The maddening technical problems that frustrated consumers for weeks as they tried to sign up for health insurance would pale in comparison if a serious security breach compromised the names, Social Security numbers, incomes and other personal information of millions of Americans.
Republicans on the House Oversight and Government Reform Committee are trying to build a case that the administration recklessly ignored security concerns to meet a self-imposed Oct. 1 deadline for flipping the switch. The administration — and Democratic lawmakers— say all issues were addressed through special vigilance instituted just before the launch. While Republicans have raised questions, they have yet to find a smoking gun.
Officials told the committee no attempted attack by hackers has succeeded, although a shadowy group calling itself "Destroy Obamacare" has tried. There have been 13 known inadvertent exposures or disclosures of information.
The root of the controversy is that the healthcare site did not get full security testing, as is the usual practice with federal systems before they are put into use. The technology was getting constant tweaks that precluded a final assessment. It also was prone to crashing.
However, Medicare's top cybersecurity official testified Thursday that the revamped website passed full security tests Dec. 18, easing her earlier concerns about vulnerabilities. Teresa Fryer, chief information security officer at the Centers for Medicare and Medicaid Services, had initially balked at the site going live.
She said Thursday she would now recommend full operational and security certification for the site, which currently has what amounts to a six-month permit. The Medicare agency is responsible for expanding coverage to the uninsured under the healthcare law.
Shortly before the launch, Fryer had told other top officials that she could not recommend going ahead because security testing had not been completed.
She drafted a formal memo expressing her concerns, but never sent it, partly because more senior officials had already determined to proceed with additional safeguards to address potential risks. "There is also no confidence that personal identifiable information will be protected," she said in her unsent memo.
The formal go-ahead to operate the system was signed Sep. 27 by Medicare chief Marilyn Tavenner, who usually does not adjudicate technology disputes.
Testing since then seems to have settled the internal debate.
"The testing was successfully completed. It had good results," Fryer told the committee. She agreed with a suggestion by Rep. Jackie Speier, D-Calif., that HealthCare.gov now has "a clean bill of health."
But Republicans sought to turn the focus to the administration's decision to launch before testing was complete.
Baitman, the HHS chief information officer, testified that he relayed the concerns of Fryer and others to senior levels of the department, telling second-in-command Corr and Assistant Secretary for Administration E.J. "Ned" Holland.
Baitman said he was not personally convinced the security worries were a "red flag." But he did say he had recommended a phased-in launch as opposed to trying to go live nationally on Oct. 1.
Chairman Darrell Issa, R-Calif., investigating the chaotic rollout of the website, contends the administration risked Americans' personal information to avoid postponing the president's signature program. "It seems to defy common sense that a website plagued with functional problems was in fact perfectly secure," said Issa.
The panel's senior Democrat, Rep. Elijah Cummings of Maryland, said Republicans are "cherry picking partial information to promote a political narrative that is inaccurate."
Cummings says it is Republicans who are risking the privacy of average citizens by demanding detailed blueprints that, if leaked, would become a road map for hackers.
With the healthcare law remaining a polarizing issue in the midterm congressional elections, both political parties are at battle stations.
In a closed-door deposition prior to the hearing, top HHS cybersecurity officer Kevin Charest said he, too, was concerned about potential vulnerabilities ahead of the launch. But he told congressional investigators he was unable to get answers to his questions from others inside the department. He concluded that the testing of the site was substandard.
"I would say that it didn't follow best practices," Charest said in a Jan. 8 deposition.