Issa’s Quest Continues to Expose HealthCare.gov Security Gaps
Oversight and Government Reform Chairman Darrell Issa is on a quest to prove there are vast security gaps on HealthCare.gov, and he and his staff think they may have just hit a goldmine.
On Dec. 20, the California Republican’s office released selected portions of a Dec. 17 interview between the committee and Teresa Fryer, the chief information security officer at the Centers for Medicare and Medicaid Services.
According to the excerpts, Fryer urged her colleagues against issuing an authority to operate (ATO) approval for the website — which is meant to facilitate enrollment into the insurance exchanges mandated by the 2010 health care law — due to potential cybersecurity vulnerabilities. (An ATO order is like a green light to launch a site.)
Additional transcribed excerpts from the committee’s Dec. 4 grilling of Tony Trenkle, the former chief information officer for CMS, could give Issa and his team more fodder: Portions of the interview, obtained by 218, show that Trenkle doesn’t “recall” cautions from Fryer about proceeding with the Oct. 1 launch of the website.
“When asked if he got feedback from his chief security advisor Teresa Fryer on going ahead with the Oct 1 launch, Trenkle told the committee, ‘Not that I recall,’” Issa spokesman Frederick Hill said in an email. “Fryer’s stark testimony about the warnings she gave Trenkle and others has opened up new questions about the candor and credibility of [Health and Human Services] officials who made the disastrous decision to go forward with the October 1 launch against expert advice.”
Here’s an excerpt of an exchange between Fryer and the committee from Dec. 17, which Issa and his cohorts argue tells a very different story than the one Trenkle, who resigned in mid-November, relayed to the committee.
Fryer: My recommendation was a denial of an ATO.
Committee: Who did you make that recommendation to?
Fryer: To my management. To the authorizing official.
Committee: Which is who?
Fryer: Tony Trenkle.
Committee: And did you do that in person?
Fryer: Yes, and it was during the security testing when the issues were coming up about the availability of the system, about the testing in different environments. I had discussions with him on this and told him that my evaluation of this was a high risk.