[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]
HOW SECURE IS PRIVATE MEDICAL INFORMATION? A REVIEW OF COMPUTER
SECURITY AT THE HEALTH CARE FINANCING ADMINISTRATION AND ITS MEDICARE
CONTRACTORS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
OVERSIGHT AND INVESTIGATIONS
of the
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
FIRST SESSION
__________
MAY 23, 2001
__________
Serial No. 107-29
__________
Printed for the use of the Committee on Energy and Commerce
Available via the World Wide Web: http://www.access.gpo.gov/congress/
house
__________
U.S. GOVERNMENT PRINTING OFFICE
72-833 WASHINGTON : 2001
_______________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001
COMMITTEE ON ENERGY AND COMMERCE
W.J. ``BILLY'' TAUZIN, Louisiana, Chairman
MICHAEL BILIRAKIS, Florida JOHN D. DINGELL, Michigan
JOE BARTON, Texas HENRY A. WAXMAN, California
FRED UPTON, Michigan EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida RALPH M. HALL, Texas
PAUL E. GILLMOR, Ohio RICK BOUCHER, Virginia
JAMES C. GREENWOOD, Pennsylvania EDOLPHUS TOWNS, New York
CHRISTOPHER COX, California FRANK PALLONE, Jr., New Jersey
NATHAN DEAL, Georgia SHERROD BROWN, Ohio
STEVE LARGENT, Oklahoma BART GORDON, Tennessee
RICHARD BURR, North Carolina PETER DEUTSCH, Florida
ED WHITFIELD, Kentucky BOBBY L. RUSH, Illinois
GREG GANSKE, Iowa ANNA G. ESHOO, California
CHARLIE NORWOOD, Georgia BART STUPAK, Michigan
BARBARA CUBIN, Wyoming ELIOT L. ENGEL, New York
JOHN SHIMKUS, Illinois TOM SAWYER, Ohio
HEATHER WILSON, New Mexico ALBERT R. WYNN, Maryland
JOHN B. SHADEGG, Arizona GENE GREEN, Texas
CHARLES ``CHIP'' PICKERING, KAREN McCARTHY, Missouri
Mississippi TED STRICKLAND, Ohio
VITO FOSSELLA, New York DIANA DeGETTE, Colorado
ROY BLUNT, Missouri THOMAS M. BARRETT, Wisconsin
TOM DAVIS, Virginia BILL LUTHER, Minnesota
ED BRYANT, Tennessee LOIS CAPPS, California
ROBERT L. EHRLICH, Jr., Maryland MICHAEL F. DOYLE, Pennsylvania
STEVE BUYER, Indiana CHRISTOPHER JOHN, Louisiana
GEORGE RADANOVICH, California JANE HARMAN, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska
David V. Marventano, Staff Director
James D. Barnette, General Counsel
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel
______
Subcommittee on Oversight and Investigations
JAMES C. GREENWOOD, Pennsylvania, Chairman
MICHAEL BILIRAKIS, Florida PETER DEUTSCH, Florida
CLIFF STEARNS, Florida BART STUPAK, Michigan
PAUL E. GILLMOR, Ohio TED STRICKLAND, Ohio
STEVE LARGENT, Oklahoma DIANA DeGETTE, Colorado
RICHARD BURR, North Carolina CHRISTOPHER JOHN, Louisiana
ED WHITFIELD, Kentucky BOBBY L. RUSH, Illinois
Vice Chairman JOHN D. DINGELL, Michigan,
CHARLES F. BASS, New Hampshire (Ex Officio)
W.J. ``BILLY'' TAUZIN, Louisiana
(Ex Officio)
(ii)
C O N T E N T S
__________
Page
Testimony of:
Adair, Jared, Acting Chief Information Officer, Health Care
Financing Administration, accompanied by John Van Walker,
Senior Advisor for Technology to CIO and Julie Boughn,
Director, Division of HCFA Enterprise Standards............ 9
Neuman, Michael, President and Lead Programmer, En Garde
Systems, Incorporated...................................... 18
Vengrin, Joseph E., Assistant Inspector General for Audit
Operations and Financial Statement Activities, accompanied
by Ed Meyers, Director, Information Technology Systems,
Office of Inspector General................................ 13
Material submitted for the record:
Documents referenced during hearing.......................... 40
(iii)
HOW SECURE IS PRIVATE MEDICAL INFORMATION? A REVIEW OF COMPUTER
SECURITY AT THE HEALTH CARE FINANCING ADMINISTRATION AND ITS MEDICARE
CONTRACTORS
----------
WEDNESDAY, MAY 23, 2001
House of Representatives,
Committee on Energy and Commerce,
Subcommittee on Oversight and Investigations,
Washington, DC.
