A top Healthcare.gov security officer told Congress this week that recommendations she made to limit access to the site owing to serious vulnerabilities were overruled by higher-ups in the Obama administration. CBS News’s Sharyl Attkisson has the story:
Teresa Fryer, the chief information security officer for the Centers for Medicare and Medicaid Services (CMS) … was interviewed Tuesday behind closed doors by House Oversight Committee officials. The security risks were not previously disclosed to members of Congress or the public. Obama administration officials have firmly insisted there’s no reason for any concern regarding the website’s security.
[…]
Details are not being made public for security reasons but Fryer testified that one vulnerability in the system was discovered during testing last week related to an incident reported in November. She says that as a result, the government has shut down functionality in the vulnerable part of the system. Fryer said the other high-risk finding was discovered Monday. [Emphasis added]
In another security bombshell, Fryer told congressional interviewers that she explicitly recommended denial of the website’s Authority to Operate (ATO), but was overruled by her superiors. The website was rolled out amid warnings Fryer said she gave both verbally and in a briefing that disclosed ‘high risks’ and possible exposure to ‘attacks.’
“My recommendation was a denial of ATO,” Fryer told the committee during her day-long testimony. She told House members that her first recommendation to then-CMS chief information officer Tony Trenkle was made soon after the launch of the website on Oct. 1. She said, “I had discussions with him on this and told him that my evaluation of this was a high risk.” Trenkle retired from his CMS job on Nov. 13.
This is the first time a government insider has gone on record challenging the administration’s insistence that there were no worrisome security concerns.
When confronted with Fryer’s claims, Health and Human Services Secretary Kathleen Sebelius issued a denial, saying, “I can tell you that no senior official reporting to me ever advised me that we should delay.” But Fryer maintains that she briefed Sebelius’ top information officers at HHS in a teleconference Sept. 20, urging that the website launch be delayed for security reasons.
Fryer further testified that the the participants in the conversation included Healthcare.gov’s chief project manager Henry Chao, HHS chief information security officer Kevin Charest, and HHS Deputy Assistant Secretary for Information Technology Officer Frank Baitman. She says she was advised three days later that her advice was not going to be followed.
