What to Believe About Security Risks in Subpoenaed HealthCare.gov Docs

By Joseph Marks

December 18, 2013

The battle over whether to release contractors’ documents that may point out security weaknesses in the HealthCare.gov website can be confusing to follow and even more confusing to take sides in.

That’s because, while the government officials and contractors waging the battle are mostly doing it with the same established set of facts -- laid out in the documents themselves -- the public doesn’t have access to those facts. And all the officials have some motive to give a slanted impression of what the documents say.

Here are the basic facts as the public knows them:

As part of its investigation into what went wrong with the HealthCare.gov launch, the House Oversight and Government Reform Committee requested documents from contractors that worked on the project and from the Health and Human Services Department.

At least two of those contractors, CSSI and MITRE Corporation, passed their documents through HHS officials who gave committee members redacted copies and allowed them to view but not keep unredacted documents.

That wasn’t sufficient for Oversight Chairman Darrell Issa, R-Calif., who unilaterally subpoenaed the contractors for unredacted copies that he’d be able to selectively release to the public.

HHS told contractors that releasing the documents to Issa would violate their contracts but, after consulting with lawyers, they decided they had no choice and turned the documents over.

That’s where we stand today.

Both HHS and Republicans and Democrats in Congress agree that the documents reveal some security weaknesses in HealthCare.gov as of mid-October, but they disagree about how significant those vulnerabilities were at the time and the extent to which they’ve likely been remedied.

All sides also agree that releasing the full unredacted documents to the public could help hackers looking to break into the site and either gum up its operations or steal insurance seekers’ personal information.

What they disagree about is whether the decision on what portions of the documents are safe to release should be made by Issa or by the full committee.

HHS officials and congressional Democrats say Issa can’t be trusted to make the right call about what portions of the documents can be released without endangering security. Issa says he’s fully capable of making that call after consulting with officials and security experts and that it’s the administration that’s endangering Americans’ security by keeping the documents completely under wraps.

That’s a policy and procedural question and a highly interesting and debatable one. But the debate has a political dimension too.

Federal and state insurance marketplaces are the largest component of Obamacare, which was, incidentally, the most partisan and divisive domestic political issue of the past decade.

In order for those marketplaces to work, they must enroll a large enough number of people in new insurance plans by the time open enrollment ends in March 2014 (the Obama administration is aiming for 7 million enrollees). That batch of new enrollees must also include enough young and healthy people, who are likely to pay more into their plans than insurers pay out for drugs and doctor visits, to counterbalance older and sicker people who are more likely to take more money out of the system than they pay in.

That means Issa, a Republican who opposed the health care law, has an incentive to pump up the fear of security risks to tamp down enrollment and increase the chances of Obamacare’s failure. It also means the Obama administration and congressional Democrats have an incentive to downplay security risks to keep enrollment up.

With no independent assessment of what the documents contain, the public has little guide as to who’s more motivated by politics and who’s more motivated by principle.

Here are a few more wrinkles.

Are there security risks for Americans who enter information into HealthCare.gov?

Certainly. No system is impregnable and people take a risk every time they enter personal information into a Web form, whether it comes from the government or the private sector. This is acknowledged by every tech official in government and they say it’s what keeps them up at night.

There’s not uniform agreement, though, about what risks are so serious a system shouldn’t operate until they’re resolved and which risks are acceptable. Guidelines, including those in the Federal Information Security Management Act, offer some help but they’re a blunt instrument tasked with an extremely complicated task. 

For the record, HHS officials say HealthCare.gov is FISMA-compliant and that there have been no successful cyber attacks against the system since it launched.

Would Issa release information that could aid hackers looking to break into the site?

The chances he would release such information through sheer negligence are extremely limited. Issa has pledged to consult with security experts, who are notoriously cautious, before any release. As chairman of the committee that governs federal technology policy, he’s also among the most knowledgeable lawmakers about technology. That means, at the very least, he’ll take the experts’ warnings very seriously.

That said, it’s almost certain that Issa would draw the line about what’s safe to release and what’s not at a different place than the administration would.

The reason may be partly about politics. It’s also about principle, though. In addition to his work on technology and controversial investigations (Fast and Furious, Benghazi) Issa is also a major proponent of improving government transparency and has argued that government is generally too cautious, if not evasive, about providing information to the public.

In an ironic twist, Issa is cosponsoring a bill to beef up Freedom of Information Act compliance with Oversight’s ranking member, Rep. Elijah Cummings, D-Md., who’s also his lead congressional combatant regarding the HealthCare.gov documents release. 

By Joseph Marks

December 18, 2013