360° Coverage : AP Exclusive: Health law cybersecurity challenges

2 Updates

AP Exclusive: Health law cybersecurity challenges

Feb 25 2014, 1:54pm CST | by

WASHINGTON (AP) — As the Obama administration raced to meet its self-imposed deadline for online health insurance markets, security experts working for the government worried that...

Filed under: news

 
 
 

26 weeks ago

AP Exclusive: Health law cybersecurity challenges

Feb 25 2014, 1:54pm CST | by

WASHINGTON (AP) — As the Obama administration raced to meet its self-imposed deadline for online health insurance markets, security experts working for the government worried that state computer systems could become a back door for hackers.

Documents provided to The Associated Press show that more than two-thirds of state systems that were supposed to tap into federal computers to verify sensitive personal information for coverage were initially rated as "high risk" for security problems.

Back-door attacks have been in the news, since the hackers who stole millions of customers' credit and debit card numbers from Target are believed to have gained access through a contractor's network.

The administration says the documents offer only a partial and "outdated" snapshot of an improving situation, and the security problems cited were either resolved or are being addressed through specific actions. No successful cyber-attacks have taken place, officials say.

However, the issues detailed in documents and emails provided by the House Oversight and Government Reform committee reveal broader concerns than the federal Health and Human Services department has previously acknowledged.

They show a frenzied behind-the-scenes juggling act by officials and contractors as the Oct. 1 deadline for new health insurance exchanges loomed. Instead of providing a showcase for President Barack Obama, the launch of his health care law became a case study in how big technology projects can go off the rails.

In order to connect to federal computers, state and other outside systems must undergo a security review and receive an "authority to connect."

With the health care law, states needed approval to connect to a new federal data hub, an electronic back room that pings Social Security, the Internal Revenue Service, Homeland Security to verify personal details about people applying for government-subsidized insurance. The hub handles sensitive information, including income, immigration status and Social Security numbers.

The documents showed a high-stakes decision-making process playing out against a backdrop of tension and uncertainty as the clock ran out. For example:

— In one email from Sept. 29, a Sunday two days before the launch, Teresa Fryer, chief information security officer for the federal Centers for Medicare and Medicaid Services, wrote of the state security approvals, "The front office is signing them whether or not they are a high risk." Her agency, known as CMS, also administers the health care law.

Two days earlier, in a separate document, CMS administrator Marilyn Tavenner approved nine states to connect although the approval document noted that "CMS views the October 1 connections to the nine states as a risk due to the fact that their documentation may not be submitted completely nor reviewed...by Oct. 1." Approval was contingent on states submitting proper documentation. The states were Arkansas, Illinois, Iowa, Louisiana, Montana, Nebraska, Pennsylvania, Oklahoma, and South Dakota.

— A CMS PowerPoint presentation from Sept. 23 revealed huge differences in states' readiness. Some were already approved; others had security weaknesses that were well understood and being tackled. But there were also states where the federal government had little information on security preparations.

"CMS views these connections to states as a high risk due to the unknown nature of their systems," according to the presentation.

CMS officials contemplated whether their agency would have to accept risk on behalf of other federal government entities, including Social Security and the IRS.

—A federal contractor explicitly detailed the potential consequences of what he called an "elevated high risk."

Allowing states to connect without the appropriate review "introduces an unknown amount of risk" that could put the personal information of "potentially millions of users at risk of identity theft," not to mention exposing the program to fraud, contractor Ryan Brewer wrote to CMS security in a Sept. 18 email.

Brewer had formerly been in government, as top CMS information security officer. He is currently with the cybersecurity firm GrayScout. The administration says he had no direct knowledge of the status of state security information.

In a Feb. 20 letter to the oversight panel's chairman, Rep. Darrell Issa, R-Calif., the administration said many of the high-risk issues identified in the documents had a corrective action plan before states got approval to connect. Twelve states received temporary, 60-day permissions to connect before Oct. 1 because the administration had not completed full reviews.

Currently, 46 states and Washington, D.C., have full three-year permissions to connect, wrote HHS assistant secretary Jim Esquea.

"The administration has not been forthcoming with the American people about the serious security risks," Issa said in a statement. "Despite repeated assurances from HHS, the department appears to still be struggling with security concerns."

Cybersecurity consultant and author Theresa Payton, who reviewed the materials for the AP, said it's difficult to second-guess the administration's decisions. A phased rollout of the health care markets would have been a prudent way to keep risks manageable. But Payton, who was chief White House information officer for President George W. Bush, said federal agencies can face unique deadline pressures.

The administration should have found a way to let consumers know that the new online markets weren't quite ready for prime time, she said. "A customer education campaign on how to avoid fraud would have gone a long way."

Even top-performing states are not immune to problems. In a Jan. 10 email exchange, officials and contractors wondered whether they might have to disconnect California from federal computers after a website publicly disclosed that state's vulnerabilities.

"There are many security issues with the states' systems," a contractor wrote to CMS supervisors. "I would expect many more of the 'known' flaws to be posted in the near future."

The administration says officials quickly contacted California, and after learning that the state was addressing the issues, dropped any consideration of disconnecting.

