Healthcare.gov is ripe for cyber attacks targeting personal information, the chairman of the House Homeland Security Committee charged Wednesday.
The site is vulnerable because the federal agency charged with ensuring the security of government websites played virtually no part in its development, Rep. Michael McCaul (R-Texas) said.
Apart from two e-mails and a phone call, the Department of Homeland Security (DHS) did not participate in the Centers for Medicare and Medicaid Services’ (CMS) development of the enrollment portal for the landmark health law, McCaul said.
“DHS had effectively no input into the security of Healthcare.gov, despite it being arguably the most significant federal website ever constructed,” the Texas Republican said during a hearing of the panel.
Upon logging onto the website, consumers looking for coverage are prompted to input personally identifying information, including their social security number, immigration status, household income and details about their health.
While the system does not store the information, McCaul said it could exist for as long as ten years on federal and state exchanges set up under the Affordable Care Act (ACA).
“All of this information is a tempting target for hackers, identity thieves and other malicious actors,” he said.
Under questioning, Roberta “Bobbie” Stempfly, associate director of the DHS Office of Cybersecurity and Communications, said it is investigating roughly 16 reports from agencies about possible attacks, and is aware of one unsuccessful “denial-of-service” attack seeking to shut the site down.
Stempfly stressed that it would be atypical for an agency to involve DHS prominently in the development of an application, and said agencies retain primary responsibility for securing and defending their own networks.
The panel’s top Democrat said GOP criticism over DHS involvement is misplaced.
“Some of my colleagues have indicated that DHS should assure the safety and security of the personal information on Healthcare.gov,” Rep. Bennie Thompson (D-Miss.) said. “While this is an interesting proposition, there is no law requiring DHS to play such a role.”
Rather, Thompson said, DHS has the broader responsibility of observing, reporting and responding to threats and assuring that agencies follow regulations under the Federal Information Security Management Act (FISMA).
Still, Stempfly testified that DHS was contacted by CMS in August about services the agency might be able to provide in relation to the ACA.
The two agencies entered into general discussions to refine the request for assistance, and DHS gave CMS descriptions of specific capabilities and services the agency could offer.
CMS has not followed up with a specific request, and Stempfly’s office has not provided technical assistance to CMS relative to Healthcare.gov, she said.