Cybersecurity Chief Had Qualms Over Health Website


WASHINGTON (AP) - The top cybersecurity officer for the Health and Human Services Department said he was concerned about potential vulnerabilities ahead of the launch of the Obama administration's health care website.

But Kevin Charest told congressional investigators he was unable to get answers to his questions from others inside the department. He concluded that the testing of the site was substandard.

"I would say that it didn't follow best practices," Charest testified in a Jan. 8 deposition. Excerpts of his testimony were provided to The Associated Press by the House Oversight and Government Reform Committee.

Charest and Teresa Fryer — another government cybersecurity professional who also had qualms — were to testify before the panel Thursday.

Chairman Darrell Issa, R-Calif., investigating the chaotic rollout of the website, contends the administration risked the personal information of millions of Americans in its zeal to meet a self-imposed Oct. 1 deadline. The online federal insurance market is the main portal to coverage under President Barack Obama's signature program.

The panel's senior Democrat, Rep. Elijah Cummings of Maryland, says the administration addressed the potential security issues through added vigilance instituted before the site went live. He says despite initial operational problems, the site has not been successfully hacked. Cummings says it is Republicans who are risking the privacy of average citizens by demanding detailed blueprints that, if leaked, would become a road map for hackers.

With "Obamacare" expected to be a polarizing issue in the midterm congressional elections, both political parties are at battle stations. Republicans have raised security issues but have yet to produce a smoking gun.

As chief information security officer for HHS, Charest offered a look at insider concerns during the weeks and days before the website went live. Technical problems developed immediately and many potential customers were frozen out. The site seems to be working well now, but the administration's signup campaign hasn't fully recovered its momentum.

"I get paid to be paranoid," Charest said in the transcript. "And so I wanted to understand the exact controls in place, what environment, what procedures, what policies."

But the Centers for Medicare and Medicaid Services — the departmental division running the health care rollout — wasn't sharing.

"I was frustrated by a number of requests I made that I did not receive," Charest said. The requests were not just related to security, he said, but other operational issues as well.

He said he came to believe that CMS — as the division is known — was deliberately keeping information to itself. "I can't explain it," he said.

While he did not have direct chain-of-command authority over the rollout, "I have responsibility for incident control," Charest testified. "Putting my bad-guy hat on, this would be something I would think would be desirable for someone to want to attack."

The website has two major components: an electronic "back room" that got full operational and security certification and a consumer-facing "front room" that was temporarily certified Sept. 27.

The back room, known as the federal data services hub, pings government agencies to verify applicants' personal information. It does not store data.