360° Coverage : AP Exclusive: Health law cybersecurity challenges

2 Updates

AP Exclusive: Health law cybersecurity challenges

Feb 25 2014, 1:54pm CST | by

WASHINGTON (AP) — As the Obama administration raced to meet its self-imposed deadline for online health insurance markets, security experts working for the government worried that...

Filed under: news

 
 
 

26 weeks ago

AP Exclusive: Health law cybersecurity challenges

Feb 25 2014, 1:54pm CST | by

WASHINGTON (AP) — As the Obama administration raced to meet its self-imposed deadline for online health insurance markets, security experts working for the government worried that state computer systems could become a back door for hackers.

Documents provided to The Associated Press show that more than two-thirds of state systems that were supposed to tap into federal computers to verify sensitive personal information for coverage were initially rated as "high risk" for security problems.

Back-door attacks have been in the news, since the hackers who stole millions of customers' credit and debit card numbers from Target are believed to have gained access through a contractor's network.

The administration says the documents offer only a partial and "outdated" snapshot of an improving situation, and the security problems cited were either resolved or are being addressed through specific actions. No successful cyber-attacks have taken place, officials say.

However, the issues detailed in documents and emails provided by the House Oversight and Government Reform committee reveal broader concerns than the federal Health and Human Services department has previously acknowledged.

They show a frenzied behind-the-scenes juggling act by officials and contractors as the Oct. 1 deadline for new health insurance exchanges loomed. Instead of providing a showcase for President Barack Obama, the launch of his health care law became a case study in how big technology projects can go off the rails.

In order to connect to federal computers, state and other outside systems must undergo a security review and receive an "authority to connect."

With the health care law, states needed approval to connect to a new federal data hub, an electronic back room that pings Social Security, the Internal Revenue Service, Homeland Security to verify personal details about people applying for government-subsidized insurance. The hub handles sensitive information, including income, immigration status and Social Security numbers.

The documents showed a high-stakes decision-making process playing out against a backdrop of tension and uncertainty as the clock ran out. For example:

— In one email from Sept. 29, a Sunday two days before the launch, Teresa Fryer, chief information security officer for the federal Centers for Medicare and Medicaid Services, wrote of the state security approvals, "The front office is signing them whether or not they are a high risk." Her agency, known as CMS, also administers the health care law.

Two days earlier, in a separate document, CMS administrator Marilyn Tavenner approved nine states to connect although the approval document noted that "CMS views the October 1 connections to the nine states as a risk due to the fact that their documentation may not be submitted completely nor reviewed...by Oct. 1." Approval was contingent on states submitting proper documentation. The states were Arkansas, Illinois, Iowa, Louisiana, Montana, Nebraska, Pennsylvania, Oklahoma, and South Dakota.

— A CMS PowerPoint presentation from Sept. 23 revealed huge differences in states' readiness. Some were already approved; others had security weaknesses that were well understood and being tackled. But there were also states where the federal government had little information on security preparations.

"CMS views these connections to states as a high risk due to the unknown nature of their systems," according to the presentation.

CMS officials contemplated whether their agency would have to accept risk on behalf of other federal government entities, including Social Security and the IRS.

—A federal contractor explicitly detailed the potential consequences of what he called an "elevated high risk."

Allowing states to connect without the appropriate review "introduces an unknown amount of risk" that could put the personal information of "potentially millions of users at risk of identity theft," not to mention exposing the program to fraud, contractor Ryan Brewer wrote to CMS security in a Sept. 18 email.

Brewer had formerly been in government, as top CMS information security officer. He is currently with the cybersecurity firm GrayScout. The administration says he had no direct knowledge of the status of state security information.

In a Feb. 20 letter to the oversight panel's chairman, Rep. Darrell Issa, R-Calif., the administration said many of the high-risk issues identified in the documents had a corrective action plan before states got approval to connect. Twelve states received temporary, 60-day permissions to connect before Oct. 1 because the administration had not completed full reviews.

Currently, 46 states and Washington, D.C., have full three-year permissions to connect, wrote HHS assistant secretary Jim Esquea.

"The administration has not been forthcoming with the American people about the serious security risks," Issa said in a statement. "Despite repeated assurances from HHS, the department appears to still be struggling with security concerns."

Cybersecurity consultant and author Theresa Payton, who reviewed the materials for the AP, said it's difficult to second-guess the administration's decisions. A phased rollout of the health care markets would have been a prudent way to keep risks manageable. But Payton, who was chief White House information officer for President George W. Bush, said federal agencies can face unique deadline pressures.

The administration should have found a way to let consumers know that the new online markets weren't quite ready for prime time, she said. "A customer education campaign on how to avoid fraud would have gone a long way."

Even top-performing states are not immune to problems. In a Jan. 10 email exchange, officials and contractors wondered whether they might have to disconnect California from federal computers after a website publicly disclosed that state's vulnerabilities.

"There are many security issues with the states' systems," a contractor wrote to CMS supervisors. "I would expect many more of the 'known' flaws to be posted in the near future."

The administration says officials quickly contacted California, and after learning that the state was addressing the issues, dropped any consideration of disconnecting.

