WASHINGTON (AP) — The HealthCare.gov federal exchange enrollment site has not yet undergone full security testing and has only a temporary certificate of authority to operate.
The troubled Patient Protection and Affordable Care Act (PPACA) exchange enrollment system website received the temporary security certificate Sept. 27, just four days before it went live on Oct. 1, according to a memo obtained by The Associated Press.
The incomplete testing created uncertainties that posed a potentially high security risk for the website, according to the memo.
The memo called for a six-month "mitigation" program, including ongoing monitoring and testing.
That page was signed by three senior technical officials at the Centers for Medicare and Medicaid Services (CMS). All the officials deal with information security issues.
The memo came up Wednesday at a House committee hearing on PPACA implementation featuring Health and Human Services (HHS) Secretary Kathleen Sebelius. Sebelius oversees CMS.
"You accepted a risk on behalf of every user ... that put their personal financial information at risk," Rep. Mike Rogers, R-Mich., told Sebelius, citing the memo. "Amazon would never do this. ProFlowers would never do this. Kayak would never do this. This is completely an unacceptable level of security."
Sebelius countered that the HealthCare.gov system is secure.
A permanent certificate will be issued when all security issues are addressed, Sebelius said.
Spokeswoman Joanne Peters said separately: "When consumers fill out their online ... applications, they can trust that the information they're providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure. Security testing happens on an ongoing basis using industry best practices."
A security certificate is required under longstanding federal policy before any government computer system can process, store or transmit agency data. The temporary certificate was approved by CMS chief Marilyn Tavenner.
No major security breaches have been reported.
The memo said, "From a security perspective, the aspects of the system that were not tested due to the ongoing development, exposed a level of uncertainty that can be deemed as a high risk for the (federal marketplace website)."
The memo recommended setting up a security team to address risks and conduct daily tests, and said a full security test should be conducted within two to three months of the website going live.
On a separate page, the memo stated that "the mitigation plan does not reduce the risk to the (website) itself going into operation on October 1, 2013. However, the added protections do reduce the risk to the overall Marketplace operations and will ensure that the ... system is completely tested within the next 6 months."
Republicans opposed to PPACA are calling for Sebelius to resign. She apologized to people having trouble signing up but told the committee that the technical issues that led to frozen screens and error messages are being cleared up on a daily basis.
Associated Press writers Jack Gillum and David Espo contributed to this report.