The subcommittee met, pursuant to notice, at 10 a.m. in
room 2322, Rayburn House Office Building, Hon. James C.
Greenwood (chairman) presiding.
Members present: Representatives Greenwood, Whitfield, and
Tauzin (ex efficio).
Staff present: Amit Sachdev, majority counsel; Tom Dilenge,
majority counsel; Gary Dionne, Congressional Fellow; Peter
Kielty, legislative clerk; and Edith Holleman, minority
counsel.
Mr. Greenwood. Good morning. I am James Greenwood, chairman
of the subcommittee, and I apologize to our witnesses and to
the rest of you for the delay. The chairman of the full
committee, Mr. Tauzin, would like to join us. As if often the
case, another subcommittee is having a hearing, and he is
giving his opening statement at that hearing and should be with
us in a few minutes. So if you will--just ask your forbearance
for another few minutes, we will commence then.
[Brief recess.]
Mr. Greenwood. Well, we are informed that the chairman is
on his way, so we will begin. Our hearing will come to order.
Good morning. When Americans think about the future, their
greatest concern, according to a recent Wall Street Journal/NBC
News survey, is protecting their privacy. What is particularly
interesting about this discovery is that America's concern for
privacy is greater than concerns about such critical issues as
overpopulation, global warming, and even nuclear war. And when
it comes to the privacy of health data the findings are even
more startling.
Another recent survey has found that one in five Americans
believes his health data has been used inappropriately. And one
in six have altered their behavior to avoid the misuse of
information, even to the point of avoiding necessary medical
care.
If we are to address the nagging concerns of our fellow
citizens with regard to the privacy of their medical records,
then our standards must be very high indeed. Like Caesar's
wife, the security of our Nation's private health records must
be above suspicion. It is in the light of these and some
disturbing findings that we, in this subcommittee, gathered
today to examine this issue, particularly as it affects the
tens of millions of elderly and disabled Americans who rely on
the Federal Medicare Program.
The question posed today is how secure is the very
sensitive and private medical information gathered by the
Health Care Financing Administration, better known as HCFA, and
its dozens of fiscal intermediaries and carriers who process
literally billions of Medicare claims every year?
To begin to answer this question, several months ago I
requested that HCFA provide this subcommittee with information
and documentation relating to computer security, including all
penetration tests or vulnerability audits that have been
conducted on its various networks in the past 5 years.
Committee staff also met with senior managers at HCFA on a
number of occasions since then to review the information
provided and to ask follow-up questions.
Before discussing our findings, I want to start by
providing some important background and context. HCFA processes
and pays more than $170 billion annually in claims for Medicare
health benefits, using a large and complex computer network
that links health providers, such as nursing homes and
hospitals, with billing clearinghouses, fiscal intermediaries,
and carriers.
Using a private dial-up telecommunications network provided
by AT&T, and provided by IBM prior to mid-1999, known as the
Medicare Data Communications Network, or MDCN, Medicare
contractors process standard Medicare claims that contain
personally identifiable medical information, such as names,
addresses, treatment, and diagnosis codes and payment and
insurance data.
This sensitive information traverses the MDCN in order to
be linked with necessary data bases of information contained by
HCFA and its contractors, including beneficiary claim
histories, eligibility data, such as social security numbers,
and other information stored in HCFA's Common Working File,
known as CWF. This computing network has over 75,000 authorized
users. And while it is a private-line network, it has
connectivity with other HCFA systems that are accessible via
the Internet. In addition, AT&T uses this private-line network
to provide similar services to roughly 35,000 customers
worldwide, including banks, insurance companies, health care
companies, and other Government agencies.
Much of what we have learned so far is good news. Compared
to many of its fellow agencies in the Federal Government, HCFA
has taken a much more proactive approach to cyber security,
particularly in the last 2 years. HCFA has conducted numerous
tests of its own systems, including penetration tests from both
inside and outside of the network. HCFA generally has limited
its Internet connections to reduce the possibility of outside
attack, and last year reconfigured those connections to further
minimize the chance of unauthorized intrusions after a team of
hired experts successfully penetrated its so-called secure
network via the Internet.
