House committees had three Patient Protection and Affordable Act implementation hearings going on at the same time Thursday morning.
The House Oversight and Government Reform Committee brought in Kevin Charest, the chief information security officer at the U.S. Department of Health and Human Services, and Teresa Fryer, director of the enterprise information security group at the Centers for Medicare & Medicaid Services.
The committee also hauled in Frank Baitman, the HHS chief information officer.
Republicans asked witnesses detailed questions about whether HealthCare.gov went live without an adequate review process.
The Republican members said they’d gotten one security report, from September, from one of the HealthCare.gov contractors, but that they were having trouble getting other site security documents and didn’t even know about a new report created in December.
Fryer said she’d have to ask her agency about providing a full report.
“Those are sensitive documents,” Fryer said. “We don’t like to have them out there.”
Rep. Gerry Connolly, D-Va., argued that, if someone does give the committee the full security plan, someone could accidentally leak the plan and bring on the kind of attack that the committee is supposed to try to prevent.
Charest provided written testimony that described the Federal Information Security Management Act data security requirements that apply to the exchange.
The House Committee on Science, Space and Technology presented witnesses who talked about the threat of thieves using exchange systems to steal the users’ identities.
Waylon Krush of Lunarline, a cyber-security company, said all computer systems face security risks and that many other government sites seem to be of greater interest to would-be criminals.
“The recent coverage of retail demonstrates some of the high-payoff targets criminals are interested in,” Krush said.
David Kennedy of TrustedSec, another data security company, provided an analysis of what he sees as the weaknesses in the HealthCare.gov system that showed up as Fryer was considering whether to give the system an ATO – “authority to operate.”
Members of the House Energy & Committee asked Gary Cohen, director of the Center for Consumer Information & Insurance Oversight, the CMS unit in charge of the exchanges, why, shortly before open enrollment, he’d given testimony assuring the committee HealthCare.gov would work.
“Clearly, it was wrong,” Cohen said. “But it was also what I believed.”
CMS technology officials predicted that the site would work, Cohen said.
Rep. Michael Burgess, R-Texas, blasted Cohen.
“If I were [the HHS] secretary, I would have fired you,” he said. “If I were the president… I would have been so embarrassed I would have fired the whole lot of you.”
Cohen said the HealthCare.gov site is now working.
“If we’d all been fired, it would not be working now,” Cohen said.