The technologically troubled HealthCare.gov website has been the subject of at least one attempted but unsuccessful cyber attack, according to one of the of the Homeland Security Department’s top cyber officials.
“We are aware of one open-source action attempting to perpetrate a denial-of- service attack against the HealthCare.gov site that has been unsuccessful,” Bobbie Stempfley, the acting assistant secretary of DHS’ Office of Cybersecurity and Communications, testified before the House Homeland Security Committee Wednesday.
The Department of Health and Human Services, in total, has notified DHS of 16 potential security issues with the system, Stempfley told members of the committee, which focused on potential cybersecurity concerns with the online portal.
That’s just a tiny sliver of the overall number of reported attacks and intrusions against all federal systems, which totaled 138,000 in fiscal 2013, Stempfley said.
Still, lawmakers said the consolidation of personal information — such as names, Social Security numbers and immigration status — and the glitch-prone website are cause for concern.
“Even if a system worked properly, the centralization of so much data would create security concerns,” said Rep. Mike McCaul (R-Texas), the committee’s chairman. “But in this case HealthCare.gov is so flawed, these concerns are even greater.”
McCaul also said he’s concerned DHS — which is broadly responsible for securing federal civilian networks — didn’t play enough of a role in the development of the site or its security testing.
“I think it would surprise many Americans to know that DHS had, effectively, no input into the security of HealthCare.gov despite it being arguably the most significant federal government website ever created,” he said. “To be clear, DHS has not participated in any meaningful way in developing, monitoring or ensuring the security of HealthCare.gov.”
During development of the website, the only contact between DHS and the agency responsible for building it, the Centers for Medicare and Medicaid Services, “consisted of two emails and one phone call,” McCaul said.
“In this case, CMS never asked DHS for advice, technical assistance or even a threat briefing,” he added.
Agencies have responsibility for individual sites
But Stempfley said that’s not out of the ordinary.
“It is not typical for a department or agency as they’re building a specific application to involve DHS,” she said.
While it’s true that DHS is responsible for conceiving the broad security guidance agencies follow to secure their networks, under the Federal Information Security Management Act regulations, agency leadership ultimately has the responsibility for building, operating and securing specific applications, she said.
In the case of HealthCare.gov, CMS officials first contacted DHS in late August to discuss services it could offer in regard to the new information systems built to implement the Affordable Care Act (ACA), according to Stempfley’s testimony.
DHS provided CMS a list of capabilities but “has not yet received a specific request from CMS relative to the ACA systems, and has not provided technical assistance to CMS relative to ACA systems,” Stempfley said in her testimony.
The tech-troubled launch of the health care website also faced intense scrutiny at a House Oversight and Government Reform Committee hearing Wednesday.
Oversight Chairman Darrell Issa (R-Calif.) went so far as to subpoena federal chief technology officer Todd Park to testify before the committee on how the administration planned to fix the the site’s glitches.