WASHINGTON: As the Obama administration raced to meet its self-imposed deadline for online health insurance markets, security experts working for the government worried that state computer systems could become a back door for hackers.
Documents provided to the Associated Press show that more than two-thirds of state systems that were supposed to tap into federal computers to verify sensitive personal information for coverage were initially rated as “high risk” for security problems.
Back-door attacks have been in the news, since the hackers who stole millions of customers’ credit and debit card numbers from Target are believed to have gained access through a contractor’s network.
The Obama administration says the documents offer only a partial and “outdated” snapshot of an improving situation, and the security problems cited were either resolved or are being addressed through specific actions. No successful cyber attacks have taken place, officials say.
However, the issues detailed in documents and emails provided by the House Oversight and Government Reform Committee reveal broader concerns than the federal Health and Human Services department has previously acknowledged.
The potential impact of security flaws is rated high if a breach could have a severe or catastrophic impact on organizational operations, organizational assets, or individuals; moderate if the consequences would be serious; and low if the adverse effects would be limited. Ohio’s risk was rated moderate on Sept. 29.
In order to connect to federal computers, state and other outside systems must undergo a security review and receive an “authority to connect.”
With the health-care law, states needed approval to connect to a new federal data hub, an electronic back room that pings Social Security, the Internal Revenue Service and Homeland Security to verify details about applicants for subsidized insurance. The hub handles such information as income, immigration status and Social Security numbers.
The documents showed a high-stakes decision-making process playing out against a backdrop of tension and uncertainty as the clock ran out.
For example, in one email from Sept. 29, a Sunday two days before the launch, Teresa Fryer, chief information security officer for the federal Centers for Medicare and Medicaid Services, wrote of the state security approvals, “The front office is signing them whether or not they are a high risk.” Her agency, known as CMS, also administers the health-care law.
Two days earlier, in a separate document, CMS administrator Marilyn Tavenner approved nine states to connect although she noted proper documentation was incomplete or had not been reviewed. The states were Arkansas, Illinois, Iowa, Louisiana, Montana, Nebraska, Pennsylvania, Oklahoma and South Dakota.
In a statement, the oversight panel’s chairman, Rep. Darrell Issa, R-Calif., said, “The administration has not been forthcoming … about the serious security risks. Despite repeated assurances from HHS, the department appears to still be struggling with security concerns.”