January 16, 2014

Committee Holds Another Politically Motivated Hearing on Healthcare.gov

(Washington, DC) – Today, the House Committee on Science, Space, and Technology held its second hearing on alleged security issues of Healthcare.gov.  Testifying before the Committee were four private IT security experts, including the Minority witness Mr. Waylon Krush, currently the CEO of Lunarline, a cyber-security consulting firm, where he works with federal and commercial clients.  Mr. Krush is also a founding member of the Warrior to Cyber Warrior program, a free cybersecurity training program for returning Veterans.  In his testimony, Mr. Krush said that “to truly understand system risk – particularly for a system as complex as Healthcare.gov – you have to know a system inside and out.  Speculating that specific attacks threaten the security of Healthcare.gov is just that.  Speculation.” 

Ranking Member Eddie Bernice Johnson (D-TX) said in her opening statement, “I am concerned that the intention of this hearing appears to be to scare Americans away from the Healthcare.gov site.  This represents a continuation of a cynical campaign to make the Affordable Care Act fail through lack of participation. While we are holding this hearing, both the House Oversight and Government Reform Committee and the Energy and Commerce Committee are holding similar events.  All with the apparent goal to create a sense of fear, thereby manufacturing an artificial security crisis.”

She continued, “The country faces a lot of real issues and real policy challenges.   If we are truly interested in hacking and identity theft, we should have representatives of the largest retail institutions in the country here to discuss the challenges they face in protecting people’s information.”

Democratic Members emphasized that there have been no security breaches on Healthcare.gov, that Healthcare.gov followed the federal standards for cybersecurity that include continuous monitoring of the system, and the fundamental fact that Healthcare.gov does not contain medical records.  Additionally, Democratic Members pointed out that numerous other websites have more personally identifiable data on them and that the most significant data breaches have occurred in the private sector, neither of which was a focus of the hearing.

In his testimony, Mr. Krush described the Risk Management Framework that is used when developing federal information systems. He stated that the process for implementing security on a Federal Information System is much more rigorous and in-depth than in the commercial markets and that this rigor would have been enforced on Healthcare.gov. Mr. Krush served in the Army for seven years, engaging in “red team” penetration testing of federal government websites; he is a former information security engineer in the Advanced Systems Division at AT&T; and he helped write the federal standards for security controls used by all U.S. federal information systems except those related to national security.

Ms. Johnson said of the political nature of the hearing, “[I]t appears that the Majority has allowed the Committee to become a tool of political messaging to a degree I have never witnessed in my time in Congress.  And I have been here 22 years.”

At the same time that the Science Committee was taking testimony from witnesses who had no specific knowledge regarding the security or vulnerabilities of Healthcare.gov, the House Committee on Oversight and Government Reform received testimony from the Chief Information Security Officer at the Centers for Medicare and Medicaid Services.  The security officer, Theresa Fryer, testified that the site's "security control assessment met all industry standards, was an end-to-end test and was conducted in a stable environment that allowed for testing to be completed in the allotted time (completed December 18)."  Fryer also testified that, "The protections that we have put in place have successfully prevented attacks…There have been no successful security attacks on the FFM (federal marketplace), and no person or group has maliciously accessed personally identifiable information."