Top experts today gave members of the House Oversight & Government Reform Committee their thoughts about how hackers might try to attack HealthCare.gov.
Members of the committee unanimously voted to close the session to the public, to avoid giving hackers a tutorial on HealthCare.gov vulnerabilities.
The witnesses were Kevin Charest, chief information security officer at the U.S. Department of Health and Human Services, and Milton Shomo, a principal information systems engineer at MITRE Corp., a company that’s tested HealthCare.gov security.
The written versions of the witnesses’ testimony aren’t classified documents, but the committee gave members of Congress numbered copies and prohibited members from making their own copies or taking the documents out of the hearing room.
Rep. Darrell Issa, R-Calif., the committee chairman, said in an opening statement that his staff has been unable to get information about HealthCare.gov security from HHS. He said his staff has had to rely on documents obtained from vendors, through subpoenas.
The documents suggest HHS opened HealthCare.gov to the public before data security officials thought it was ready, Issa said.
Issa said his understanding is that, under the law, a high-level federal official can approve the launch of a website simply by agreeing to accept the risk that the site could have security problems, even if the site has failed security tests or has undergone no tests.
“There is no protection against a judgment call,” Issa said.
Rep. Elijah Cummings, D-Md., the highest-ranking Democrat on the committee, noted that the hearing was the 23rd the committee’s held on the Patient Protection and Affordable Care Act (PPACA) and PPACA implementation.
HHS data security officials have assured Congress that HealthCare.gov is secure and has not yet been the target of a successful attack, Cummings said.