Department of Health and Human Services Secretary Kathleen Sebelius couldn't give a definitive answer Wednesday about whether the Healthcare.gov website was secure.
Sebelius, testifying before the House Energy and Commerce committee, said she didn't know whether each line of new code for the website was being tested and was secure.
When asked by Rep. Mike Rogers, R-Mich., whether each new piece of code added to the website was security tested, Sebelius first said that, to her understanding, the code had been tested.
But after being pressed by Rogers, Sebelius said “I don’t know” but that the security of the site was an “ongoing operation.”
Rogers then asked if any end-to-end testing, which exercises the complete system from start to finish rather than its components in isolation, had been performed since the website went live on Oct. 1.
Sebelius could only say that she would find out if such a test had taken place, and reiterated that ongoing security tests were being carried out.
Rogers pointed Sebelius to a letter written to Centers for Medicare and Medicaid Services Administrator Marilyn Tavenner stating that “due to system readiness issues, the [Security Control Assessment] was only partly completed,” and that this “constitutes a risk that must be accepted and mitigated to support” the launch of the website.
The letter was dated Sept. 27 and written by Henry Chao, deputy chief information officer, and James Kerr, consortium administrator for Medicare health plans operations. Tavenner signed the letter.
Chao and Kerr said that parts of the website were not tested due to ongoing development and that the site as a whole had not been tested.
Those untested aspects, according to Chao and Kerr, “exposed a level of uncertainty that can be deemed as a high risk” for the website.
Because of those risks, Rogers said Sebelius “accepted a risk on behalf of every user on this [website] that put their personal information at risk because you did not have even the most basic end-to-end test on security of the system.”
Rogers said that Amazon, ProFlowers and Kayak wouldn’t have allowed such a lapse in security.
“This is completely an unacceptable level of security,” Rogers said.
“Don’t you think you have the obligation to tell the American people that ‘we’re going to put you in this system but beware your information is likely to be vulnerable?’ ” Rogers asked.
Chao and Kerr recommended daily and weekly scans of the website and a full test of the site within 60 to 90 days of launch.
The two recommended giving a dedicated security team six months to implement the mitigation plan. Nowhere in the letter do they ask to keep the website down during the mitigation, however.