Posted on 09/15/2014 9:38:43 AM PDT by jazusamo
Full title: Judicial Watch Uncovers HHS Documents Detailing High Risk Security Problems with Obamacare Internet Site
Less than one month before Healthcare.gov rollout, top Obama administration official highlights risks of malicious code being uploaded into the system through Excel macros; other high risk findings
(Washington, DC) Judicial Watch today released 94 pages of documents obtained from the U.S. Department of Health and Human Services (HHS) revealing that in the days leading up to the rollout of Obamacare, top Centers for Medicare and Medicaid Services (CMS) officials knew of massive security risks with Healthcare.gov and chose to roll out the website without resolving the problems. Detailed information regarding the security flaws, previously withheld from public disclosure, was released to Judicial Watch. Also released to Judicial Watch were Sensitive Information Special Handling memos sent from CMS to Mitre Corporation, the Healthcare.gov security testing company, in which CMS rated political damage and public embarrassment to CMS as factors in defining Risk Rating priorities.
The HHS documents were released as a result of a Freedom of Information Act (FOIA) lawsuit filed by Judicial Watch on March 18, 2014, Judicial Watch v. U.S. Department of Health and Human Services (No. 1:14-cv-00430), after HHS failed to respond to a December 20, 2013, FOIA request seeking the following information:
Any and all records related to, regarding or in connection with the security of the healthcare.gov web portal including, but not limited to, studies, memoranda, correspondence, electronic communications (e-mails), and slide presentations from January 1, 2012 to the present.
The existence of a security flaw in the Healthcare.gov web portal, in which "[T]he threat and risk potential is limitless," had been previously revealed in a redacted version of a September 3, 2013, memo published by the House Government Oversight Committee. However, the details of that flaw and others found in the Healthcare.gov website were omitted from the House-issued memo "for security reasons," according to a CBS News report by Sharyl Attkisson. Judicial Watch can now reveal exactly what those security flaws entailed.
These details are especially significant in light of the revelation by federal officials that the Healthcare.gov web portal was hacked last July, as reported on September 4, 2014. The documents obtained by Judicial Watch also show that top CMS officials, including CMS Chief Information Officer Tony Trenkle and CMS Director Marilynn Tavenner, were aware of the gaping security flaws, yet Tavenner chose to launch the website anyway. Trenkle himself resigned before the site's launch date.
In a September 3, 2014, Authorization Decision memo, Trenkle reveals a flaw involving Excel macros that could risk malicious code being uploaded into the system. According to a "Finding" in the just-released unredacted memo, "FFM [Federally Facilitated Marketplaces] has an open high finding: Macros enabled on uploaded files allow code to execute automatically."
In the "Finding Description" alongside that finding, the memo continues: "An Excel file with a macro which executes when the spreadsheet is opened was uploaded for a review by another user. The macro only opened up a command prompt window on the local user's machine; however, the threat and risk potential is limitless. Keeping macros enabled relies on the local machine of the user who downloads to detect and stop malicious activity."
Among the "Recommended Corrective Actions" to fix this problem, the memo says, "Implement a method for scanning uploaded documents for malicious macros." Remarkably, the due date provided for the corrective actions to remedy this "limitless" risk problem is May 31, 2014, eight months after the launch of Healthcare.gov.
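The memo's corrective action, scanning uploaded documents for macros before another user can download them, can be done server-side without opening the file in Excel. The following is an added illustration, not code from CMS, Mitre or the memo: it treats an Office Open XML upload as the ZIP container it is and looks for the embedded VBA project part; the sample documents are constructed in memory, and the "reject unless cleared" policy is an assumption.

```python
import io
import zipfile

# Content type that OOXML declares for an embedded VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc container


def macro_scan(data: bytes) -> dict:
    """Inspect an uploaded Office document for an embedded VBA project.

    Returns {'format': 'ooxml'|'ole'|'unknown', 'has_macros': True|False|None,
    'evidence': [...]}; None means this scanner could not decide.
    """
    evidence = []
    if data[:4] == b"PK\x03\x04":  # OOXML (.xlsx/.xlsm/.docm) is a ZIP archive
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                # Any vbaProject.bin part means a VBA project is embedded,
                # regardless of the file extension the uploader chose.
                evidence += [f"part {n}" for n in names if n.lower().endswith("vbaproject.bin")]
                # The manifest independently declares the VBA part's content type.
                if "[Content_Types].xml" in names:
                    manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                    if VBA_CONTENT_TYPE in manifest:
                        evidence.append("vbaProject content type in manifest")
        except zipfile.BadZipFile:
            return {"format": "unknown", "has_macros": None, "evidence": ["corrupt zip"]}
        return {"format": "ooxml", "has_macros": bool(evidence), "evidence": evidence}
    if data[:8] == OLE_MAGIC:
        # Legacy binary Office stores macros in an OLE "VBA" storage; confirming
        # that needs an OLE parser (e.g. olefile), so refer it to a deeper scan.
        return {"format": "ole", "has_macros": None, "evidence": ["legacy OLE, needs deep scan"]}
    return {"format": "unknown", "has_macros": None, "evidence": ["not an Office container"]}


def accept_upload(data: bytes) -> bool:
    """Assumed policy: admit only documents positively confirmed to carry no VBA project."""
    return macro_scan(data)["has_macros"] is False


def _build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped ZIP, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = '<Types><Default Extension="xml" ContentType="application/xml"/>'
        if with_macro:
            types += f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            zf.writestr("xl/vbaProject.bin", b"\x01CONSTRUCTED-PLACEHOLDER")
        zf.writestr("[Content_Types].xml", types + "</Types>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()
```

Renaming an .xlsm to .xlsx does not defeat the check, because the decision rests on the container's contents rather than the extension.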
The above revelation about the potential for malicious code being uploaded into Healthcare.gov is especially noteworthy in light of the September 4, 2014, Wall Street Journal article, which reported, "A hacker broke into part of the Healthcare.gov insurance enrollment website in July and uploaded malicious software, according to federal officials."
In the same September 3, 2014, memo, details of another high risk finding were disclosed: "FFM has an open high finding: No evidence of functional testing processes and procedures being adequate to identify functional problems resulting in non-functional code being deployed."
The "Finding Description" for this flaw elaborates: "Software is being deployed into implementation and production that contains functional errors. Untested software may produce functional errors that cause unintentional Denial of Service and information errors." The due date provided to correct this high risk flaw was listed as February 26, 2015, nearly a year and a half following Obamacare's launch.
Another security flaw identified in the September 3 memo is: "Many FFM controls are described in CFACTS as 'Not Satisfied.'" (CFACTS stands for CMS FISMA Controls Tracking System. It is the CMS database used to keep track of security problems and fixes in the agency's information systems.) The "Risk" that this problem poses is described as follows: "There is the possibility that the FFM security controls are ineffective. Ineffective controls do not appropriately protect the confidentiality, integrity and availability of data and present a risk to the CMS enterprise." Officials provide a due date to correct this problem of February 7, 2014, more than four months after Healthcare.gov was to launch.
The September 3 memo also reveals that "FFM appears to have selected an inappropriate E-Authentication level." The risk significance of this problem is described as: "The E-Authentication level of a system determines the security controls and means when connecting to a system over or from an untrusted network. Use of inappropriate controls exposes the enterprise to additional risk." The due date to correct this issue was also provided as February 7, 2014.
In a September 6, 2013, Authorization Decision memo from CMS Chief Information Officer Tony Trenkle to CMS Director of Consumer Information and Insurance Systems Group, James Kerr, Trenkle advised, "There are no findings in CFACTS for the FY13 Security Control Assessment (SCA) or the recent penetration testing." This meant that security problems found in testing the website had not even been entered into the database set up to keep track of security problems. Despite his findings, Trenkle gave his "Authorization to Operate," concluding, "The current risk is deemed acceptable."
Judicial Watch was also provided with the August 20, 2013, and December 6, 2013, Security Controls Assessment Test Plans sent by CMS to Mitre Corporation, the vendor tasked with testing the security of the Healthcare.gov portal. CMS advised Mitre that the highest Risk Rating should be given to flaws that could cause political damage to CMS. Moderate and low Risk Ratings were to include those resulting in potential public embarrassment to the agency. Specifically, the Assessment Test Plan provides the following Risk Ratings:
High: Exploitation of the technical or procedural vulnerability will cause substantial harm to CMS business processes. Significant political, financial and legal damage is likely to result. [Emphasis added]
Moderate: Exploitation of the technical or procedural vulnerability will significantly impact the confidentiality, integrity and/or availability of the system or data. Exploitation of the vulnerability may cause moderate financial loss or public embarrassment to CMS. [Emphasis added]
Low: Exploitation of the technical or procedural vulnerability will cause minimal impact to CMS operations. The confidentiality, integrity and availability of sensitive information are not at risk of compromise. Exploitation of the vulnerability may cause slight financial loss or public embarrassment. [Emphasis added]
"These are more smoking gun documents that the Obama administration knowingly put the privacy of millions of Americans at risk through Obamacare's healthcare.gov marketplace," said Judicial Watch President Tom Fitton. "And these documents show that this administration was concerned about the political problems of the security flaws but couldn't care less about the threat to privacy of millions of innocent Americans. Given what we now know about Obamacare's security, I have little doubt that Healthcare.gov is in danger of being in violation of federal privacy laws. If you share private information on Healthcare.gov or a related Obamacare site, you should assume that your private information is unsecure and at risk of being hacked."
When a government-created website lets hackers in to sift through your information, you have no recourse. You can’t sue the government.
"If you share private information on Healthcare.gov or a related Obamacare site, you should assume that your private information is unsecure and at risk of being hacked."
Bend over, touch your toes, this won't hurt a bit!
Yep, and the bureaucrats running the show knew full well before sites were launched.
Are these bugs or features? Collapse of the total US health care system as part of a Cloward Piven strategy is quite likely a goal.
If you are retired and on Medicare, you have no choice. All your personal information is shared with the government by your doctor and hospital.
Notice they haven’t released enrollment numbers since March.