Expanded HealthCare.gov Scrutiny Sought
Congressman Asks GAO to Conduct Broader Security Testing
The chairman of a House committee has requested that the Government Accountability Office conduct a "complete and continuous end-to-end testing" of the security of the HealthCare.gov site and systems. But federal officials say extensive testing of the site is ongoing.
The request, made in a May 1 letter to the GAO from Rep. Lamar Smith, R-Texas, chairman of the House Committee on Space, Science and Technology, is a follow-up to a number of Congressional committee hearings last fall that considered the security risks of the HealthCare.gov site and systems. HealthCare.gov facilitates the online health insurance exchanges for more than 30 states under the Affordable Care Act, more commonly known as Obamacare.
In the letter, Smith acknowledges that the GAO is currently conducting an audit of the security and privacy of HealthCare.gov that will include "an architecture review, vulnerability testing and examination of the monitoring and incident detection capabilities of the website."
However, in addition to what's already planned by GAO, Smith asks that the watchdog agency also perform penetration testing, source code analysis, a review of the developer supply chain, and an examination of secure code practices throughout the software development cycle.
"In the rush to launch the website, the Obama Administration appears to have cut corners that have put the personal data of millions of Americans at risk," Smith writes in the letter. "In addition ... many Americans now worry about how the Heartbleed bug may compound the risk of financial or medical identity theft," he says.
Smith also asks that the GAO make a determination "of the specific involvement of staff of the Executive Office of the President relative to the development and implementation of the security and privacy standards of HealthCare.gov prior to the Oct. 1, 2013 launch."
Smith also requests that GAO provide "a determination by Sept. 1 as to whether the Administration has effectively implemented appropriate controls to protect the confidentiality, integrity and availability of the HealthCare.gov information systems and information."
Despite the technical problems that crippled the HealthCare.gov site in the early weeks of its launch, the Department of Health and Human Services has said that about 8 million Americans signed up for health insurance coverage before open enrollment ended in March.
So Far, So Good?
Throughout the intense Congressional and public scrutiny of HealthCare.gov's security, HHS officials have maintained that there have been no successful malicious attacks on the site or systems.
In a recent interview with Information Security Media Group, HHS CIO Kevin Charest said HealthCare.gov is undergoing "end-to-end" security testing every quarter, even though the federal government requires such testing every three years.
The quarterly testing will likely continue for the next year or two, "then move to a reasonable cycle," he said. The next test is slated for June.
Independent security contractors completed a security control assessment of the federally facilitated marketplace (FFM) on Dec. 18, 2013, "with no open high findings," says the Centers for Medicare and Medicaid Services - the HHS unit responsible for HealthCare.gov - in a statement to ISMG. "This security control assessment met all industry standards, was an end-to-end test and was conducted in a stable environment that allowed for testing to be completed in the allotted time," CMS says.
Additionally, the security of the HealthCare.gov systems "is also monitored by sensors and other tools to deter and prevent any unauthorized access," says the statement. "CMS conducts continuous monitoring by a 24/7, multi-layer IT professional security team, and added penetration testing and a change management process with ongoing testing and mitigation strategies implemented in real time. As part of the ongoing testing process, and in line with federal and industry standards, any open risk findings are being appropriately addressed with risk mitigation strategies and compensating controls."
CMS also notes: "Ongoing vulnerability assessments of the FFM network infrastructure and Internet-facing Web servers are conducted through penetration testing, which involves simulated attempts to breach the security defense of the website, and continuous monitoring of marketplace-related systems to alert security professionals of any new vulnerabilities that may exist due to recent changes or maintenance. Information from these tests has enabled us to prevent any successful attacks on the FFM."
Before the next open enrollment period begins on Oct. 1, the HealthCare.gov technical and security team will update the site and systems with new health plans being offered by insurers, Charest said. "We're continually improving the site," Charest said. "There's no lack of understanding that the launch wasn't what we desired."
In response to the Heartbleed bug, in April, HHS issued a notice on HealthCare.gov requiring consumers to change their passwords for the website. HHS said that while there was no indication that any personal information had ever been at risk, the steps to address Heartbleed issues and reset consumers' passwords were taken "out of an abundance of caution" (see Healthcare.gov: Change Passwords).
A spokesman for Smith tells Information Security Media Group that he has not yet heard back from the GAO in response to the letter. Also, a spokesman for the GAO tells ISMG that "every request we receive undergoes a review before we make a determination and that usually takes a week or two. So [GAO does not] have a decision as of yet."
David Kennedy, founder of security firm TrustedSec, who in November testified at a House Committee on Science, Space and Technology hearing about HealthCare.gov security risks, tells ISMG the most important activities he'd like to see GAO complete are source code analysis, penetration testing and the review of the secure coding practices. "This will ensure we understand the current level of threats as well as ensuring that there is a process in place to reduce new exposures introduced to the healthcare.gov infrastructure long-term," he says.
Penetration testing should test the site's Web applications, Web services tier, network, operating system and Web server layers, "as well as the human element or social-engineering," he says. "This will give a large understanding of what types of exposures exist from both an external, internal, and personnel standpoint."
Meanwhile, source code analysis "determines the level of proper coding practices and what exposures truly exist," he says. "If backdoors are placed in HealthCare.gov, it could be disastrous."
In addition to the GAO review of HealthCare.gov, end-to-end testing should be done at least annually, Kennedy says. "In-between [there] should be code reviews and appropriate security controls test to ensure no new major exposures go unnoticed," he says.