One of the persistent concerns about Healthcare.gov regards the security of the federal health insurance exchange marketplace, as I reported for Politico Magazine this month. At least one glaring security flaw remained unpatched until the end of October. Despite the “big fix” announced on December 1, the security of the website and the backend systems behind it have not only remained in doubt, given issues that have come out in Congressional testimony but have now become the subject of contentious exchanges between the United States House Oversight Committee and the Department of Health and Human Services, which operates them.
Today, Democrats on the House Energy and Commerce Committee released a memorandum regarding a security briefing on the Affordable Care Act (embedded below) that includes a summary of a classified briefing from Dr. Kevin Charest, the HHS Chief Information Security Officer, and Ned Holland, HHS Assistant Secretary for Administration. The memorandum states that “there have been no successful security attacks on Healthcare.gov. In it, Dr. Charest is quoted as saying that “no person or group has hacked into Healthcare.gov, and no person or group has maliciously accessed any personally identifiable information from users.”
The authors of the memorandum, Representatives Henry A. Waxman and Diana DeGette, write that “the information provided in the briefing was reassuring,” given the assurances of the chief information security officer that “the security of Healthcare.gov has not been breached, and hackers have had no access to personally identifiable information.”
Despite this letter, it’s not clear whether the Healthcare.gov security concerns that TrustedSec has highlighted have been addressed. Given the continued focus of Congressional committees on the issue, expect more assessments and audits to emerge in the future.