Issa report paints picture of strife, factionalism in run-up to HealthCare.gov launch

Senior IT officials at the Department of Health and Human Services were troubled by problems with technical architecture, security and testing in the weeks prior to the October 2013 botched launch of HealthCare.gov, but were blocked by colleagues within the Centers of Medicare and Medicaid Services and the White House from scrutinizing the project, according to a report from Republicans on the House Oversight and Government Reform Committee.

"Frankly, it's worse than I imagined!" HHS CIO Frank Baitman wrote in a Sept. 27, 2013, email to agency CTO Bryan Sivak.

According to the selection of email excerpts quoted in "Behind the Curtain of the HealthCare.gov Rollout," released Sept 17 by Rep. Darrell Issa (R-Calif.), chairman of the Oversight panel, Baitman and Sivak contemplated a campaign to roll back the launch to a limited population, as a kind of beta test, as problems with the site's performance were addressed. "To declare victory without fully launching," Sivak wrote in an email.

CMS Administrator Marilyn Tavenner acknowledged during a Sept. 18 hearing of the committee that there was conversation about a staggered launch to a few states. "I and the team did not think it was possible. I did not think it was possible the way the [federally facilitated marketplace] was configured to do that, nor did I think it was necessary," Tavenner said. "I had my own IT team who conveyed to me that they were confident in the project."

Sivak's worries stemmed in part from news from a CMS official who said that just a few days before the launch, the system was not able to handle more than 500 concurrent users. He was blunt about his concerns in an email to Baitman, writing, "Anyone who has any software experience at all would read that and immediately ask what the [expletive] you were thinking by launching."

CMS Deputy CIO Henry Chao, who had day-to-day oversight of the development of the federally facilitated marketplace, wrote to Baitman that, "without that personal investment in establishing the basis for understanding the operational aspects of the program (which HHS clearly does not have), there is no way to have a meaningful dialogue about the issues that 'visibility' provides you."

There was additional strain within CMS between leadership and security officials about whether the site should receive an authority to operate -- amply documented in a series of Congressional hearings -- which resulted in Tavenner signing the HealthCare.gov ATO certification herself, over objections from some CMS security experts.

According to a Sept. 16 report from Government Accountability Office, CMS has "not yet fully mitigated" some of the security weaknesses that existed at launch. In addition, GAO offered (but did not release for security reasons) 22 technical recommendations for fixes to HealthCare.gov, of which 19 have been implemented, according to the CMS reply to the GAO report.

HealthCare.gov security is being treated as an urgent issue by some lawmakers in the wake of the breach of a test server supporting site development by hackers seeking a nesting ground for a botnet. According to security reports from HHS and from the Department of Homeland Security, no personally identifiable data was exfiltrated and there was no lateral movement into the live HealthCare.gov site.

CMS pushed back against the assessment that HealthCare.gov was insecure at launch.

"CMS does not concur with GAO's finding that CMS accepted significant security risks when it granted the FFM and the Hub an Authority to Operate (ATO) in September 2013 and allowed states to connect to the Hub," according to the reply comments that went out under the signature of HHS Assistant Secretary for Legislation Jim Esquea. CMS stated also that the agency "conducts end-to-end comprehensive [security control assessments] in the FFM that are above industry standards," and another round of such testing will take place this month in advance of the next open enrollment period, which kicks off Nov. 15.