HCFA also is in the process of upgrading its internal
systems to reduce the systemic vulnerabilities in its desktop
operations, which should be complete by the end of this fiscal
year. Moreover, HCFA recently embarked upon an initiative to
review and upgrade the security of its Medicare contractors to
ensure compliance with current Federal requirements, something
that has not been done in a comprehensive manner in a very long
time.
The subcommittee has just begun to look at these contractor
systems and will continue to monitor HCFA's efforts to improve
their overall security. I also should point out that the new
Secretary of the Department of Health and Human Services has
made improved computer security at HCFA a top priority and has
proposed a new $30 million fund to help pay for it.
HCFA and several of its Medicare contractors also have
reported to this committee that they are unaware of any
significant intrusions into their systems by unauthorized
individuals, which is surely good news, although it is
important to keep in mind that there could have been intrusions
that went undetected, as was the case with several of the
intrusions perpetrated by the ethical hackers hired by HCFA and
the Inspector General, which we will talk about today.
The news, however, is not all good. Audit after audit, even
the most recent, continue to reveal significant computer
security problems at HCFA and its Medicare contractors,
vulnerabilities that continue to place personally identifiable
medical information at risk of unauthorized access, disclosure,
misuse or destruction. While much has been done to limit the
possibility of the truly outside attack by the World Wide Web,
this threat still exists, as several of our witnesses today
will describe.
For example, in 1999, HCFA issued a contract to En Garde
Systems to conduct ethical hacking in the form of external
penetration tests to determine whether the MDCN was secure from
attacks from hackers on the Internet. I am pleased that En
Garde Systems is before the subcommittee today as a witness,
and I am releasing a redacted version of the 1999 test results.
In that test, En Garde was easily able to exploit a
vulnerability in HCFA's web site to get access to the MDCN and
then HCFA's internal computer network.
This was rightly viewed as a serious security breach, and
at that time En Garde recommended that HCFA reconfigure its
computers to discontinue the linkage between the Internet and
the secured, private MDCN, the connection that HCFA used to
load information onto its web sites. While HCFA made some
changes to address this vulnerability at that time, the agency
did not follow through on the major En Garde recommendation
until pressed by this committee, informing us just yesterday
that it has disconnected this particular Internet connection.
While that certainly is progress, still more must be done to
reduce the risks imposed by external sources.
In addition, the threat from internal sources is great and
includes the 75,000 employees of HCFA, its contractors, and
certain nursing homes that have authorized access to the
Medicare Transaction Network. More must be done and soon to
minimize this risk as well. HCFA must improve the basics of
security management. It lacks complete security plans, risk
assessments, and accreditations for many of its major systems
and applications. It fails to enforce strong passwords through
the use of available automated tools and fails to block its own
employees from downloading Internet hacker tools that could be
used to exploit the known vulnerabilities in its internal
systems, as two separate auditors did in tests conducted over
the past year.
I was pleased to learn just yesterday that the Department
of Health and Human Services, which oversees HCFA, plans to
issue for comment a new policy shortly, at our urging, that
will require its operating divisions to regularly scan their
systems for weak passwords, something that CDC, for example,
already has been doing but that HCFA does not currently do.
HCFA has also failed, in my opinion, to implement an
adequate testing regime to ensure the security of the Medicare
system. While many audits and penetration tests have been done
over the years, the restrictions imposed by HCFA on both the
scope and nature of these tests limit their overall
effectiveness in evaluating the real security posture of the
agency's various systems and networks.
For example, ever since a 1997 penetration test conducted
by the IG's auditors resulted in the penetration of HCFA's
mainframe in the altering of Medicare payment information, HCFA
has refused to permit the IG's auditors to conduct similar in-
depth testing. In addition, HCFA oftentimes has been slow to
implement needed corrective actions following poor test
results, and has not consistently tested the efficacy of the
corrective actions once implemented.
HCFA also needs to do a better job overseeing its Medicare
contractors, as well as those contractors such as IBM and AT&T
that provide critical network services utilized by HCFA and its
business partners. For too long, it would appear, HCFA has
allowed these contractors to essentially assess themselves
without sufficiently rigorous independent testing.
