Does Healthcare.gov Violate the Obama Administration's Own Security Guidance?



In sworn congressional testimoney yesterday, Health and Human Services Secretary Kathleen Sebelius said that HealthCare.gov was operating under provisional security authorization—a temporary certificate issued just a few days before the October 1 launch, according to an internal administration memo first published by the Associated Press.

That memo warned that lack of thorough testing meant the site was left with the potential for serious security risks. "From a security perspective," the memo said, "the aspects of the system that were not tested due to the ongoing development, exposed a level of uncertainty that can be deemed as a high risk for the (federal marketplace website)."

In addition, the temporary authorization appears to violate administration guidance on web security—guidance crafted by Jeff Zients, who has been tasked with heading up the repair effort, in his former position as acting director of the Office of Management and Budget. As The Washington Examiner's Philip Klein reports:

During her testimony Wednesday before the House Energy and Commerce Committee, Secretary of Health and Human Services Kathleen Sebelius said that healthcare.gov is operating under a "temporary" order certifying that it met stringent security standards even as testing continues.

But that would appear to contradict guidance issued by the White House Office of Management and Budget last year by none other than Jeff Zients—the former acting director of OMB, who more recently was brought in to oversee the "tech surge" to fix problems facing Obamacare's implementation.

In a Sept. 27, 2012, memo addressed to the heads of executive departments and agencies, Zients said that OMB did not recognize "interim" authorizations.

Klein asked HHS about the apparent conflict between the memo and the temporary authorization and got a non-response:

HHS has now responded, but the response does not address the issue of whether the issuance of a temporary authorization violated official OMB guidance issued by Zients.

In an emailed statement, HHS spokeswoman Joanne Peters repeated nearly verbatim the response from CMS spokeswoman Bataille from earlier in the day. Peters said, "When consumers fill out their online Marketplace applications, they can trust that the information they're providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure. Security testing happens on an ongoing basis using industry best practices."

Regardless of whether or not the site itself is secure (which sort of doesn't matter at the moment, given that it doesn't work), it certainly looks as if the security authorization it's currently relying on violates the administration's own procedures. 

NEXT: Calif. State Senator Investigated for Taking Bribes

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. While the certificate is temporary, we may all be assured that it is stringent.

    1. Hello, I am a wealthy Kenyan prince. I recently acquired a large number of insurance plans, but I have no way to access them. If you could send me $5000, I will be able to unlock these insurance plans and would send you at least $100,000.

      1. And you could keep the $5000, too, if you like it.

        1. You didn’t scam that.

  2. Sort of OT:
    Just noticed on another BBS. Someone commented that a commercial web site is currently “Obamacared”.
    The next “Kleenex”!

    1. Meaning it’s functional but at a very slow speed and low reliability?

      1. Meaning if it were a living thing, it would jump out of the monitor and shit in the middle of your dining room table.

      2. In this case, it simply meant F’d up; not functional.

  3. You have to give the website your information to find out how much of it will be leaked out.

    1. LOL.

      I suppose the site could be “Pelosied”.

  4. Look at it this way, when people have their identity stolen they will forget all about their crappy overpriced health insurance. This could be a very good development for Obama.

    1. LOL.

      It’ll give Holder something to do.

      Wait, I’ve got something in my eye ….

  5. We need to get the anon-bot on the case and get this fixed right up.

  6. Wow. THIS was “unexpected”.

    1. Almanian!|10.31.13 @ 4:11PM|#
      “Wow. THIS was “unexpected”.”

      But Obo is “angry” and Sebelius “takes full responsibility”!

  7. If you like your identity, you can keep it.

    1. Some identities that don’t meet minimum ACA standards will be compromised. You must upgrade to at least a Bronze-level identity, which requires a minimum of $10,000 in credit card debt you didn’t authorize.

      1. Does that mean if I have a Cadillac identity, I’ll have to downgrade or be taxed?

  8. What we clearly need is single-payer identity theft.

  9. This really is stunning to behold. Even I did not realize how incompetent these boobs are.

    So let me see if I can put it in a nutshell.

    They lied their asses off, bribed and extorted to get obamacare passed with zero bipartisan support. Now that the president’s lies are plain for all to see and undeniable, they are just saying he had to do it because people dont know what is good for them.

    On top of that, the whole thing is crashing like the hindenburg. The 680M dollar website is non-functional, the plans are costing far more than the pre-obamacare projected increases, and now your identity will be stolen ( you can be certain it is going to happen ).

    The best is yet to come. I am betting once this thing gets fully implemented it will be as bad or worse than a single payer plan. Actually getting medical care will be next to impossible.

    1. The local rag buries the entire story on page 10, beneath the fold.
      The front page yesterday was given over to a feud between two GOP guys no one ever heard of.
      You can see how the media is really on top of this.

      1. A joke from East Germany, back in the day.

        (Neues Deutschland was the main government/party newspaper).

        Nasser, John Kennedy, and Napoleon were sitting together in the afterlife, looking down at the DDR and discussing their misfortunes.

        Nasser said, “if I would have had the Volksarmee at my disposal, I wouldn’t have have lost the Six Day War”

        Kennedy said, “if the STASI had worked for me, I wouldn’t have been assassinated.

        Napoleon said, “if Neues Deutschland had been France’s newspaper, nobody would have found out that I lost the battle of Waterloo.”

        The USA now has an entire media constellation that runs like Neues Deutschland.

  10. The best is yet to come. I am betting once this thing gets fully implemented it will be as bad or worse than a single payer plan. Actually getting medical care will be next to impossible.

    Considering American politics, I think we’re going to be able to achieve universal health care at sub-NHS quality and astronomical prices.

    1. When I typed that I was thinking of the case of the woman who died of hunger while in an NHS hospital, and of the several cases of patients drinking water out of flower pots.

      I just saw a report a couple of days ago that canada is reducing the allowable number of cataract surgeries in a given area from ~5000 to ~3000, if I remember the numbers right. People were already on wait for a year or so to have that treatment, and now the wait times are dramatically increasing.

      1. That truly is just sad. But it’s OK to the Progs. Which is even sadder. And why I keep my 2nd Amendment options available….

  11. On the plus side your identity might get stolen so many times that it is virtually useless to each individual theif.

    1. Now, there’s a lovely thought.

  12. So, which is it: the site needs a temporary permit because it doesn’t qualify for a full one, or

    the information they’re providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure.

    They’re not even trying any more. I guess there’s no challenge left in it; its been pretty well proven that you can tell any lie, no matter how outrageous, and as long as it is promoting a Dem program, the DemOp media won’t call you on it.

  13. Oh, and somebody needs to photoshop a solitaire game onto the computer screen.

Please to post comments

Comments are closed.