WASHINGTON (AP) — The second-in-command at the federal Health and Human Services Department says he doesn't recall reporting security concerns about the administration's health insurance website to higher-ups.
Deputy Secretary William Corr "has no recollection" of relaying concerns passed on to him by the department's top technology officer to his own boss, Secretary Kathleen Sebelius, or to White House officials, spokeswoman Joanne Peters said.
Corr and Sebelius both have offices on the sixth floor of the HHS building, overlooking the National Mall. Over the summer and into early fall, the department was working frantically to meet a self-imposed Oct. 1 deadline for the start of the first open enrollment season under President Barack Obama's health care law. That's also when the website was scheduled to go live.
HHS chief information officer Frank Baitman testified to Congress this week that he learned days before the launch that senior cybersecurity experts inside the department were balking at signing a required operational certificate. The problem: Security testing had not been completed because the website was getting constant technology tweaks and also was crashing. Baitman said he passed that information on to Corr and another top official.
HealthCare.gov is the online portal to coverage under Obama's law. It was overwhelmed by multiple technical problems when it launched and was out of commission most of October. Major computer issues have since been resolved, and most consumers are able to sign up. But questions remain about how and why the administration bungled the rollout.
Baitman told the House Oversight and Government Reform Committee this week that on Sept. 20 the chief information security officer for the Centers for Medicaid and Medicare Services, Teresa Fryer, outlined her concerns during a teleconference. CMS is the department division running the website.
A second cybersecurity professional senior to Fryer, the chief information officer of CMS, was also uncomfortable with signing the operational and security certificate, which is a requirement for federal technology projects.
"I shared it with a few people," Baitman said, naming Corr and E.J. "Ned" Holland, the department's assistant secretary for administration.
"I thought it was noteworthy that the chief information security officer for CMS had expressed that she was uncomfortable signing it," Baitman added. He said he didn't consider that a "red flag," but he wanted to share it with senior officials.
The security certificate was finally signed on Sept. 27 by Marilyn Tavenner, the administrator of Medicare and Medicaid, whose background is in hospital administration, not technology.
It amounted to a six-month permit, coupled with a series of measures to address possible security vulnerabilities. Without complete security testing ahead of the launch, it wasn't possible to assess how well the site would stand up to hackers. Fryer testified that testing was successfully completed on Dec. 18, and she would be willing to sign off now. There have been no successful attacks on the site.
Corr, the No. 2 HHS official who was alerted by Baitman, plays a behind-the-scenes role.
Corr got his start in health care in the 1970s, running clinics in rural areas of Tennessee and Kentucky. He later served as a senior staffer to House and Senate Democrats and worked as HHS chief of staff during President Bill Clinton's administration. Before returning to government service in 2009, he was executive director of the Campaign for Tobacco-Free Kids.