CMS Manager Who Approved Launch Never Received Key Security Memos

Henry Chao, deputy chief information officer for the Centers for Medicare and Medicaid Services // CSPAN

A top Obamacare technology official was not informed of high-level security risks before he recommended the launch, according to closed-door congressional testimony released late Monday night. 

Henry Chao, deputy chief information officer for the Centers for Medicare and Medicaid Services, was not copied on Sept. 3 intra-office memos that described two outstanding problems as high-impact (as opposed to low- or moderate-impact issues). Descriptions of the issues are redacted in the now-public Nov. 1 interview with Chao and accompanying memos to protect information about vulnerabilities on, according to House Oversight and Government Reform Committee investigators.

"The threat and risk potential is limitless" for one item that is not due to be fixed until May 31, 2014, states a visible portion of the documents. The other unidentified security matter involving the online insurance marketplace must be addressed by Feb. 26, 2015. 

Without being shown these documents, Chao co-wrote a recommendation that CMS chief Marilyn Tavenner authorize the system to launch, which she approved on Sept. 27. opened for business on Oct. 1.

Chao’s Nov. 1 testimony does not state whether he would have recommended operating the system had he been aware of the potential dangers. Citizens must enter sensitive personal information -- catnip for identity thieves -- to enroll in healthcare plans.

Chao did, however, acknowledge that he was taken aback by the omission, which occurred before he was instructed to go live with the system.

"It is disturbing. I mean, I don't deny that this is, kind of, a fairly nonstandard way to document a decision to make a recommendation to proceed in [authorization to operate]," he testified. Chao said he has been a technology manager at CMS since late 2007.

"I probably should have been copied on it," he said when first shown the Sept. 3 packet by investigators. "Why I'm surprised is that the [chief information security officer] had me do this, file this process, but [didn't] copy me on the ATO letter. I mean, wouldn't you be surprised if you were me?"

HHS officials have said that consumers who register online can trust that the information entered is protected by stringent standards and that the technology underlying the application process is secure.

Chao is scheduled to testify at a public House Oversight committee hearing on Wednesday.

The potential for hackers to defraud or harm patients by manipulating data transmissions has raised concerns among lawmakers and independent programmers.

Until fixed on Oct. 30, a security flaw in -- the Spanish language version of -- could have allowed identity thieves to steal personal information from enrollees as they typed. A separate flaw in that could have leaked email and other account information was eliminated that same week, after a private citizen informed federal officials of the problem, Time reported.

One vendor involved in designing the insurance shopping site previously jeopardized the personal data of 6 million Medicare beneficiaries, according to the Health and Human Services inspector general. 

Under a separate, ongoing project, Quality Software Services, Inc., or QSSI, failed to stop employees from connecting unauthorized USB devices, such as thumb drives and smartphones, to computers testing CMS systems. A June IG report categorized the oversight as a high risk.
