KITV: Bhagowalia says the Health Connector has complied with all federal regulatory mandates
March 27, 2014: State Sen. Josh Green, a Democrat and doctor who chairs the Health Committee, told KITV4 the letter to Abercrombie sounds a "bit political," but is nevertheless "disconcerting."
"If that proves to be true, then there's going to be hell to pay," Green said of the Health Connector's alleged failure to test security. "I'm sure it's going to totally erode people's confidence that it's safe and secure."
To date, 5,744 individuals have obtained health insurance through the Health Connector since its launch five months ago. Before obtaining coverage, an applicant must supply their Social Security number, date of birth and income.
"With that data, someone could get access to practically anything," said Kay.
In a statement issued late Thursday by Abercrombie's chief adviser on technology and cybersecurity, Sanjeev "Sonny" Bhagowalia says the Health Connector has complied with all federal regulatory mandates.
"Hawaii's Exchange passed all security certifications required by the Centers for Medicare & Medicaid Services prior to launch on October 15 and has had no security breaches since that time," Bhagowalia wrote in an email to KITV4.
* * * * *
From US House Committee on Oversight and Government Reform
March 25, 2014
Dear Governor Abercrombie:
Over the past four years, the Committee on Oversight and Government Reform has been conducting oversight of the Obama Administration's implementation of ObamaCare. We are writing to you because the Committee has learned that the Obama Administration took actions in the summer and fall of 2013 that appear to have placed the private information of Hawaiians at risk with the launch of ObamaCare's health insurance exchanges. We write to provide you with information pertinent to the citizens of your state as well as to request your assistance with the Committee's ongoing oversight.
It is clear that the Hawaii exchange has failed to live up to expectations. Despite receiving over $205 million dollars in federal grants to set up its ObamaCare exchange, the exchange has managed to enroll fewer than 5,000 people.(1) Put differently, for every person enrolled by the exchange, federal taxpayers gave the State approximately $44,000 to set up the exchange.(2)
In order to resolve technical problems, the Hawaii exchange website launched two weeks late, on October 15, 2013.(3) Once it launched, the exchange experienced technical problems. To date, Hawaii has signed up the fewest number of enrollees in the nation.(4) On December 6, 2013, Coral Andrews, your exchange's executive director, resigned due to the exchange's ongoing development problems.(5) On February 26, 2014, Tom Matsuda, the Hawaii exchange's interim executive director, admitted that the exchange is financially unsustainable.(6) While these problems with the exchange are well known, little is known about the major security vulnerabilities that were present with the exchange on October 1, 2013, and whether those problems remain today.
Hawaii's Exchange Did Not Have Required Security Assessment Prior to Launch
Since October 1, 2013, Americans in states with exchanges established by the federal government have been entering their personally identifiable information (PII), such as birth dates, Social Security numbers, and income as well as PII of family members into HealthCare.gov. Individuals in states that established state health insurance exchanges, including Hawaii, have likewise been entering this information into similar websites. Federal agencies, including the Internal Revenue Service and the Social Security Administration, have responsibility for verifying much of the information provided by individuals applying for coverage through the ObamaCare exchanges. The information provided by these agencies passes through the federal data services hub to the exchanges, where the information is then stored.(7)
According to information provided by the Centers for Medicare and Medicaid Services (CMS), Hawaii's ObamaCare exchange did not have a security assessment prior to launch.(8) In fact, Hawaii's failure to conduct a security assessment of its exchange prior to October 1, 2013, appears to violate CMS's Minimum Acceptable Risk Standards for Exchanges (MARS-E).(9) According to MARS-E, a "security assessment of all security controls must be conducted prior to issuing the initial authority to operate for all newly implemented systems."(10) Hawaii's failure to conduct an independent security assessment of its exchange prior to October 1, 2013, also appears to violate compliance standards and frameworks established by the IRS and the National Institute for Standards and Technology (NIST) and raises serious questions about the decision making of both federal and state officials prior to the website's launch.(11)
Obama Administration Allowed Hawaii to Connect to Federal Data Hub Despite High Risks
The Committee has recently obtained the security risk assessment of the Chief Information Security Officer (CISO) at CMS for allowing states to connect to the data services hub. State exchanges and Medicaid systems needed authority to connect (ATC) agreements from CMS in order to connect to the federal data services hub.
After its review, the CISO only recommended four state systems be allowed to connect to the hub. According to the reviews, the CISO deemed 35 state systems as a high risk and an additional ten state systems as a moderate risk of connecting to the data hub.(12) NIST defines a moderate risk as a risk where "the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals"(13) and a high risk as a risk where "the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals."(14)
Despite the CISO's negative assessments that generally revealed incomplete documentation and inadequate security testing, CMS allowed most of these states to connect to the federal data hub on October 1, 2013. A few days prior to October 1, 2013, Ryan Brewer, CMS's CISO from 2009 through 2011 and currently an advisor to CMS on information security matters, offered the following assessment to current CMS CISO Teresa Fryer: "Allowing these states to connect to the Hub and FFM [Federally Facilitated Marketplace] without the appropriate review of their documentation introduces an unknown amount of risk to the Hub and FFM. This in turn puts the PII of potentially millions of users at risk of identity theft and fraud to the CMS marketplace healthcare subsidy program."(15) [emphasis added]
It does not appear, however, such concerns were welcomed by senior CMS management in the days leading up to the October 1, 2013, launch date. In response to a September 29, 2013, e-mail from Mike Mellor, CMS Deputy CISO, about an ATC "signing party,"(16) Ms. Fryer wrote, "normally I just review and sign what Ryan [Brewer] gives me anyway because the front office is signing them whether or not they are a high risk."(17) [emphasis added] At the time, CMS's front office consisted of CMS's Chief Information Officer Tony Trenkle, CMS's Deputy Chief Information Officer Henry Chao, and CMS's Chief Technology Officer George Linares.(18) Ms. Fryer testified that by authorizing states to connect to the data hub CMS accepted "a risk, again, of the unknowns, because things haven't been tested."(19)
On September 28, 2013, CMS's CISO completed its assessment of Hawaii's ATC package.(20) The CISO considered several factors in its assessment, including CMS's security experts' review of documentation submitted by the Hawaii exchange and "23 High-impact findings."(21) Based on this information, the CISO concluded that there was a high risk if CMS allowed Hawaii's exchange to connect to the data hub.(22) The CISO recommended several actions that Hawaii could take to reduce the high risk, but these fixes, if they took place, likely did not occur until after October 1, 2013.(23) Despite the high risk and Hawaii's inability to open its exchange for two weeks after October 1, 2013, CMS allowed Hawaii's exchange to connect to the data hub on October 1, 2013.