The committee's review has found only one set of
penetration tests ordered by HCFA back in 1998 and covering
just four of HCFA's more than 55 Medicare contractors. Since
that time, and despite some significant findings, HCFA has not
conducted further tests of its contractors, leaving that task
to the Department's Office of Inspector General, which conducts
annual assessments of financial controls at HCFA and its major
Medicare contractors. But these IG audits, as the IG notes in
its testimony today, are fairly low-level tests due to
restrictions imposed upon them and are not meant to really test
the adequacy of computer security.
Even so, in every year since 1996, the IG has identified
computer security controls to be a, ``material weakness'' at
both HCFA's Central Office and its Medicare contractors. HCFA
either needs to step up its own testing of these contractors or
work to ensure that the IG is permitted to conduct full-scale
testing of these contractor systems.
I am also concerned that HCFA has not yet insisted that
AT&T and IBM, which respectively run the private network upon
which the MDCN runs and the HCFA web servers, agree to a
thorough testing of the interconnectivity between these
networks, HCFA, and the Internet and between the more than
35,000 AT&T customers that utilize the private network in
addition to HCFA.
Clearly, HCFA has dragged its feet when it comes to
assuring the security of these systems. Back in 1998, En Garde
Systems sensibly recommended that HCFA conduct several distinct
tests of those systems to evaluate their security given the
incredible trust HCFA places upon them. Two and a half years
later, only one of these tests has been conducted, and despite
identifying serious problems, no further testing has been done.
As the committee found, neither HCFA nor AT&T has yet tested
the security of the MDCN to determine whether one HCFA partner
could gain unauthorized access to HCFA internal systems via the
MDCN connection or whether one of AT&T's 35,000 other customers
that utilize this same network could do the same.
Oral assurances are one thing, test results are another. So
how secure is confidential and personal Medicare information?
Clearly, it is not secure enough. While HCFA is to be commended
on its success in making its data more secure than many other
types of sensitive data collected by the Federal Government, it
is less secure than it can or should be.
Accordingly, today I call upon HCFA to take the following
actions: One, HCFA must step up its efforts to implement the
outstanding corrective actions necessary to address known
vulnerabilities in its own systems; two, HCFA must demand that
its contractors submit to independent testing of their systems,
including those test of the AT&T and IBM networks that were
recommended more than 2\1/2\ years ago; three, HCFA must
aggressively carry out its plan to review and upgrade the
security of its Medicare contractors and be prepared to fund
needed corrective actions; four, HCFA must build into its
security management a more regular and vigorous process of
scanning its networks for vulnerabilities, improve
configurations, and weak passwords; and five, HCFA must quickly
evaluate the security of its remote access and dial-up
capabilities and enhance that security where necessary. I
understand the contract for these services is about to expire,
and it is my strong recommendation that the new contract
reflect these recommendations.
I look forward to working with HCFA, this new
Administration, and with members on both sides of the aisle to
improve the protection afforded to this highly personal
information of Medicare beneficiaries. When it comes to such
sensitive data, we can never be too vigilant.
I will now recognize the chairman of the full committee,
Mr. Tauzin, for his opening statement.
Chairman Tauzin. Thank you, Mr. Chairman. First, let me
assure the witnesses today and our guests that the lack of
attendance of members at this hearing should not be taken as
any sign of a lack of interest in this important subject. There
is an important hearing going on downstairs on the issue of
online fraud, which is very similar, in some respects, to our
concerns as regards the issues of security of the HCFA systems.
And there are other distractions, such as that occurring on the
Senate today, that is occupying quite a few members this
morning, as everybody considers fallout from what might happen
this afternoon.
But I can assure there is huge interest and support for
you, Mr. Chairman, and this inquiry among the committee members
on both sides of the aisle. And I want to join you in the list
of recommendations you have made today to HCFA. The protection
of privacy and private information in the HCFA systems is a
critical issue. It is not only critical for the security of
those funds and those systems, which are critical to many
millions of older Americans and ill Americans, it is also
equally critical in terms of the privacy rights of Americans
whose sensitive medical histories, medical treatments, and
medical information can be at risk.
We recently held hearings with the Secretary of the health
agency regarding the ongoing decisions regarding health
insurance--health information, rather, privacy. And those
privacy rules are currently under review to make sure that we
get them right. It will do little good for us to have privacy
rules at a health agency and privacy laws in general if the
Internet and computer systems that contain those data banks and
upon which that information is moved is available to hackers
and intruders and people who would create mischief with that
information. It is critical that this hearing continue to
produce oversight, the kind of extraordinary and sensitive,
constant review and attention to the questions of privacy in
these systems.
