Memo Warned of "Limitless" Security Risks for HealthCare.gov ("Catastrophic"?)
Posted on 11/11/2013 5:23:15 PM PST by kristinn
CBS News has learned that the project manager in charge of building the federal health care website was apparently kept in the dark about serious failures in the website's security. Those failures could lead to identity theft among those buying insurance. The project manager testified to congressional investigators behind closed doors, but CBS News has obtained the first look at a partial transcript of his testimony.
Henry Chao, HealthCare.gov's chief project manager at the Centers for Medicare and Medicaid Services (CMS), gave nine hours of closed-door testimony to the House Oversight Committee in advance of this week's hearing. In excerpts CBS News has obtained, Chao was asked about a memo that outlined important security risks discovered in the insurance system.
Chao said he was unaware of a Sept. 3 government memo written by another senior official at CMS. It found two high-risk issues, which are redacted for security reasons. The memo said "the threat and risk potential (to the system) is limitless." The memo shows CMS gave deadlines of mid-2014 and early 2015 to address them.
But Chao testified he'd been told the opposite.
"What I recall is what the team told me, is that there were no high findings," he said.
Chao testified security gaps could lead to identity theft, unauthorized access and misrouted data.
According to federal guidelines, high risk means "the vulnerability could be expected to have a severe or catastrophic adverse effect on organizational operations ... assets or individuals."
(Excerpt) Read more at cbsnews.com ...
What difference, at this point, does it make?
I remember that thread even though it was years ago...
I’m a project manager. This is blatant BS. There is NO WAY this was not known unless the PM was asleep at the wheel or off doing crack with the mayor of Toronto.
Good point!...We've spent 600 million on a site that could have been done for a couple of million at most by free enterprise...Why stop now??...I don't care if it takes us gazillions.....This is America.....we can do it!!!.....YES WE CAN!....../s
He would have had a copy of the security assessment.
I did the security assessment for a state exchange to the IRS. The PM most certainly received my report. I most certainly went through each of the findings with them.
The person who authored the memo that Chao "never saw" is now out of the picture.
No doubt Jarrett told him to go into hiding.
Chao said he was unaware of a Sept. 3 government memo written by another senior official at CMS. It found two high-risk issues
No. Absolutely not. Total BS. There is a risk manager. He knows all the risks. He reports the risks up the chain of command. For risks to -- instead -- be compartmentalized and kept hidden from the PM ... that's either a lie or an inconceivable level of managerial incompetence.
I’ll take “inconceivable level of managerial incompetence” for $100 if you please Alex.
According to federal guidelines, high risk means “the vulnerability could be expected to have a severe or catastrophic adverse effect on organizational operations ... assets or individuals.”
So this is what is meant by a catastrophic insurance policy. A policy devised by Leftists.
How to fix it? Implant a chip in your hand or your forehead. Of course it will contain that well known number 666.
Better odds than Powerball for sure!
Given the fact that the federal government requires organizations handling financial information to conform to SOX (Sarbanes-Oxley) audits, and organizations handling health care information to conform to HIPAA audits, it sounds like the system developed (NOT JUST THE WEB SITE!!!) doesn’t conform to either.
In addition to that, any self respecting financial company, especially one that uses credit cards, is supposed to meet PCI security specifications ( https://www.pcisecuritystandards.org/security_standards/index.php )
What are the chances that any of these security standards have been met?
Either one of two things happened:
1. Henry Chao lied to Congress when he testified behind closed doors last week for 9+ hours. He stated that he never saw the memo and he had been told that there were no significant problems with the web site.
2. Chao was never shown the Trenkle memo [but his superiors were] and they realized that [if he was shown the memo], he would never sign off on the Oct. 1st release.
It's either one or the other ...
Isn’t it sad that this is getting exponentially more play than Fast & Furious and the IRS?