CMS Officials Warned Of Security Risks Just Before Healthcare.gov Went Live

Jaikumar Vijayan | Computerworld | October 30, 2013

Internal memo obtained by CNN shows concerns about a lack of end-to-end testing

Less than four days before Healthcare.gov went live, two senior officials at the U.S. Centers for Medicare & Medicaid Services (CMS) expressed reservations about the security preparedness of the site.

In a memo addressed to CMS administrator Marilyn Tavenner, the officials noted that a required Security Control Assessment (SCA) of the site had only been partially completed due to "system readiness issues."

This failure to complete the testing represents a risk that the CMS needs to mitigate once the site goes live, the officials noted. The internal CMS memo, dated Sep. 27, was obtained by CNN, which published a copy of it on its website Wednesday.

The memo, written by James Kerr, consortium administrator for Medicare Health Plans Operations, and Henry Chao, deputy CIO at the CMS, noted that security tests had been successfully conducted on different versions of the system right through the development process.