Less than four days before Healthcare.gov went live, two senior officials at the U.S. Centers for Medicare & Medicaid Services (CMS) expressed reservations about the security preparedness of the site.
In a memo addressed to CMS administrator Marilyn Tavenner, the officials noted that a required Security Control Assessment (SCA) of the site had only been partially completed due to "system readiness issues."
This failure to complete the testing represents a risk that the CMS needs to mitigate once the site goes live, the officials noted. The internal CMS memo, dated Sep. 27, was obtained by CNN, which published a copy of it on its website Wednesday.
The memo, written by James Kerr, consortium administrator for Medicare Health Plans Operations, and Henry Chao, deputy CIO at the CMS, noted that security tests had been successfully conducted on different versions of the system right through the development process.
However, the security contractor in charge of the testing had not gotten an opportunity "to test all of the security controls in one complete version of the system," the memo said. "From a security perspective, the aspects of the system that were not tested due to the ongoing development exposed a level of uncertainty that can be deemed as high risk for [Federally Facilitated Marketplace]" systems, the authors noted.
The memo does not mention any specific issues and instead simply notes the "inherent security risks" with not having end-to-end code testing done in a single environment. It will likely be viewed by many as further confirmation that the site is vulnerable to attacks that enable identity theft and other kinds of fraud.
David Lindsay, senior product manager with Coverity, a firm that does software code testing for some of the largest companies in the world -- including the 10 biggest aerospace and defense companies -- said that the concerns expressed in the memo are not unusual.
Testing of applications can take place right up to the very last minute, especially with large projects. Often, organizations are unable to complete all tests until after the full system is live. The best way to mitigate security risks is to build security controls and code tests into the development process, he said.
Even with such controls, it is not unusual for organizations to discover security vulnerabilities while conducting scans and penetration tests after a system has gone live. It is not alarming that there are security issues at that point, Lindsay said. The question is how well the organization handles it.
The memo recommends several steps for mitigating security risks to the site. It calls on the CMS, which is responsible for running Healthcare.gov, to monitor and perform weekly tests of all network perimeter devices and all inter-connected servers. It also recommends the daily use of network monitoring tools for quickly detecting and mitigating suspicious behavior on the site. In addition, it calls on the CMS to get a full Security Controls Assessment test done within 90 days of the site going live.
The memo also asks Tavenner to establish a dedicated security team reporting to the CMS CIO to monitor and ensure that risk mitigation work is completed. It also recommends that the CIO and CISO report on a weekly basis to the Health Reform Operations Board.
Healthcare.gov is designed to let people enroll in Affordable Care Act health plans and does not store a lot of personal information. Instead, it serves largely to route information between the user, health insurers and databases at the Social Security Administration, the Internal Revenue Service, the Department of Homeland Security, the Department of Veterans Affairs and other federal agencies.
Since the site went live on Oct. 1, it has been beset by problems that have made it hard for people to shop around for and enroll in healthcare plans. So far, none of the problems appear to be security related.
But many security experts are concerned that the frantic rush to fix the site over the next few weeks could heighten security risks and introduce new vulnerabilities in the system.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.