TRENDING:

Panel Probes CTO's HealthCare.gov Role

Todd Park Says His Involvement In Cybersecurity Was Limited Marianne Kolbasuk McGee (HealthInfoSec) • November 20, 2014    
Panel Probes CTO's HealthCare.gov Role

The nation's chief technology officer at the time of last year's troubled launch of Obamacare's HealthCare.gov website told a House panel Nov. 19 that his role in the launch was minimal and cybersecurity issues were handled by others.

See Also: Live Webinar | CybeRx - How to Automatically Protect Rockwell OT Customers from Today’s Cyber-Attacks

The hearing, conducted by the House Committee on Science, Space and Technology's subcommittee on oversight, was convened to explore if former U.S. CTO Todd Park had attempted to previously hide from Congress the level of his involvement in the troubled launch of HealthCare.gov or his knowledge of security shortcomings of the site.

"On Nov. 13, 2013, in testimony before the [House] Committee on Oversight and Government Reform, you said that you did not 'actually have a really detailed knowledge base' of the [HealthCare.gov] website before it was launched, and that you were 'not deeply familiar' with the development and testing regimen that happened prior to Oct. 1, 2013," said Rep. Paul Broun, R-Georgia, chair of the subcommittee, in his opening statement, addressing Park.

"However, the committee has in its possession documents that appear to contradict much of what you have said in your prior Congressional appearance," Broun added. Among the "documents" referred to by Broun and other GOP lawmakers during the hearing were several e-mails between Park and various leaders of the Centers for Medicare and Medicaid Services, the unit of the Department of Health and Human Services responsible for implementing the Affordable Care Act program, including HealthCare.gov.

Some of those e-mails referred to HealthCare.gov "risks." Park contended that the risks referred to in the e-mails were project risks, not specifically cybersecurity risks, that had been resolved.

The inquiry was the latest in a series of Congressional hearings that have scrutinized the rocky HealthCare.gov launch and probed whether the site had undergone thorough security testing and risk mitigation before the Affordable Care Act's initial open enrollment launch on Oct. 1, 2013. A recent Government Accountability Office report identified a number of cybersecurity weaknesses and recommendations to improve HealthCare.gov security before the second open enrollment season for Obamacare launched on Nov. 15. CMS has said 22 technical recommendations made by GAO to improve HealthCare.gov security have been addressed (see HealthCare.gov Security Bolstered).

Other Duties

Park testified that his former White House job as CTO entailed "championing" a portfolio of more than a dozen technology innovation initiatives, ranging from making government data more transparent and available to the public to harnessing technologies to combat human trafficking.


Todd Park

"My role as U.S. CTO was not to oversee the internal federal IT budget and operations," he testified. Park acknowledged, however, that he "was asked to provide assistance" to CMS for the HealthCare.gov project.

Park testified that his role in advising CMS was not that of a "project manager who was managing and executing the day-in and day-out operational work of building HealthCare.gov. This was the responsibility of CMS," he said. "I didn't have the kind of comprehensive, deep, detailed knowledge of the effort that a hands-on project manager would have. ..."

Limited Cyber Role

Park said much of his advisory role in the HealthCare.gov project was related to interagency work involving the federal data services hub, which acts as a conduit to provide data from various sources to the Obamacare insurance exchange sites. The hub, for example, can be used to gather data from the IRS to determine whether an individual is eligible for federal subsidies to help pay for health insurance coverage.

Park described his involvement in HealthCare.gov cybersecurity issues as "rather tangential". He told the panel: "I do not have the expertise in cybersecurity that the professors of cybersecurity and other experts who previously testified before this committee have. Responsibility for the cybersecurity of HealthCare.gov rests with CMS."

Park noted that the interagency steering committee he co-chaired had a privacy and security subgroup, "but this subgroup was staffed and led by agency personnel, who occasionally asked the overall committee co-chairs to help facilitate interagency dialogue and cooperation, but who generally drove to the ultimate answers themselves."

E-mail Exchanges

Some GOP subcommittee members read from subpoenaed e-mails between Park and CMS officials to probe Park's level of knowledge of HealthCare.gov troubles, including cybersecurity issues, before its launch on Oct. 1, 2013. One of the e-mail exchanges between Park and former CMS Chief Operating Officer Michelle Snyder on Sept. 29, 2013, referred to "risks," noted subcommittee vice chairman Rep. Kevin Cramer, R-North Dakota, who asked Park to explain the "risks" that were discussed in the exchange.

"It was about helping CMS get additional hardware capacity in place for HealthCare.gov," Park testified, adding that the extra server capacity was subsequently delivered to the data center for the Obamacare website.

The questioning provoked some Democrats on the committee to scold GOP members for politicizing HealthCare.gov because of the GOP's overall disdain for the Affordable Care Act.

The "game of gotcha" with Park's e-mails sends the wrong message to technology innovators and hard-to-find cybersecurity experts in the private sector, whom the federal government is trying to recruit to public service jobs, says Rep. Suzanne Bonamici, D-Oregon. "This hearing has a feeling of a trial," commented Rep. Eric Swalwell, D-Calif.

In Park's new role as a consultant to the White House - he left the CTO position in August - he's returned to Silicon Valley to help attract "the best tech talent in the nation to serve the American people," he testified.

Park was issued a subpoena last month by Rep. Lamar Smith, R-Texas, chair of the House Science, Space and Technology Committee, to testify at the hearing (see New GOP Healthcare.gov Security Probe). Broun noted that the committee had not yet received all material that had been subpoenaed from the Obama administration prior to the hearing. That leaves open the possibility that Park might be called to testify at another hearing, Broun says.

"These documents were not easy to come by," Broun said in his opening statement, referring to the material that had been submitted under subpoena so far.

"Mr. Park, I find your and the White House's lack of transparency intolerable and an obstruction to this committee's efforts to conduct oversight," Broun said. "It took a subpoena to get you here. It took another subpoena to compel your documents from the White House, but even with that, we have yet to receive all of your documents in compliance with our subpoena issued on September 19th, exactly two months ago. That begs the question - what are you hiding, Mr. Park?"

Previous
USPS Defends Breach Notification Delay
Next
Financial Sector Terrorism Threat Grows

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



Around the Network

How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Why Health Firms Struggle with Cybersecurity Frameworks
Why Health Firms Struggle with Cybersecurity Frameworks
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.