Last month, the subcommittee held a hearing that showed
just how easily it was for Federal computer systems to be
penetrated by hackers. At that hearing, we saw first hand just
how easily a team of 20-something ethical hackers could, in
minutes, hack into Government computers, crack passwords, and
escalate their privileges to allow them not only to get into a
computer system but to take control of it and to take control
of entire computer networks. That was one frightening hearing.
I hope those of you who are here today, if you were not present
for that hearing, will go back and read some of the testimony
given that day.
Anybody watching how easily those hackers got into those
systems and controlled those systems and what they said they
could do once they controlled them, how they could take
control, for example, of the microphones and record any
conversations in the room where the computer is located. If you
had a camera on your computer, how they could take control of
the camera and actually view anything going on in the room
where the computer is located. Anybody who saw that
demonstration had to be extraordinarily concerned about the
security of systems where sensitive, private information is
stored and transmitted.
Today's hearing will continue our investigation into
Federal computer security and will highlight the results of the
committee's review of the Health Care Financing Administration,
or HCFA. Like Chairman Greenwood, I am pleased, first of all,
to learn that HCFA is doing a better job than many other
agencies in working to address computer security
vulnerabilities. But let us be honest, HCFA has to do a better
job than most other Federal agencies. The information is much
more sensitive than many other Federal agencies.
And the information you have backs up a Federal support
system that is critical to the health care of millions of
Americans--our own moms and dads and grandparents and aunts and
uncles and soon brothers and sisters and ourselves. And we
can't permit HCFA to have anything less than the best when it
comes to security in these systems.
Now, the bottom line is that it is not going to be enough
for HCFA to make sure its own systems are properly protected,
because oversight testing of Medicare contractors and their
systems are equally important. It is not enough to say that
HCFA can take the assurances of IBM and AT&T that their systems
are secure. We need to know that they have been tested, and we
need to know that HCFA is taking great steps to make sure that
those assurances are real. It is not that we think that
contractors are incompetent or deceptive; it is simply we
cannot and should not take anybody's word for it. If you are
going to contract with separate systems to carry this data and
to help administer the program, the Government agency has an
obligation that it cannot waiver from in its self-knowing that
those systems are secure, not taking anybody's word for it.
So I want to strongly encourage you to go much further in
this area than you have gone so far. And I want to congratulate
Chairman Greenwood for the very clear successes that his
investigation has already produced in terms of pressing the
Department and HCFA to make certain improvements in the
management of security at HCFA prior to this hearing today.
I don't think, Mr. Chairman, this subcommittee can rest
until you and I and members can stand before any camera in
America and say that we are personally satisfied the medical
information of our constituents is adequately protected and
that the systems that back up the health security of our
families is adequately protected and that the solvency and
financial security of those funds is not threatened by hackers,
whom we saw in this room, given the chance, that come in and
totally destroy sanctity and solvency of those funds. Now,
until we can personally do that, until you have done your job
to personally assure yourselves of that and satisfied us that
it is also true, this committee has to keep up its vigilant
attention on this issue.
Thank you, Mr. Chairman.
[The prepared statement of Hon. W.J. ``Billy'' Tauzin
follows:]
Prepared Statement of Hon. W.J. ``Billy'' Tauzin, Chairman, Committee
on Energy and Commerce
Thank you, Mr. Chairman, and let me commend you for holding this
very timely hearing on a topic of such great importance to the American
people--the protection of their privacy and their private information.
Due in part to the Internet, Americans today are paying greater
attention to privacy protections. But I don't think that many people
realize the extent to which the ongoing debate over privacy is so
closely related to the issue of computer security. That is one reason
why this Committee has been conducting an investigation into the
adequacy of Federal efforts to protect our nation's cyber
infrastructure and the vast amounts of sensitive data stored on Federal
computers.
Last month, the Subcommittee held a hearing that showed just how
easily Federal computer systems could be penetrated by hackers. At that
hearing, we saw first hand just how easily a team of 20-something
``ethical hackers'' could, in minutes, hack into government computers,
crack passwords, and escalate their privileges to allow them to get
control of entire computer networks.
Today's hearing continues our investigation into Federal computer
security and highlights the results of the Committee's review of the
Health Care Financing Administration, or HCFA. Like Chairman Greenwood,
I am pleased to learn that HCFA has been doing a better job than many
other agencies in working to address computer security vulnerabilities.
