov prior to the launch, but you did not convey them on up the chain in your briefings with the president. Or, perhaps, you did and they were ignored because of this administration's relentless pursuit to launch HealthCare.gov on Oct. 1, 2013, no matter what the consequences may be.”

Park repeatedly testified he did not have a day-to-day role in the development of the site leading up to its launch. That was CMS’ job, he said.

"From time to time, I helped connect people to each other, served as a spokesperson of sorts and provided help on particular questions,” he told the committee. “However … I was not a project manager who was managing and executing the day in and day out operational work of building the new HealthCare.gov.”

He added, “I didn't have the kind of comprehensive, deep, detailed knowledge of the effort that a hands-on project manager would have."

Democrats on the committee released their own report appearing to back up Park’s version of events, namely that he served as a high-level adviser on the project -- the report’s title is “The View from 80,000 Feet: Todd Park in the Run Up to HealthCare.gov” -- and not as an on-the-ground project manager.

Emails cited in the report appear to show Park being rebuffed on more than one occasion by CMS officials when requesting briefings and meetings.

For example, when Park inquired about attending a “readiness review” meeting in mid-July as a “fly on the wall,” the former chief operating officer of CMS denied his request and responded “Flys [sic] on the wall are seldom invisible and often distracting!!!!”

The Democratic report concluded: “It is hard to reconcile the claim that Park was deeply involved in the development of HealthCare.gov with the reality that Park could not even get access to the website experience as it was being developed.”