Memo Warned of "Limitless" Security Risks for HealthCare.gov ("Catastrophic"?)
Posted on 11/11/2013 5:23:15 PM PST by kristinn
CBS News has learned that the project manager in charge of building the federal health care website was apparently kept in the dark about serious failures in the website's security. Those failures could lead to identity theft among buying insurance. The project manager testified to congressional investigators behind closed doors, but CBS News has obtained the first look at a partial transcript of his testimony.
Henry Chao, HealthCare.gov's chief project manager at the Centers for Medicare and Medicaid Services (CMS), gave nine hours of closed-door testimony to the House Oversight Committee in advance of this week's hearing. In excerpts CBS News has obtained, Chao was asked about a memo that outlined important security risks discovered in the insurance system.
Chao said he was unaware of a Sept. 3 government memo written by another senior official at CMS. It found two high-risk issues, which are redacted for security reasons. The memo said "the threat and risk potential (to the system) is limitless." The memo shows CMS gave deadlines of mid-2014 and early 2015 to address them.
But Chao testified he'd been told the opposite.
"What I recall is what the team told me, is that there were no high findings," he said.
Chao testified security gaps could lead to identity theft, unauthorized access and misrouted data.
According to federal guidelines, high risk means "the vulnerability could be expected to have a severe or catastrophic adverse effect on organizational operations ... assets or individuals."
(Excerpt) Read more at cbsnews.com ...
What difference, at this point, does it make?
I remember that thread even though it was years ago...
I’m a project manager. This is blatant BS. There is NO WAY this was not known unless the PM was asleep at the wheel or off doing crack with the mayor of Toronto.
Good point!...We've spent 600 million on a site that could have been done for a couple of million at most by free enterprise...Why stop now??...I don't care if it takes us gazillions.....This is America.....we can do it!!!.....YES WE CAN!....../s
He would have had a copy of the security assessment.
I did the security assessment for a state exchange to the IRS. The PM most certainly received my report. I most certainly went through each of the findings with them.
The person who authored the memo that Chao "never saw" is now out of the picture.
No doubt Jarrett told him to go into hiding.
Chao said he was unaware of a Sept. 3 government memo written by another senior official at CMS. It found two high-risk issues
No. Absolutely not. Total BS. There is a risk manager. He knows all the risks. He reports the risks up the chain of command. For risks to -- instead -- be compartmentalized and kept hidden from the PM ... that's either a lie or an inconceivable level of managerial incompetence.
I’ll take “inconceivable level of managerial incompetence” for $100 if you please Alex.
According to federal guidelines, high risk means “the vulnerability could be expected to have a severe or catastrophic adverse effect on organizational operations ... assets or individuals.”
So this is what is meant by a catastrophic insurance policy. A policy devised by Leftists.
How to fix it? Implant a chip in your hand or your forehead. Of course it will contain that well known number 666.
Better odds than Powerball for sure!
Given the fact that the federal government requires organizations handling financial information to conform to SOX (Sarbanes Oxley) audits, and organizations handling health care information to conform to HIPAA audits, it sounds like the system developed (NOT JUST THE WEB SITE!!!) doesn’t conform to either.
In addition to that, any self respecting financial company, especially one that uses credit cards, is supposed to meet PCI security specifications ( https://www.pcisecuritystandards.org/security_standards/index.php )
What are the chances that any of these security standards have been met?
Either one of two things happened:
1. Henry Chao lied to Congress when he testified behind closed doors last week for 9+ hours. He stated that he never saw the memo and he had been told that there were no significant problems with the web site.
2. Chao was never shown the Trenkle memo [but his superiors were] and they realized that [if he was shown the memo], he would never sign off on the Oct. 1st release.
It's either one or the other ...
Isn’t it sad that this is getting exponentially more play than Fast & Furious and the IRS.
Look, this is what I do for a living.
I am here to tell you something, Kristin.
I, personally, armed with a small team of equally skilled developers — maybe 3 to 5 — could have written the entire Obamacare website, tested, and secure, within three years.
NO way this thing should have cost what it did.
NO excuse for its failure.
This was not a web project, this was the laundering of millions of dollars to the Democrats.
Laz, once again, you broke the code.
This is the laundering of money to fellow travelers by the Dems.
Using our own tax money and funneling it to their cronies and fellow Communists has been raised to an art form by this Administration.
Why not call the moron that wrote the memo and ask him who he addressed it to?
I'm a project manager. This is blatant BS. There is NO WAY this was not known unless the PM was asleep at the wheel or off doing crack with the mayor of Toronto.
I am an ITSEC PM and I agree. Also having dealt with mitigating “high findings” as a result of Gubment audits. I can tell very few of these audits come out clean as a whistle. That said I would like the Issues & Risk registers gone over with a fine-toothed comb, not just those dealing with security but mainly performance and testing.
Yes it is sad. And the only reason is because nobamacare affects virtually all Americans. It's hard to ignore.
F&F and the IRS abuse will be walks in the park compared to this kludge.
Fast & Furious was an act of war against a neighboring country that has resulted in the murders of hundreds including 2 US law enforcement officers.
Oh, I think it's both a lie and this bunch has an inconceivable level of managerial incompetence. We've known the latter ever since those stories came out in 2008 about the Obama campaign: The campaign was effective but the campaign plane cabin was, uh, fragrant. And since then, anytime anything goes wrong, no one at the upper levels seems to know anything, even under oath.
I actually think that at this point, it does make a difference. Who’s going to sign up if there’s a strong possibility of identity theft? If no one signs up, this thing crashes.
I know some (like Rush) say that’s the intent (so as to get to a totally gov’t run health care system). But I’m not so sure that’s how things turn out if the gov’t itself has put tens of millions of citizens at risk of identity theft.
these nazis always have somebody else to blame don’t they.....
all this is intentional.
..we'll have all these takers on the Medicaid rolls and no money to pay for the drs and hospitals to treat them
and then an ensuing financial crisis after crisis until finally the federales slip in and SAVE US ALL by instituting universal single payer health care ....