But HCFA is an agency that must do better than most agencies.
The security of the Medicare claims system is a matter that HCFA
and all of us must take very seriously--for it is one of the most
critical Federal assets, containing vast amounts of personally
identifiable private medical information. And there is no doubt that
HCFA can and must do better in this area. This hearing will explore the
very real security vulnerabilities that face HCFA, and the serious
management challenges the agency must address in order to properly
secure the computer networks that make the Medicare claims system work.
Let me highlight just one of these issues, namely HCFA's failure to
conduct sufficient oversight and testing of its Medicare contractors
and the contractors such as IBM and AT&T that provide critical network
services to HCFA. I share Chairman Greenwood's concerns that HCFA has
not been aggressive enough in pushing these contractors to allow
independent tests of their systems. In an area as sensitive as this
one, we simply cannot take their assurances of security at face value--
not because they are incompetent or deceptive, but simply because they
may not be as secure as they would like to think.
I want to strongly encourage the agency to go further in this area,
not just with respect to its contractors' networks, but also its own.
Without rigorous, independent testing, we simply cannot assure the
American people that their private medical information is indeed
protected.
Finally, I want to congratulate Chairman Greenwood for the clear
successes this investigation already has produced in terms of pressing
the Department and HCFA to make certain improvements to the management
of security at HCFA prior to this hearing today.
I look forward to the testimony from our witnesses today, and
continuing to work with HCFA and this Committee as it works to address
these concerns.
Mr. Greenwood. I thank the chairman for his opening
statement and welcome the witnesses. There is an amendment to
our witness list. Ms. Michael McMullan, the Acting Deputy
Administrator of HCFA will not be testifying, but we do welcome
Ms. Jared Adair, the Acting Chief Information Officer of the
Health Care Financing Administration. She is accompanied by Mr.
John Van Walker, the Senior Advisor for Technology to the HCFA
CIO, and Julie Boughn, Director of the Division of HCFA
Enterprise Standards.
We are also pleased to have with us, Mr. Michael Neuman,
president and lead programmer of En Garde Systems,
Incorporated, as well as Mr. Joseph Vengrin, Assistant
Inspector General for Audit Operations and Financial Statement
Activities, who is accompanied by Mr. Ed Meyers, Director,
Information Technology Systems of the Office of Inspector
General at the Department of Health and Human Services.
Welcome to all of you. You are, I believe, aware that the
committee is holding an investigative hearing, and when doing
so has had the practice of taking testimony under oath. Do you
any of you have objections to testifying under oath?
Seeing none, the Chair then advises you that under the
rules of the House and the rules of the committee you are
entitled to be advised by counsel. Do you desire to be advised
by counsel during your testimony?
In that case, would you please rise and raise your right
hand, and I will swear you in.
[Witnesses sworn.]
Mr. Greenwood. Thank you. You may be seated. You are now
under oath. And we would like to proceed, I believe, beginning
with an opening statement from Ms. Adair for 5 minutes.
Welcome.
TESTIMONY OF JARED ADAIR, ACTING CHIEF INFORMATION OFFICER,
HEALTH CARE FINANCING ADMINISTRATION, ACCOMPANIED BY JOHN VAN
WALKER, SENIOR ADVISOR FOR TECHNOLOGY TO CIO AND JULIE BOUGHN,
DIRECTOR, DIVISION OF HCFA ENTERPRISE STANDARDS; JOSEPH E.
VENGRIN, ASSISTANT INSPECTOR GENERAL FOR AUDIT OPERATIONS AND
FINANCIAL STATEMENT ACTIVITIES, ACCOMPANIED BY ED MEYERS,
DIRECTOR, INFORMATION TECHNOLOGY SYSTEMS, OFFICE OF INSPECTOR
GENERAL; AND MICHAEL NEUMAN, PRESIDENT AND LEAD PROGRAMMER, EN
GARDE SYSTEMS, INCORPORATED
Ms. Adair. Thank you.
Mr. Greenwood. Good morning.
Ms. Adair. Good morning. Chairman Tauzin, Chairman
Greenwood, thank you for inviting us here today to discuss the
Health Care Financing Administration's information security
efforts. Protecting the confidential health information of the
Americans who rely on our programs is a critically important
responsibility. I assure you we take this duty seriously, and
over the last few years we have made substantial improvement.
