HealthCare.gov ducked final security requirements before launch
(CBS News) WASHINGTON -- The health care website went down again Monday for an hour and a half, and no one is sure why. It's being taken offline on purpose every night from 1 a.m. to 5 a.m. for repairs. Millions are still having trouble buying insurance on it, and it turns out that even when the website works, it may not be secure enough to protect privacy.
As HealthCare.gov was being developed, crucial tests to ensure the security and privacy of customer information fell behind schedule.
CBS News analysis found that the deadline for final security plans slipped three times from May 6 to July 16. Security assessments to be finished June 7 slid to August 16 and then August 23. The final, required top-to-bottom security tests never got done.
The House Oversight Committee released an Obama administration memo that shows four days before the launch, the government took an unusual step. It granted itself a waiver to launch the website with "a level of uncertainty ... deemed as a high (security) risk."
WH docs: Paper applications for Obamacare were problematic, too
Obamacare: Memo reveals health care adviser warned W.H. was losing control 3 years ago
Complete Coverage: Obamacare Kicks Off
Agency head Marilyn Tavenner accepted the risk and "mitigation" measures like frequent testing and a dedicated security team. But three other officials signed a statement saying that "does not reduce the risk" of launching October 1.
Georgetown Law professor Lawrence Gostin is a big supporter of the Affordable Care Act. He helped Congress write the law to meet constitutional standards. But he's critical of the launch without proper security.
Watch: Obamacare enrollment got off to very slow start, below.
"Nothing can undermine public confidence more than the fear of a security and privacy breach," Gostin said. "You could have somebody hack into the system, get your Social Security number, get your financial information."
HealthCare.gov exchanges data through a massive hub that includes the IRS and Social Security Administration, to verify income and identity, and Veterans Affairs, for military personnel who receive special benefits.
Last week at a congressional hearing, Health and Human Services Secretary Kathleen Sebelius told Democrat G.K. Butterfield that Americans have no reason to worry.
Asked if she had confidence in measures the administration was taking to protect the security of Americans' personal information, Sebelius responded, "I do, sir."
While officials try to fix all the problems with the website, internal notes released Monday from a government meeting last week reflect a new concern: that the media may begin to follow customer experiences. In some cases, CMS fears, there are "fewer health insurance options than would be desired" and "relatively high-cost plans."