90 Miles From Tyranny : Judicial Watch Uncovers HHS Documents Detailing “High Risk” Security Problems with Obamacare Internet Site

Tuesday, September 16, 2014


Less than one month before the Healthcare.gov rollout, a top Obama administration official highlights the risk of malicious code being uploaded into the system through Excel macros, along with other “high risk” findings

(Washington, DC) – Judicial Watch today released 94 pages of documents obtained from the U.S. Department of Health and Human Services (HHS) revealing that in the days leading up to the rollout of Obamacare, top Centers for Medicare and Medicaid Services (CMS) officials knew of massive security risks with Healthcare.gov and chose to roll out the website without resolving the problems. Detailed information regarding the security flaws, previously withheld from public disclosure, was released to Judicial Watch. Also released to Judicial Watch were “Sensitive Information – Special Handling” memos sent from CMS to Mitre Corporation, the Healthcare.gov security testing company, in which CMS rated “political … damage” and “public embarrassment to CMS” as factors in defining “Risk Rating” priorities.

The HHS documents were released as a result of a Freedom of Information Act (FOIA) lawsuit filed by Judicial Watch on March 18, 2014, Judicial Watch v. U.S. Department of Health and Human Services (No. 1:14-cv-00430), after HHS failed to respond to a December 20, 2013, FOIA request seeking the following information:

Any and all records related to, regarding or in connection with the security of the healthcare.gov web portal including, but not limited to, studies, memoranda, correspondence, electronic communications (e-mails), and slide presentations from January 1, 2012 to the present.

The existence of a security flaw in the Healthcare.gov web portal, in which “[T]he threat and risk potential is limitless,” had been previously revealed in a redacted version of a September 3, 2013, memo published by the House Government Oversight Committee. However, the details of that flaw and others found in the Healthcare.gov website were omitted from the House-issued memo “for security reasons,” according to a CBS News report by Sharyl Attkisson. Judicial Watch can now reveal exactly what those security flaws entailed.

These details are especially significant in light of the revelation by federal officials that the Healthcare.gov web portal was hacked last July, as reported on September 4, 2014. The documents obtained by Judicial Watch also show that top CMS officials, including CMS Chief Information Officer Tony Trenkle and CMS Director Marilynn Tavenner, were aware of the gaping security flaws, yet Tavenner chose to launch the website anyway. Trenkle himself resigned before the site’s launch date.

In a September 3, 2013, “Authorization Decision” memo, Trenkle reveals a flaw involving Excel macros that could risk malicious code being uploaded into the system. According to a “Finding” in the just released unredacted memo, “FFM [Federally Facilitated Marketplaces] has an open high finding: Macros enabled on uploaded files allow code to execute automatically.”

In the “Finding Description” alongside that finding, the memo continues: “An excel file with a macro which executes when the spreadsheet is opened was uploaded for review by another user. The macro only opened up a command prompt window on the local user’s machine; however, the threat and risk potential is limitless. Keeping macros enabled relies on the local machine of the user who downloads to detect and stop malicious activity.”

Among the “Recommended Corrective Actions” to fix this problem, the memo says, “Implement a method for scanning uploaded documents for malicious macros.” Remarkably, the due date provided for the corrective actions to remedy this “limitless” risk problem is May 31, 2014 – eight months after the launch of Healthcare.gov.
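The corrective action quoted above is a pre-screen of uploaded Office documents. As an added illustration, not code from the memo or from CMS, the following Python checks an OOXML upload for a VBA project before it is stored for other users; the sample workbooks are constructed in memory for the demonstration, and the `build_workbook` and `scan_upload` names are this example's own.

```python
import io
import zipfile

# An OOXML workbook (.xlsx/.xlsm) is a zip container. A macro-enabled one
# carries the VBA project at xl/vbaProject.bin and declares a macroEnabled
# content type in [Content_Types].xml; checking both catches renamed files.
OOXML_PLAIN = b"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
OOXML_MACRO = b"application/vnd.ms-excel.sheet.macroEnabled.main+xml"
VBA_PARTS = ("xl/vbaproject.bin", "word/vbaproject.bin", "ppt/vbaproject.bin")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .xls/.doc header


def build_workbook(with_macro: bool) -> bytes:
    """Constructed sample container (not a real upload) for exercising the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ctype = OOXML_MACRO if with_macro else OOXML_PLAIN
        z.writestr("[Content_Types].xml",
                   b'<Types><Override PartName="/xl/workbook.xml" ContentType="'
                   + ctype + b'"/></Types>')
        z.writestr("xl/workbook.xml", b"<workbook/>")
        if with_macro:
            # Stub standing in for the OLE-packaged VBA project.
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def scan_upload(data: bytes) -> dict:
    """Classify an upload: plain OOXML is accepted, OOXML with a VBA project is
    rejected, and legacy OLE or unrecognised files are held for inspection
    because macros cannot be ruled out from the container alone."""
    if data[:8] == OLE_MAGIC:
        return {"format": "ole", "has_macro": None, "verdict": "inspect"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = {n.lower() for n in z.namelist()}
            ctypes = z.read("[Content_Types].xml") if "[Content_Types].xml" in z.namelist() else b""
    except zipfile.BadZipFile:
        return {"format": "unknown", "has_macro": None, "verdict": "inspect"}
    has_vba = any(p in names for p in VBA_PARTS) or b"macroEnabled" in ctypes
    return {"format": "ooxml", "has_macro": has_vba,
            "verdict": "reject" if has_vba else "accept"}


if __name__ == "__main__":
    print(scan_upload(build_workbook(True)))   # macro-enabled: reject
    print(scan_upload(build_workbook(False)))  # plain workbook: accept
```

Server-side rejection at upload time removes the dependence on the downloading user's machine that the finding describes, while the "inspect" path keeps legacy formats from passing silently.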

The above revelation about the potential for malicious code being uploaded into Healthcare.gov is especially noteworthy, in light of the September 4, 2014, Wall Street Journal article, which reported, “A hacker broke into part of the Healthcare.gov insurance enrollment website in July and uploaded malicious software, according to federal officials.”

In the same September 3, 2013 memo, details of another “high risk” finding were disclosed: “FFM has an open high finding: No evidence of functional testing processes and procedures being adequate to identify functional problems resulting in non-functional code being deployed.”

The “Finding Description” for this flaw elaborates: “Software is being deployed into implementation and production that contains functional errors. Untested software may produce functional errors that cause unintentional Denial of Service and information errors.” The due date provided to correct this high risk flaw was listed as February 26, 2015, nearly a year and a half following Obamacare’s launch.

Another security flaw identified in the September 3 memo is: “Many FFM controls are described in CFACTS as ‘Not Satisfied.’” (CFACTS stands for CMS FISMA Controls Tracking System. It is CMS’ database used to keep track of security problems and fixes in the agency’s information systems.) The “Risk” that this problem poses is described as follows: “There is the possibility that the FFM security controls are ineffective. Ineffective controls do not appropriately protect the confidentiality, integrity and availability of data and present a risk to the CMS enterprise.” Officials provide a due date to correct this problem of February 7, 2014 – more than four months after Healthcare.gov was to launch.

The September 3 memo also reveals that “FFM appears to have selected an inappropriate E-Authentication level.” The risk significance of this problem is ...

