Thursday, October 31, 2013
Associated Press
WASHINGTON
President Barack Obama claimed “full responsibility” Wednesday for fixing his administration’s much-maligned health insurance website as a new concern surfaced: a government memo pointing to security worries, laid out just days before the launch.
On Capitol Hill, Health and Human Services Secretary Kathleen Sebelius apologized to frustrated people trying to sign up, declaring that she is accountable for the failures but also defending the historic health care overhaul. The website sign-up problems will be fixed by Nov. 30, she said, and the gaining of health insurance will make a positive difference in the lives of millions of Americans.
Obama underscored the administration’s unhappiness with the problems so far: “There’s no excuse for it,” he said during a Boston speech to promote his signature domestic policy achievement. “And I take full responsibility for making sure it gets fixed ASAP.”
The website HealthCare.gov still was experiencing outages as Sebelius faced a new range of questions at the House Energy and Commerce Committee about a security memo from her department. It revealed that the troubled website was granted a temporary security certificate Sept. 27, just four days before it went live Oct. 1.
The memo, obtained by The Associated Press, said incomplete testing created uncertainties that posed a potentially high security risk for the website. It called for a six-month “mitigation” program, including ongoing monitoring and testing.
Security issues raise major new concerns on top of the long list of technical problems the administration is grappling with.
“You accepted a risk on behalf of every user ... that put their personal financial information at risk,” Rep. Mike Rogers, R-Mich., told Sebelius, citing the memo. “Amazon would never do this. ProFlowers would never do this. Kayak would never do this. This is completely an unacceptable level of security.”
Sebelius countered that the system is secure, even though the site’s certificate, known in government parlance as an “authority to operate,” is of a temporary nature. A permanent certificate will be issued only when all security issues are addressed, she stressed.
The memo said, “From a security perspective, the aspects of the system that were not tested due to the ongoing development, exposed a level of uncertainty that can be deemed as a high risk for the [federal marketplace website].”
It recommended setting up a security team to address risks and conduct daily tests, and said a full security test should be conducted within two to three months of the website going live.
A separate page stated that “the mitigation plan does not reduce the risk to the [website] itself going into operation on Oct.1, 2013. However, the added protections do reduce the risk to the overall Marketplace operations and will ensure that the ... system is completely tested within the next 6 months.”
That page was signed by three senior technical officials below Tavenner at the Centers for Medicare and Medicaid Services. All the officials deal with information security issues.