Source: AP Business

 
Update
2

12 hours ago

Khazanah throws MAS RM6b lifeline

Aug 29 2014 5:01pm CDT | Source: Business Times Singapore

August 30, 2014 1:15 AMKHAZANAH Nasional will inject RM6 billion (SS$2.4 billion) over three years to resuscitate loss-making Malaysia Airlines (MAS) under a recovery plan that includes even an Act of Parliament. Other key moves are migrating its operations, assets and liabilities to a new company (NewCo) and slashing the workforce of 20,000 by ...
Source: Business Times Singapore   Full article at: Business Times Singapore
 

 
Update
1

1 day ago

MAS posts loss of RM307m for Q2

Aug 28 2014 5:00pm CDT | Source: Business Times Singapore

August 29, 2014 1:13 AMMALAYSIA Airlines (MAS) registered a loss of RM307 million (S$122 million) for the second quarter to end-June, but warned of worse to come in the second half when the "full financial impact of the double tragedies of MH370 and MH17" hits ...
Source: Business Times Singapore   Full article at: Business Times Singapore
 

 

Don't miss ...

 

<a href="/latest_stories/all/all/31" rel="author">Associated Press</a>
The Associated Press (AP) is one of the largest and most trusted sources of independent newsgathering, supplying a steady stream of news to its members, international subscribers and commercial customers.

 

blog comments powered by Disqus

Latest stories

Experimental Ebola drug cures infected monkeys
Toronto, Aug 30 (IANS) In what appears to provide new hope for people infected with the deadly Ebola virus, scientists have successfully treated all the Ebola infected monkeys with an experimental drug called Zmapp.
 
 
Male tilapia fish use urine to lure mates!
London, Aug 30 (IANS) Native to southern Africa, Mozambican tilapia fish use urine to reduce aggressive behaviour in other males, lure females to the nests that they make and stimulate spawning, says a study.
 
 
Curbing water scarcity possible by 2050: Study
Toronto, Aug 30 (IANS) Despite what appears to be an insurmountable problem, researchers have found that it is possible to turn the situation around and significantly reduce water scarcity in just over 35 years.
 
 
Modi arrives in Japan
Kyoto, Aug 30 (IANS) Prime Minister Narendra Modi Saturday began a five-day visit to Japan, keen to boost ties in infrastructure, trade, defence and civil nuclear energy.
 
 
 

Latest from the Network

I'm not a drug addict: Keira Knightley
Los Angeles, Aug 30 (IANS) Actress Keira Knightley believes she must have coped with being famous because she has avoided becoming a drug addict, despite shooting to fame at a young age. The 29-year-old shot to fame...
Read more on Celebrity Balla
 
Kanye West wants to do comedy film
Los Angeles, Aug 30 (IANS) Rapper Kanye West is reportedly looking for a prominent role in a "laugh out loud comedy". West has said in the past that he wants to spread his wings and dabble in other spheres of the...
Read more on Celebrity Balla
 
Chelsea's Torres joins AC Milan on two-year loan
London, Aug 30 (IANS) Chelsea striker Fernando Torres will join AC Milan on a two-year loan. "Chelsea Football Club and AC Milan have agreed terms for the two-year loan deal of Fernando Torres to the Italian club. The...
Read more on Sport Balla
 
Britney Spears 'moving on' post split
Los Angeles, Aug 30 (IANS) Pop star Britney Spears "is moving on" following her split from David Lucado by concentrating on her work. The "Toxic" hitmaker, who reportedly dumped her boyfriend Thursday after a video...
Read more on Celebrity Balla
 
It's London calling for SRK's SLAM! THE TOUR
New Delhi, Aug 30 (IANS) After touring multiple cities in the US in September, Bollywood superstar Shah Rukh Khan, some of his friends and the "Happy New Year" coterie will take to the stage in London with SLAM! THE...
Read more on Celebrity Balla
 
Modi's 'bandhgala' look in Japan gets praise
Kyoto, Aug 30 (IANS) Prime Minister Narendra Modi landed at the Osaka airport in Japan Saturday, looking dapper in a dark 'bandhgala'. His look got a thumbs up from a few Twitter users. Twitter user Atmay @...
Read more on Politics Balla
 
Dortmund hold Augsburg to win 3-2
Berlin, Aug 30 (IANS) Borussia Dortmund dominated the game but nearly had to share the spoils with a resilient Augsburg at the opener of the second round of Bundesliga. Dortmund wrapped up their first win in their...
Read more on Sport Balla
 
Loew names Germany's 21-man squad
Berlin, Aug 30 (IANS) Germany football coach Joachim Loew has called up his 21-man squad for the upcoming international matches. The reigning FIFA World champions will encounter Argentina and Scotland in September....
Read more on Sport Balla
 
Kerber out of US Open
New York, Aug 30 (IANS) Sixth seeded Angelique Kerber lost to Belinda Bencic 1-6, 5-7 in the US Open women's singles third round here. The 17-year-old Swiss tennis player was the second youngest girl in the women's...
Read more on Sport Balla
 
Croatian qualifier upsets second seed Halep at US Open
New York, Aug 30 (IANS) Croatian qualifier Mirjana Lucic-Baroni upset second seeded Romanian Simona Halep 7-6(6), 6-2 in the women's singles third round at the US Open here. "It's incredible. It's just amazing," Lucic...
Read more on Sport Balla