Less than one month before Healthcare.gov rollout, top Obama administration official highlights risks of malicious code being uploaded into the system through Excel macros; other “high risk” findings

(Washington, DC) – Judicial Watch today released 94 pages of documents obtained from the U.S. Department of Health and Human Services (HHS) revealing that in the days leading up to the rollout of Obamacare, top Centers for Medicare and Medicaid Services (CMS) officials knew of massive security risks with Healthcare.gov and chose to roll out the website without resolving the problems. Detailed information regarding the security flaws, previously withheld from public disclosure, was released to Judicial Watch.  Also released to Judicial Watch were “Sensitive Information – Special Handling” memos sent from CMS to Mitre Corporation, the Healthcare.gov security testing company, in which CMS rated “political … damage” and “public embarrassment to CMS” as factors in defining “Risk Rating” priorities.

The HHS documents as a result of a Freedom of Information Act (FOIA) lawsuit filed by Judicial Watch on March 18, 2014, Judicial Watch v. U.S. Department of Health and Human Services (No. 1:14-cv-00430), after HHS failed to respond to a December 20, 2013, FOIA request seeking the following information:

Any and all records related to, regarding or in connection with the security of the healthcare.gov web portal including, but not limited to, studies, memoranda, correspondence, electronic communications (e-mails), and slide presentations from January 1, 2012 to the present.

The existence of a security flaw in the Healthcare.gov web portal, in which “[T]he threat and risk potential is limitless,” had been previously revealed in a redacted version of a September 3, 2013, memo published by the House Government Oversight Committee.  However, the details of that flaw and others found in the Healthcare.gov website were omitted from the House-issued memo “for security reasons,” according to a CBS News report by Sharyl Attkisson. Judicial Watch can now reveal exactly what those security flaws entailed.

These details are especially significant in light of the revelation by federal officials that the Healthcare.gov web portal was hacked last July, as reported on September 4, 2014. The documents obtained by Judicial Watch also show that top CMS officials, including CMS Chief Information Officer Tony Trenkle and CMS Director Marilynn Tavenner, were aware of the gaping security flaws, yet Tavenner chose to launch the website anyway. Trenkle himself resigned before the site’s launch date.

In a September 3, 2014, “Authorization Decision” memo, Trenkle reveals a flaw involving Excel macros that could risk malicious code being uploaded into the system. According to a “Finding” in the just released unredacted memo, “FFM [Federally Facilitated Marketplaces] has an open high finding: Macros enabled on uploaded files allow code to execute automatically.”

In the “Finding Description” alongside that finding, the memo continues: “An excel file with a macro which executes when the spreadsheet is opened was uploaded for a review by another user. The macro only opened up a command prompt window on the local user’s machine; however, the threat and risk potential is limitless. Keeping macros enabled relies on the local machine of the user who downloads to detect and stop malicious activity.”

Among the “Recommended Corrective Actions” to fix this problem, the memo says, “Implement a method for scanning uploaded documents for malicious macros.”  Remarkably, the due date provided for the corrective actions to remedy this “limitless” risk problem is May 31, 2014 – eight months after the launch of Healthcare.gov.

The above revelation about the potential for malicious code being uploaded into Healthcare.gov is especially noteworthy, in light of the September 4, 2014, Wall Street Journal article, which reported, “A hacker broke into part of the Healthcare.gov insurance enrollment website in July and uploaded malicious software, according to federal officials.”

In the same September 3, 2014 memo, details of another “high risk” finding were disclosed: “FFM has an open high finding: No evidence of functional testing processes and procedures being adequate to identify functional problems resulting in non-functional code being deployed.”

The “Finding Description” for this flaw elaborates: “Software is being deployed into implementation and production that contains functional errors. Untested software may produce functional errors that cause unintentional Denial of Service and information errors.” The due date provided to correct this high risk flaw was listed as February 26, 2015, nearly a year and a half following Obamacare’s launch.

Another security flaw identified in the September 3 memo is: “Many FFM controls are described in CFACTS as ‘Not Satisfied.’”  (CFACTS stands for CMS FISMA Controls Tracking System. It is CMS’ database used to keep track of security problems and fixes in the agency’s information systems.) The “Risk” that this problem poses is described as follows: “There is the possibility that the FFM security controls are ineffective. Ineffective controls do not appropriately protect the confidentiality, integrity and availability of data and present a risk to the CMS enterprise.” Officials provide a due date to correct this problem of February 7, 2014 – more than four months after Healthcare.gov was to launch.

The September 3 memo also reveals that “FFM appears to have selected an inappropriate E-Authentication level.” The risk significance of this problem is described as: “The E-Authentication level of a system determines the security controls and means when connecting to a system over or from an untrusted network. Use of inappropriate controls exposes the enterprise to additional risk.” The due date to correct this issue was also provided as February 7, 2014.

In a September 6, 2013, “Authorization Decision” memo from CMS’ Chief Information Officer Tony Trenkle to CMS Director of Consumer Information and Insurance Systems Group, James Kerr, Trenkle advised, “There are no findings in CFACTS for the FY13 Security Control Assessment (SCA) or the recent penetration testing.”  This meant that security problems found in testing the website had not even been entered into the database set up to keep track of security problems. Despite his findings, Trenkle gave his “Authorization to Operate,” concluding, “The current risk is deemed acceptable.”

Judicial Watch was also provided with the August 20, 2013, and December 6, 2013, Security Controls Assessment Test Plans sent by CMS to Mitre Corporation, the vendor tasked with testing the security of the Healthcare.gov portal.  CMS advised Mitre that the highest “Risk Rating” should be given to flaws that could cause “political” damage to CMS.  Moderate and low “Risk Ratings” were to include those resulting in potential “public embarrassment” to the agency. Specifically, the Assessment Test Plan provides the following Risk Ratings:

“High: Exploitation of the technical or procedural vulnerability will cause substantial harm to CMS business processes. Significant political, financial and legal damage is likely to result. [Emphasis added]

“Moderate: Exploitation of the technical or procedural vulnerability will significantly impact the confidentiality, integrity and/or availability of the system or data. Exploitation of the vulnerability may cause moderate financial loss or public embarrassment to CMS. [Emphasis added]

“Low: Exploitation of the technical or procedural vulnerability will cause minimal impact to CMS operations. The confidentiality, integrity and availability of sensitive information are not at risk of compromise. Exploitation of the vulnerability may cause slight financial loss or public embarrassment.” [Emphasis added]

“These are more smoking gun documents that the Obama administration knowingly put the privacy of millions of Americans at risk through Obamacare’s healthcare.gov ‘marketplace,’” said Judicial Watch President Tom Fitton.  “And these documents show that this administration was concerned about the political problems of the security flaws but couldn’t care less about the threat to privacy of millions of innocent Americans.  Given what we now know about Obamacare’s security, I have little doubt that Healthcare.gov is in danger of being in violation of federal privacy laws.  If you share private information on Healthcare.gov or a related Obamacare site, you should assume that your private information is unsecure and at risk at being hacked.”