Source: AP Business

 
Update
2

2 days ago

Khazanah throws MAS RM6b lifeline

Aug 29 2014 5:01pm CDT | Source: Business Times Singapore

August 30, 2014 1:15 AMKHAZANAH Nasional will inject RM6 billion (SS$2.4 billion) over three years to resuscitate loss-making Malaysia Airlines (MAS) under a recovery plan that includes even an Act of Parliament. Other key moves are migrating its operations, assets and liabilities to a new company (NewCo) and slashing the w ...
Source: Business Times Singapore   Full article at: Business Times Singapore
 

 
Update
1

3 days ago

MAS posts loss of RM307m for Q2

Aug 28 2014 5:00pm CDT | Source: Business Times Singapore

August 29, 2014 1:13 AMMALAYSIA Airlines (MAS) registered a loss of RM307 million (S$122 million) for the second quarter to end-June, but warned of worse to come in the second half when the "full financial impact of the double traged ...
Source: Business Times Singapore   Full article at: Business Times Singapore
 

 

Don't miss ...

 

<a href="/latest_stories/all/all/31" rel="author">Associated Press</a>
The Associated Press (AP) is one of the largest and most trusted sources of independent newsgathering, supplying a steady stream of news to its members, international subscribers and commercial customers.

 

blog comments powered by Disqus

Latest stories

Japan to aid connectivity upgrade in northeast India
Tokyo, Sep 1 (IANS) India and Japan Monday decided to strengthen cooperation for improving connectivity and socio-economic development in northeastern states of India.
 
 
Three Ebola cases recorded in Nigeria oil hub
Abuja, Sep 1 (IANS) At least three cases of Ebola virus disease (EVD) have been recorded in Nigeria's oil hub of Port Harcourt, where a fatality was confirmed last week, the country's Minister of Health Onyebuchi Chukwu said here Monday.
 
 
India, Japan to elevate strategic partnership
Tokyo, Sep 1 (IANS) Prime Minister Narendra Modi Monday said relations with Japan were of the "highest priority" for his government and announced a slew of initiatives, including turning the strategic partnership into a "special" partnership and a fast-track channel for Japanese investors.
 
 
Indian in UAE unable to pay hospital bills
Abu Dhabi, Sep 1 (IANS) An uninsured Indian man in the UAE has run up more than $160,000 in medical bills after he suffered a brain haemorrhage and spent about six months in an Abu Dhabi hospital, a media report said.
 
 
 

Latest from the Network

'Ukrainian conflict has escalated into war'
Kiev, Sep 1 (IANS) Ukrainian Defence Minister Valeriy Geletey Monday said the conflict in eastern Ukraine between government troops and pro-independence insurgents has escalated into a "war". "A great war came at our...
Read more on Politics Balla
 
IS slogan found on school walls in Saudi Arabia
Riyadh, Sep 1 (IANS) Slogans praising Sunni militant group Islamic State (IS) were found on the walls of some schools in the Saudi Arabia capital following Saudi King Abdullah bin Abdulaziz's call for coordinated...
Read more on Politics Balla
 
Japan to aid connectivity upgrade in northeast India
Tokyo, Sep 1 (IANS) India and Japan Monday decided to strengthen cooperation for improving connectivity and socio-economic development in northeastern states of India. According to an Indian government release issued...
Read more on Politics Balla
 
Words cannot describe Abe's hospitality, says Modi
Tokyo, Sep 1 (IANS) Prime Minister Narendra Modi Monday said he could not describe in words the hospitality he received in Japan, saying it was an indication of Japanese Prime Minister Shinzo Abe's special affection...
Read more on Politics Balla
 
PTI president says political crisis in Pakistan scripted (Roundup)
Islamabad, Sep 1 (IANS) In a clear sign of a revolt brewing within, Pakistan Tehreek-e-Insaf (PTI) president Javed Hashmi Monday claimed that the ongoing political crisis in the country was scripted amidst more clashes...
Read more on Politics Balla
 
Three Ebola cases recorded in Nigeria oil hub
Abuja, Sep 1 (IANS) At least three cases of Ebola virus disease (EVD) have been recorded in Nigeria's oil hub of Port Harcourt, where a fatality was confirmed last week, the country's Minister of Health Onyebuchi...
Read more on Business Balla
 
Blake Shelton and Miranda Lambert reject $1m Vegas offer
Blake Shelton and Miranda Lambert rejected a $1 million deal to perform three shows in Las Vegas. The country couple turned down the offer and tried to negotiate a $1.25 million deal, meaning they would earn $416,000...
Read more on Celebrity Balla
 
Adam Levine splashes out $4.55m on new home
Adam Levine and his wife Behati Prinsloo are set to splash out $4.55 million on their first apartment together. The Maroon 5 frontman and the Victoria's Secret Angel - who tied the knot in July - are said to be in...
Read more on Celebrity Balla
 
Seth Rogen says stolen celebrity photos shouldn't be posted
Seth Rogen has urged people not to post the naked photos stolen from Jennifer Lawrence's phone. The 'Knocked Up' star is disgusted by the leak of explicit images of the Oscar-winning actress and is adamant that what has...
Read more on Celebrity Balla
 
Miley Cyrus: Elvis was the original twerker
Miley Cyrus has claimed Elvis Presley was the original twerker. The 'We Can't Stop' singer has attracted much attention and criticism for her penchant to perform the butt-shaking dance on stage in various flesh-flashing...
Read more on Celebrity Balla