States’ links to federal data worrying to security experts

WASHINGTON - As President Barack Obama’s administration raced to meet its self-imposed deadline for online health-insurance markets, security experts working for the government worried that state computer systems would become a back door for hackers.

Documents provided to The Associated Press show that more than two-thirds of state systems that were supposed to tap into federal computers to verify sensitive personal information for coverage were initially rated as “high risk” for security problems.

The administration said the documents offer only a partial and “outdated” snapshot of an improving security situation, and the problems cited were either resolved or are being addressed through specific actions.

Obama, speaking to supporters Tuesday, said about 4 million people have signed up for health insurance through the federal or state marketplaces set up under the health-care law. No successful cyber attacks have taken place, officials said.

However, the matters detailed in documents and emails provided by the House Oversight and Government Reform Committee reveal broader concerns than the federal Health and Human Services Department has previously acknowledged.

To connect to federal computers, state and other outside systems must undergo a security review and receive an “authority to connect.”

With the health-care law, states needed approval to connect to a new federal data hub, an electronic back room that pings the Social Security Administration, the Internal Revenue Service and the Department of Homeland Security to verify personal details about people applying for government-subsidized insurance. The hub handles sensitive information, including income, immigration status and Social Security numbers.

The documents show a behind-the-scenes juggling act by officials and contractors as the Oct. 1 deadline for the online health-insurance exchanges loomed.

In one email from Sept. 29, a Sunday two days before the launch, Teresa Fryer, chief information security officer for the federal Centers for Medicare and Medicaid Services, wrote of the state security approvals, “The front office is signing them whether or not they are a high risk.” Her agency, known as CMS, also administers the health-care law.

Two days earlier, in a separate document, agency administrator Marilyn Tavenner approved nine states to connect although the approval document noted that “CMS views the October 1 connections to the nine states as a risk due to the fact that their documentation may not be submitted completely nor reviewed … by Oct. 1.”

Approval for those moderate-risk states was contingent on their submission of proper documentation. The states were Arkansas, Illinois, Iowa, Louisiana, Montana, Nebraska, Pennsylvania, Oklahoma and South Dakota.

Meanwhile, an agency PowerPoint presentation from Sept. 23 revealed huge differences in states’ readiness. Some were already approved, while others had security weaknesses that were well understood and being tackled. But there were also states where the federal government had little information on security preparations.

“CMS views these connections to states as a high risk due to the unknown nature of their systems,” according to the presentation.

Agency officials contemplated whether they would have to accept risk on behalf of other federal government entities, including Social Security and the IRS.

In another document, a federal contractor explicitly detailed the potential consequences of what he called an “elevated high risk.”

Allowing states to connect without the appropriate review “introduces an unknown amount of risk” that could put the personal information of “potentially millions of users at risk of identity theft,” not to mention exposing the program to fraud, contractor Ryan Brewer wrote to the Centers for Medicare and Medicaid Services in a Sept. 18 email.

Brewer had formerly been the agency’s top information security officer. He is currently with the cyber security firm GrayScout. The administration said he had no direct knowledge of the status of state security information.

In a Thursday letter to the oversight panel’s chairman, Rep. Darrell Issa, R-Calif., the administration said many of the high-risk issues identified in the documents had a corrective action plan before states got approval to connect. Twelve states received temporary, 60-day permissions to connect before Oct. 1 because the administration had not completed full reviews.

Currently, 46 states and Washington, D.C., have full three-year permissions to connect, wrote Health and Human Services Assistant Secretary Jim Esquea.

“The administration has not been forthcoming with the American people about the serious security risks,” Issa said in a statement. “Despite repeated assurances from HHS, the department appears to still be struggling with security concerns.” Information for this article was contributed by Darlene Superville and Ken Thomas of The Associated Press.