House Passes 2nd HealthCare.gov Bill
Committees Grill HHS on Security Issues
The House of Representatives on Jan. 16 approved a bill that would amend the Affordable Care Act to require more transparency in the operation of health insurance exchanges facilitated by the federally operated HealthCare.gov site.
Among the security-related provisions of the Exchange Information Disclosure Act, sponsored by Rep. Lee Terry, R-Neb., is a requirement that Congress receive weekly reports on technical problems with the HealthCare.gov site, including those related to consumer privacy and data security.
The bill passed the GOP-led House 259 to 154, with 33 Democrats supporting the legislation.
The passage of the bill comes less than a week after the House approved legislation that would require the Department of Health and Human Services to notify individuals within two days of discovering breaches involving personal information on federally facilitated and state-operated Obamacare health insurance exchanges.
That bill, the Health Exchange Security and Transparency Act of 2014, sponsored by Rep. Joe Pitts, R-Pa., passed the House 291 to 122, with 67 Democrats voting in favor (see Obamacare Breach Bill Passes House).
The White House opposed passage of the breach bill "because it would create unrealistic and costly paperwork requirements that do not improve the safety or security of personally identifiable information in the health insurance marketplaces."
The White House did not issue a statement on the Terry-sponsored bill.
The office of Senate Majority Leader Harry Reid, D-Nev., did not reply to an inquiry about whether the Senate will consider either bill.
The passage of the Terry-sponsored bill came minutes after the House Committee on Oversight and Government Reform adjourned a hearing where members questioned IT and information security officials from the HHS and its Centers for Medicare and Medicaid Services about data security and security testing of the HealthCare.gov systems and site, especially in the weeks leading up to the troubled Oct. 1 launch. That hearing was one of two focused on the security of HealthCare.gov held by House committees on Jan. 16. The other hearing was conducted by the House Science, Space and Technology Committee.
CMS is responsible for the HealthCare.gov site, which facilitates the health insurance exchanges for 36 states that chose not to run their own online insurance marketplaces under the Affordable Care Act.
Since October, there have been several Congressional committee hearings focused on the technical problems of HealthCare.gov, including questioning of HHS and CMS leaders about whether the site's security testing at the time of its launch was insufficient (see: Experts Answer Obamacare Questions).
At the Jan. 16 House Science, Space and Technology Committee hearing, David Kennedy, founder of computer security consulting firm TrustedSec LLC, told members, "HealthCare.gov is not secure today," according to Reuters. Prior to the hearing, Kennedy told Reuters the government has yet to plug more than 20 vulnerabilities that he and other security experts reported to the government shortly after HealthCare.gov went live on Oct. 1. The vulnerabilities mean that hackers could steal personal information, modify data, attack the personal computers of website users and damage the infrastructure of the site, Kennedy contends.
However, HHS CISO Kevin Charest, in his written testimony for the Jan. 16 House Committee on Oversight and Government Reform hearing, said, "to date, there have been no successful security attacks on HealthCare.gov, and no person or group has maliciously accessed personally-identifiable information from the site."
Under questioning during that hearing, Teresa Fryer, CISO of CMS, testified that "100 percent" of data involved with HealthCare.gov is encrypted, although she admitted not knowing details of all the encryption technology used on all the systems involved. She noted that more than 200 CMS information systems fall under her jurisdiction, and she said that specific technology decisions for HealthCare.gov were made by others more closely involved with the design and implementation.
Program-level IT decisions at HHS, including those involving IT security, "are made by our operating divisions at the operating division level, as in the instance of HealthCare.gov," Charest said in his written testimony. "As the 'business owner' of HealthCare.gov, as is the case with Medicare.gov, CMS is responsible for IT security for the website," he added.