Thursday, January 9, 2014

New Obamacare Website Security Issues

Darrell Issa is probably not a favorite of CMS, but as Chairman of the House Oversight and Government Reform Committee, he can make them squirm.  He is still, rightly, focused on security of the Obamacare website.  The Committee's website http://oversight.house.gov/release/issa-challenges-sebelius-false-misleading-statements-healthcare-gov-security/ says they are going to challenge some statements made by Health and Human Services Secretary Kathleen Sebelius about security of the site.  It is a curious mix of things they are looking into:

1) that MITRE was conducting ongoing security testing; 
2) that MITRE’s preliminary report “did not raise flags about going ahead;” 
3) that “no one… suggested that the risks outweighed the importance of moving forward;” 
4) that MITRE made recommendations to CMS about moving forward.

An odd mix, to be sure.  Remember the adage, "never ask a question you don't already know the answer to."  If MITRE was not doing security testing, put up warning flags about proceeding, and didn't make recommendations about moving forward with deployment of the site, it would be hard to say on what basis CMS made the risk management decision to deploy.  

In a Politico story today, Brett Norman quotes an HHS letter that says:

“There have been no successful security attacks on Healthcare.gov and no person or group has maliciously accessed personally identifiable information,” the statement said. “An independent security control assessor tested each piece of the Healthcare.gov system that went live October 1 prior to that date with no open high findings”

http://www.politico.com/story/2014/01/darrell-issa-kathleen-sebelius-obamacare-101924.html#ixzz2pubEX9o8

Anyone who has spent any time at all in cybersecurity would know that statements like this are not made by anyone.  Never.

It is a dangerous thing to say, especially in a system where there are obvious security flaws, the system was deployed before it was ready, and changes are being made on the fly.  If there were no Cat 1 security deficiencies, it would be the first system ever built by the government that could say so.  Everybody has some problems in development, and with this system, there have been more than just some.  They had Cat 1s everywhere else, but they want to say that they had none in security.  Preposterous, and unbelievable, but this is, after all, the most fun Washington has had in a long time, so not impossible.  

Second, nobody ever says "There have been no successful security attacks on Healthcare.gov and no person or group has maliciously accessed personally identifiable information...."  There was a GAO report published yesterday that left some doubt about how government agencies are handling breach disclosures, even when they know they have had one.  They don't have consistent ways to identify the loss, collect the data about who is affected, and report the incident to the right agencies.  Then, they don't always take appropriate action to deal with the potential damage.  If CMS looks like the kind of place you could trust to identify the loss, report the loss, and help the customers, given the political spear dangling from their chest, then you have more faith in them than I would have.