Due to the decision of the Obama Administration to launch the exchanges on October 1, 2013, before states could properly test their systems and government security experts could properly review security documentation and address known problems, the personal information of millions of Americans who have sought to obtain coverage through the exchanges was put at risk. As the Committee continues its oversight of ObamaCare, we request that you provide the following information to the Committee by April 8, 2014.
1) All documents and communications between any employees, contractors, or agents of the State of Hawaii and any employees, contractors, or agents of the U.S. Department of Health and Human Services, including but not limited to any employees, contractors, or agents of the Centers for Medicare and Medicaid Services, referring or relating to the Hawaii exchange or the federal data services hub between May 1, 2013, and the present.
2) All documents and communications between any employees, contractors, or agents of the State of Hawaii and any employees, contractors, or agents of the White House, including but not limited to the Executive Office of the President, referring or relating to the Hawaii exchange or the federal data services hub between May 1, 2013, and the present.
3) All assessments or audits of the Hawaii exchange's development, readiness, or security between July 1, 2012, and the present.
The Committee on Oversight and Government Reform is the principal oversight committee of the House of Representatives and has broad authority to investigate "any matter" at "any time" under House Rule X. If you have any questions about this request, please contact Brian Blase or Meinan Goto of the Committee staff at (202) 225-5074. Thank you for your attention to this important matter.
Darrell Issa, Chairman
Jim Jordan, Chairman
James Lankford, Chairman
PDF: Letter from Committee
* * * * *
1 Kaiser Exchange Grants, HHS enrollment estimates as of Mar. 1, 2014.
2 Enrollment numbers as of Mar. 1, 2014.
3 Maeve Reston, Hawaii health marketplace off to an especially rough start, LOS ANGELES TIMES (Feb. 25, 2014),
5 Head of Hawaii Insurance Exchange Steps Down, NEW YORK TIMES (Nov. 22, 2014)
6 Kristen Consillio, Hawaii Health Connector won't be sustainable after 2014, HONOLULU STAR-ADVERTISER (Feb. 26, 2014).
7 Department of Health and Human Services, Office of Inspector General, Observations Noted During the OIG Review of CMS's Implementation of the Health Insurance Exchange-Data Services Hub (Aug. 2, 2013)
8 CISO Reviewer Overall Comments and Recommendations of the Hawaii Kauhale On-Line Eligibility Assistance Project ATC (Sept. 28, 2013).
9 Centers for Medicare & Medicaid Services, Catalog of Minimum Acceptable Risk Standards for Exchanges Exchange Reference Architecture Supplement, Ver. 1.0 (Aug. 1, 2012).
10 Id. at 42.
11 NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems 30 (February 2010), ("Organizations consider both the technical expertise and level of independence required in selecting security control assessors.").
12 CMS CISO Reviewer Overall Comments & Recommendations (on file with Committee staff).
13 See U.S. Dep't of Commerce, Federal Information Processing Standards Publication, Standards for Security Categorization of Federal Information and Information Systems, FIPS PUB 199, at 2 (Feb. 2004) (hereinafter "FIPS PUB 199"). According to NIST, a serious adverse effect means that, for example, the loss of confidentiality, integrity or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries. See id.
14 See id. at 3. According to NIST, a severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries. See id.
15 E-mail from C. Ryan Brewer, Principal, GrayScout, LLC, to Teresa M. Fryer, CISO, CMS (Sept. 18, 2013, 2:17 PM) (on file with Committee staff).
16 E-mail from Michael Mellor, Deputy CISO, CMS, to Teresa M. Fryer, CISO, CMS (Sept. 29, 2013, 7:02 AM) (on file with Committee staff).
17 E-mail from Teresa M. Fryer, CISO, CMS, to C. Ryan Brewer, Principal, GrayScout, LLC, and Michael Mellor, Deputy CISO, CMS (Sept. 29, 2013, 8:15:55 AM) (on file with Committee staff).
18 Transcribed Interview with Thomas Schankweiler, Information Security Officer, Centers for Medicare and Medicaid Services, in Wash. D.C. (Dec. 17, 2013).
19 Transcribed Interview with Teresa Fryer, Chief Information Security Officer, Centers for Medicare and Medicaid Services, in Wash. D.C. (Dec. 17, 2013).
20 CISO Reviewer Overall Comments and Recommendations of the Hawaii Kauhale On-Line Eligibility Assistance Project ATC (Sept. 28, 2013).