Do not settle for an email blasting service or a newswire overloaded with financial statements. Standard Newswire gets your news into the hands of working journalists, broadcast hosts, and news producers.
Find out how you can start using Standard Newswire to
Sign Up to Receive Press Releases:
Standard Newswire™ LLC
209 W. 29th Street, Suite 6202
New York, NY 10001, USA.
(212) 290-1585
Lack of 'ATO' Was 'High Risk to Agency'
Contact: Jill Farrell, Judicial Watch, 202-646-5172
WASHINGTON, Jan. 19, 2016 /Standard Newswire/ -- Judicial Watch today released over 1,000 pages of new documents that show federal health care officials knew that the Obamacare website, when it launched in 2013, did not have the required "authorization to operate" (ATO) from agency information security officials. These documents, obtained from the U.S. Department of Health and Human Services (HHS), come in two productions of records: a 143-page production and an 886-page production. The email records reveal that HHS officials had significant concerns about the security of the Healthcare.gov site leading up to its October 1, 2013, launch.
Judicial Watch obtained the HHS documents in response to a court order in a Freedom of Information Act (FOIA) lawsuit (Judicial Watch v. U.S. Department of Health and Human Services (No. 1:14-cv-00430)). The lawsuit was filed in March 2014, after HHS failed to respond to a December 20, 2013, FOIA request seeking the following information:
- All records related to the security of the healthcare.gov web portal including, but not limited to, studies, memoranda, correspondence, electronic communications (e-mails), and slide presentations from January 1, 2012 to the present.
On September 21, 2013, 10 days before the launch of the Obamacare website, Centers for Medicare and Medicaid Services (CMS) Information Security Officer Tom Schankweiler discussed with Deputy Chief Information Officer Henry Chao 17 initial "moderate" security issues findings and two "high" security issues. Two high findings and 3 moderate findings were resolved, according to the documents. The emails also show that a separate security analysis found 17 "high" security issues, prompting Chao to ask, "What are we actually signing off on…?" Schankweiler responded that the numerous security issues resulted in CMS Security Officer Teresa Fryer's refusing to approve the "ATO" (Authorization to Operate), something he indicated he found out belatedly.
The documents also show that on September 30, 2013, the day before the website launch, Blue Canopy, a contractor that was testing the security of the Healthcare.gov system, reported that the "parsing engine did not properly handle specially crafted messages." The vendor added, "As a result, consumption of these messages would cause the service to crash."
Over six weeks later, a November 6, 2013, email to colleagues George Linares, the acting chief technology officer of CMS, said that Healthcare.gov "is operating without an ATO [Authorization to Operate]." Further, he added, "Operating without an ATO is a serious issue and it represents a high risk to the agency."
In a separate November 6, 2013, memo sent a month after the initial website launch, as HHS prepared for a relaunch, CMS security testing contractor Adam Willard warned CGI Federal programmer Balaji Ramamoorthy, "it is possible for anyone to run a brute force [attack] against Healthcare.gov to obtain the results of their eligibility." (CGI was the Canadian IT contractor hired by CMS to oversee most of the Healthcare.gov website development.
MORE: www.judicialwatch.org/press-room/press-releases/judicial-watch-new-hhs-documents-reveal-security-concerns-healthcare-gov-had-no-authorization-to-operate
