New security issues surface for health website

By RICARDO ALONSO-ZALDIVAR and LAURIE KELLMAN
Associated Press

WASHINGTON (AP) -- President Barack Obama claimed "full responsibility" Wednesday for fixing his administration's much-maligned health insurance website as a new concern surfaced: a government memo pointing to security worries, laid out just days before the launch.

On Capitol Hill, Health and Human Services Secretary Kathleen Sebelius apologized to frustrated people trying to sign up, declaring that she is accountable for the failures but also defending the historic health care overhaul. The website sign-up problems will be fixed by Nov. 30, she said, and the gaining of health insurance will make a positive difference in the lives of millions of Americans.

Obama underscored the administration's unhappiness with the problems so far: "There's no excuse for it," he said during a Boston speech to promote his signature domestic policy achievement. "And I take full responsibility for making sure it gets fixed ASAP."

Create a More Connected Minnesota

MPR News is your trusted resource for the news you need. With your support, MPR News brings accessible, courageous journalism and authentic conversation to everyone - free of paywalls and barriers. Your gift makes a difference.

Graphic: Problems with the health care website

The website HealthCare.gov was still experiencing outages as Sebelius faced a new range of questions at the House Energy and Commerce Committee about a security memo from her department. It revealed that the troubled website was granted a temporary security certificate on Sept. 27, just four days before it went live on Oct. 1.

The memo, obtained by The Associated Press, said incomplete testing created uncertainties that posed a potentially high security risk for the website. It called for a six-month "mitigation" program, including ongoing monitoring and testing.

Security issues raise major new concerns on top of the long list of technical problems the administration is grappling with.

"You accepted a risk on behalf of every user ... that put their personal financial information at risk," Rep. Mike Rogers, R-Mich., told Sebelius, citing the memo. "Amazon would never do this. ProFlowers would never do this. Kayak would never do this. This is completely an unacceptable level of security."

Sebelius countered that the system is secure, even though the site's certificate, known in government parlance as an "authority to operate," is of a temporary nature. A permanent certificate will be issued only when all security issues are addressed, she stressed.

Spokeswoman Joanne Peters added separately: "When consumers fill out their online ... applications, they can trust that the information they're providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure. Security testing happens on an ongoing basis using industry best practices."

The security certificate is required under longstanding federal policy before any government computer system can process, store or transmit agency data. The temporary certificate was approved by Medicare chief Marilyn Tavenner, the senior HHS official closest to the rollout. No major security breaches have been reported.

The memo said, "From a security perspective, the aspects of the system that were not tested due to the ongoing development, exposed a level of uncertainty that can be deemed as a high risk for the (federal marketplace website)."

It recommended setting up a security team to address risks and conduct daily tests, and said a full security test should be conducted within two to three months of the website going live.

A separate page stated that "the mitigation plan does not reduce the risk to the (website) itself going into operation on October 1, 2013. However, the added protections do reduce the risk to the overall Marketplace operations and will ensure that the ... system is completely tested within the next 6 months."

That page was signed by three senior technical officials below Tavenner at the Centers for Medicare and Medicaid Services. All the officials deal with information security issues.

Republicans opposed to Obama's health care law are calling for Sebelius to resign. She apologized to people having trouble signing up but told the committee that the technical issues that led to frozen screens and error messages are being cleared up on a daily basis.

Sebelius' forthright statement about her ultimate accountability for problems with the sign-up rollout came as Rep. Marsha Blackburn, R-Tenn., peppered her with questions about the "debacle."

"Hold me accountable for the debacle," Sebelius responded. "I'm responsible."

Rep. Henry Waxman of California, the ranking Democrat on the committee, scoffed at Republican "oversight" of a law they have repeatedly tried to repeal.

"I would urge my colleagues to stop hyperventilating," said Waxman. "The problems with HealthCare.gov are unfortunate and we should investigate them, but they will be fixed. And then every American will have, finally have, access to affordable health insurance."

The website HealthCare.gov was intended to be the online gateway to coverage for millions of uninsured Americans, as well those who already purchase their policies individually. Many people in the latter group will have to get new insurance next year, because their policies do not meet the standards of the new law.

Throughout the 3 {-hour hearing, Sebelius was respectful, often addressing lawmakers as "sir" or "congresswoman." She kept her cool as some lawmakers repeatedly cut off her answers. But she did not shy a few times from tersely interjecting her views while a member was speaking.

The standing-room-only hearing room was silent when she swore an oath to tell the truth and began her opening statement.

Addressing consumers who've tangled with the confusing system, Sebelius added, "So let me say directly to these Americans, you deserve better. I apologize."

She parried questions about problems with the website as well as a wave of cancellation notices hitting individuals and small businesses who buy their own insurance. Those notices are coming because many existing individual policies are too skimpy to meet the law's requirements. The administration says consumers affected will be able to find better coverage.

Lawmakers also wanted to know how many people have enrolled in plans through the health insurance marketplaces. Sebelius stuck with the administration response, promising to release the data in mid-November.

Starting Jan. 1, most Americans will be required to carry health insurance or face fines. At the same time, insurance companies will no longer be able to turn away people in poor health. The law provides subsidized private insurance for middle-class people who don't get health care on the job. Low-income people can access an expanded version of Medicaid in states that agree to expand that safety net program.

Congressional Republicans have introduced competing versions of legislation to let insurance companies continue selling coverage that has been available, freeing them from a requirement to cancel policies that do not meet the standards established in the law.

One bill in the House, authored by Rep. Fred Upton of Michigan, would cover the sale of policies providing individual coverage through 2014.

Republican officials said the House was likely to vote on the issue next month.

Sens. Ron Johnson of Wisconsin and Marco Rubio of Florida back Senate legislation that would apply to existing individual or group policies, and would permit their sale indefinitely. It was not clear if or when a vote might be held in the Democratic-controlled Senate.

Identical legislation has been introduced in the House by Rep. Ron DeSantis, R-Fla.

Associated Press writers Jack Gillum and David Espo contributed to this report.