We finally got to hear testimony from some of the people who were responsible for creating the mess on the Obamacare website, which poses risk to data in their networks. A couple of interesting things came from it.
1. MITRE was doing the Independent Verification & Validation part of the evaluation of the security features of the system. CMS hired an ethical hacker to augment their security testing. He found 7-10 items which were "not serious".
2. MITRE published a report, portions of which were redacted because they showed vulnerabilities to the system. This is actually a good thing, since publication would make it even easier to get into the site, something a normal user cannot do.
3. Only a short part of MITRE's report was read in the open hearing, but it contained the following gem of information: "MITRE was unable to evaluate the Confidentiality or Integrity of the system" because it wasn't ready. The three elements of the security evaluation, Confidentiality, Integrity and Availability, were not even done, yet the Administrator of CMS felt confident enough in their design to sign off on the risks. If good designs were enough, we could throw away those acquisitions manuals and buy good designs. On what basis HHS could make such a decision is a mystery. We know Availability failed.
Several sources today (http://www.nextgov.com/health/2013/11/cms-manager-who-okayed-healthcaregov-missed-security-memo/73625/) cite portions of a report saying the security risks were "limitless" in this system. When has anyone ever seen an evaluation like this result in an Authority to Operate (ATO)?
4. Mr. Chao, the Deputy CIO at CMS, said security testing was completed at the component level, but was not able to be completed end-to-end. Component level testing would not include the interfaces to the other systems that connect our sensitive data to this portal. Does CMS feel comfortable accepting that level of risk? Do the other agencies connecting to this portal feel comfortable with accepting it? A Hill article today (http://thehill.com/blogs/healthwatch/health-reform-implementation/189916-top-cms-official-didnt-know-about-obamacare) says Chao was not included on parts of the request for sign-off on the ATO. That didn't seem to keep him from rationalizing the lack of security testing.
5. Mr. Powner, from GAO, twice cautioned that we should be concerned about security while the system is being built. Considering that no security testing had been done that would justify granting an ATO, the risks climb dramatically with changes that are being made on the fly, where political pressures abound. Will the system be tested before the 30th of November when all the changes are supposed to be done? Not likely. They cannot even get the portal to work like a portal. Until it is stable, it would be difficult to test.
We should think twice about putting any data into this system until it is operational, the security testing is complete, and the vulnerabilities are corrected. You can bet the Chinese are already hacking this goldmine.