CMS Manager Who Approved Launch Never Received Key Security Memos

Henry Chao, deputy chief information officer for the Centers for Medicare and Medicaid Services // CSPAN

A top Obamacare technology official was not informed of high-level security risks before he recommended the launch, according to closed-door congressional testimony released late Monday night. 

Henry Chao, deputy chief information officer for the Centers for Medicare and Medicaid Services, was not copied on Sept. 3 intra-office memos that described two outstanding problems as high impact (as opposed to low- or moderate-degree issues). Descriptions of the issues are redacted in the now-public Nov. 1 interview with Chao and accompanying memos to protect information about vulnerabilities on, according to House Oversight and Government Reform Committee investigators.

"The threat and risk potential is limitless" for one item that is not due to be fixed until May 31, 2014, states a visible portion of the documents. The other unidentified security matter involving the online insurance marketplace must be addressed by Feb. 26, 2015. 

Without being shown these documents, Chao co-wrote a recommendation that CMS chief Marilyn Tavenner authorize the system to launch, which she approved on Sept. 27. opened for business on Oct. 1.

Chao’s Nov. 1 testimony does not state whether he would have recommended operating the system had he been aware of the potential dangers. Citizens must enter sensitive personal information -- catnip for identity thieves -- to enroll in healthcare plans.

Chao did, however, acknowledge that he was taken aback by the omission, which occurred before he was instructed to go live with the system.

"It is disturbing. I mean, I don't deny that this is, kind of, a fairly nonstandard way to document a decision to make a recommendation to proceed in [authorization to operate]," he testified. Chao said he has been a technology manager at CMS since late 2007.

"I probably should have been copied on it," he said when first shown the Sept. 3 packet by investigators. "Why I'm surprised is that the [chief information security officer] had me do this, file this process, but [didn't] copy me on the ATO letter. I mean, wouldn't you be surprised if you were me?"

HHS officials have said that consumers who register online can trust that the information entered is protected by stringent standards and that the technology underlying the application process is secure.

Chao is scheduled to testify at a public House Oversight committee hearing on Wednesday.

The potential for hackers to defraud or harm patients by manipulating data transmissions has raised concerns among lawmakers and independent programmers.

Until fixed on Oct. 30, a security flaw in -- the Spanish language version of -- could have allowed identity thieves to steal personal information from enrollees as they typed. A separate flaw in that could have leaked email and other account information was eliminated that same week, after a private citizen informed federal officials of the problem, Time reported.

One vendor involved in designing the insurance shopping site previously jeopardized the personal data of 6 million Medicare beneficiaries, according to the Health and Human Services inspector general. 

Under a separate, ongoing project, Quality Software Services, Inc., or QSSI, failed to stop employees from connecting unauthorized USB devices, such as thumb drives and smartphones, to computers testing CMS systems. A June IG report categorized the oversight as a high risk.
