Lawmakers: security warnings came before launch

Republican critics of Obamacare say website operators saw memos about a lack of security testing

Top IT officials from U.S. President Barack Obama's administration insisted is as secure as possible, despite questions raised from inside the government before the flawed website's launch.

A Sept. 3 memo from Tony Trenkle, CIO at the U.S. Centers for Medicare and Medicaid Services (CMS), raised six security concerns, including two open high-priority problems, less than a month before the agency launched, Republican critics of the Obama administration noted Wednesday.

Republicans also pointed to a Sept. 13 CMS memo saying security vendor Mitre was unable to complete end-to-end security testing of the health insurance website. CMS officials are still "ignoring" integrated security testing requirements for the website, said Representative Darrell Issa, a California Republican and chairman of the U.S. House of Representatives Oversight and Government Reform Committee.

"On the day of the launch, and even today, there are material failures in the security of the Obamacare website," Issa said during a committee hearing. "Hackers may have already, or may soon, find those vulnerabilities."

Several Republican critics of the Affordable Care Act, the 2010 insurance reform law known as Obamacare, questioned the security of during two separate hearings Wednesday morning. So far, critics of the law and its main website have been able to point to a single security incident, when one insurance applicant's personal information was shared with a second user.

Henry Chao, deputy CIO at CMS, and other Obama administration officials defended the security practices at during an often contentious oversight committee hearing. Despite a Sept. 27 internal memo raising concerns about a lack of end-to-end testing on the site, security testing is continually happening, Chao said. hasn't had end-to-end testing because security testing has not been completed on some portions of the website that are not yet rolled out or have not yet been completed, Chao told the committee. "We are still building parts of the system," he said.

Asked if is as secure as a banking website, Chao answered: "It was designed, implemented and tested to be secure."

Representative Patrick McHenry, a North Carolina Republican, asked if the website was "fully" tested to be as secure as other CMS sites.

The website meets all federal data security standards, said Chao, who earlier told committee staffers he did not see the Sept. 3 Trenkle memo.

Several Republicans questioned why CMS launched the site on Oct. 1 when there were outstanding questions about security and functionality. Many users were unable to navigate the website in the days after the launch, with page time-outs and several other malfunctions.

The problems persist a month-and-a-half after launch, Representative James Lankford, an Oklahoma Republican, said. Lankford tried to create an account on for about 90 minutes Wednesday morning with no success, he said.

Still, Chao and Todd Park, CTO for the Obama administration, both declined to say they would have delayed the website's launch, knowing what they know now. The decision to launch was not theirs, they both said.

Some Democrats accused committee Republicans of raising security questions in an effort to discredit Obamacare. Republicans are trying "to scare Americans away from the website by once again making unsupported assertions about the risk to their personal medical information," said Representative Elijah Cummings, a Maryland Democrat. "Nobody in this country believes that Republicans want to fix the website."

The effect of oversight hearing might be to "exaggerate the security difficulties of the website," added Representative Jim Cooper, a Tennessee Democrat. "The entire Internet probably should be more secure."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is

Join the CSO newsletter!

Error: Please check your email address.

Tags Healthcare.govTony TrenkleBarack Obamaindustry verticalsU.S. Centers for Medicare and Medicaid ServicesJim Coopersecurityhealth caregovernmentHenry ChaoElijah Cummingsdata protectionPatrick McHenryTodd ParkJames LankfordDarrell IssaU.S. House of Representatives Oversight and Government Reform CommitteeGovernment use of ITonline safety

More about CMSHouse of RepresentativesIDG

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Grant Gross

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place