Policy

Issa's Quest Continues to Expose HealthCare.gov Security Gaps

Oversight and Government Reform Chairman Darrell Issa is on a quest to prove there are vast security gaps on HealthCare.gov, and he and his staff think they may have just hit a goldmine.

On Dec. 20, the California Republican's office released selected portions of a Dec. 17 interview between the committee and Teresa Fryer, the chief information security officer at the Centers for Medicare and Medicaid Services.

According to the excerpts, Fryer urged her colleagues against issuing authority to operate approval for the website — which is meant to facilitate enrollment into the insurance exchanges mandated by the 2010 health care law — due to potential cybersecurity vulnerabilities. (An ATO order is like a green light to launch a site.)

Additional transcribed excerpts from the committee's Dec. 4 grilling of Tony Trenkle, the former chief information officer for CMS, could give Issa and his team more fodder: Portions of the interview, obtained by 218, show that Trenkle doesn't "recall" cautions from Fryer about proceeding with the Oct. 1 launch of the website.

"When asked if he got feedback from his chief security advisor Teresa Fryer on going ahead with the Oct 1 launch, Trenkle told the committee, 'Not that I recall,'" Issa spokesman Frederick Hill said in an email. "Fryer's stark testimony about the warnings she gave Trenkle and others has opened up new questions about the candor and credibility of [Health and Human Services] officials who made the disastrous decision to go forward with the October 1 launch against expert advice."

Here's an excerpt of an exchange between Fryer and the committee from Dec. 17, which Issa and his cohorts argue tells a very different story than the one Trenkle, who resigned in mid-November, relayed to the committee.

Fryer: My recommendation was a denial of an ATO.

Committee: Who did you make that recommendation to?

Fryer: To my management. To the authorizing official.

Committee: Which is who?

Fryer: Tony Trenkle.

Committee: And did you do that in person?

Fryer: Yes, and it was during the security testing when the issues were coming up about the availability of the system, about the testing in different environments. I had discussions with him on this and told him that my evaluation of this was a high risk.

Team Issa might have something substantial to show for its dogged efforts to expose incompetence in the Obama administration, but it faces somewhat of an uphill battle in getting people to see the information outside a partisan filter.
Issa has come under fire over the past week for releasing subpoenaed materials without first attaining a majority vote from the full Oversight and Government Reform Committee, which could run afoul of House rules. Even Minority Leader Nancy Pelosi, D-Calif., has joined in, calling for Speaker John A. Boehner, R-Ohio, to compel Issa to stand down.
He is also being slammed by his ranking member, Rep. Elijah E. Cummings, D-Md., who says the releases are not only breaking precedent, but have been taken entirely out of context.
"Chairman Issa's reckless pattern of leaking partial and misleading information is now legendary for omitting key information that directly contradicts his political narrative," Cummings said in a statement last week. "This effort to leak cherry-picked information is part of a deliberate campaign to scare the American people and deny them the quality affordable health insurance to which they are entitled under the law."
Cummings' team has made public its own portions of the Fryer transcript, which reportedly show that her concerns about HealthCare.gov's security risks — and her recommendation not to approve the ATO for the site's launch — were assuaged seven days later, when additional risk mitigation strategies were established that rendered that "no" recommendation all but moot.
Fryer also told the committee that "there have been no successful attempts of any of these types of attacks ... no successful breaches [or] security incidents," and that the website's systems "exceed" the standards established by the National Institutes of Standards and Technology pursuant to the Federal Information Security Management Act.
Oversight and Government Reform Committee Democrats also had a counter to the Republicans' use of Trenkle's testimony: "During his own transcribed interview with Committee staff, Mr. Trenkle — who has decades of experience with IT systems and was not a political appointee — stated that the mitigation strategy addressed the risks outlined in the ATO on Sept. 27," they wrote in a Dec. 20 release.