Beneficiary data are essential to carrying out Medicare's
health insurance functions. These data allow us to determine if
an individual is enrolled in Medicare and to determine whether
a claim should be paid and how much to be paid. As custodians
of these data, it is our job to ensure that proper safeguards
are in place. Our beneficiaries deserve no less.
We face considerable security challenges due to Medicare's
current, complex environment. The complexity of this
environment is driven by the increasingly data-intensive nature
of modern health care. And because our claims processing
contractors are, by law, decentralized. We are proud in the
history of the Medicare Program there have been no significant
security or privacy breaches of Medicare systems, and there
have been no substantial problems with breaches of
confidential, beneficiary or provider data. Nevertheless, we
remain vigilant in our efforts to protect beneficiary
information.
We recognize that although perfect security is
unattainable, we must constantly and rigorously improve our
defenses. Even the smallest technological change can open us to
new threats that cannot always be anticipated. We have worked
proactively to identify, correct, and prevent problems. And I
want to thank the Office of the Inspector General as well as
the General Accounting Office for their assistance in
highlighting areas where we can make improvements and in
recommending solutions. Their work serves as an important road
map for us as we work to improve security.
We have instituted a comprehensive system security program
across our entire enterprise, and we continue to make great
strides in improving security. For example, we became one of
the first non-military Federal agencies to initiate third-party
penetration testing of our system. At our agency and at some of
our claims processor contractors, we have used ethical hackers
to test for potential vulnerabilities before someone actually
seeking to do harm could discover them. In addition, we have
been conservative in moving to new e-business technology to
ensure that adequate protections are in place before using this
kind of technology. And we do not share confidential
beneficiary information for marketing or commercial purposes.
We have established baseline security requirements for our
claims processing contractors and are assessing how their
security measures meet or exceed our requirements. These
assessments will be valuable for future security planning.
Internally we are improving processes for managing access to
data to help ensure that only staff with a legitimate
professional need have access to sensitive information and that
the data are used appropriately. We look carefully at whether
an employee's job entails need-to-know confidential
information. Even our senior staff, including the Chief
Information Officer and myself, cannot browse this information,
because we do not have a need to know.
Additionally, we are increasing awareness of security to
the entire agency and to our contractors, reminding them that
bad habits, such as sharing passwords, could lead to unintended
consequences. Beginning this summer, all HCFA staff will
complete annual training on computer security.
We are working hard to protect confidential health data.
Our goal is to create multi-layered security defenses that when
taken together establish a solid security posture for our
agency. We want to work with you and our partners to make sure
that we protect this information and fulfill all of our
responsibilities to our beneficiaries and the taxpayers.
Thank you for holding this hearing, and I will be happy to
answer questions.
[The prepared statement of Jared Adair follows:]
Prepared Statement of Jared Adair, Deputy Chief Information Officer,
Health Care Financing Administration
Chairman Greenwood, Congressman Deutsch, other distinguished
members of the Subcommittee, thank you for inviting me to discuss the
Health Care Financing Administration's (HCFA) information technology
security efforts and our plans for the future. Protecting the
confidential health information of the Americans who rely on our
programs is a critical responsibility, and we take this duty seriously.
I appreciate the opportunity to share our efforts and plans with you.
Confidential data are essential to carry out many of our business
functions. For example, to pay a Medicare claim, we must confirm the
beneficiary's eligibility for Medicare benefits, obtain information
about secondary payers, review the claims history, and perform other
data-intensive activities. Similarly, for a Medicare managed care
payment, we have to establish the beneficiary's enrollment, calculate
the payment amount, and forward that amount to the plan. In addition,
efforts to encourage high quality care require analysis of the
treatments and complications that Medicare beneficiaries experience. As
manager and custodian of this data, we have a legal and practical
responsibility to assure that proper security safeguards are in place
for maintaining confidentiality, integrity, and appropriate
availability of this data. We take this responsibility seriously, and
the public counts on us to do so.
This Committee and Congress recognized this when they passed the
Government Information Security Reform Act, focusing attention across
the government on information security concerns. While we have not yet
experienced any significant breach of our systems' security, we remain
vigilant in our efforts to protect beneficiary information. Our staff
and partners like the Inspector General (IG) have identified security
vulnerabilities within our systems, and we have taken appropriate steps
to address them. I want to commend the IG, as well as the General
Accounting Office (GAO) and others, for their assistance in
highlighting these vulnerabilities and their recommendations for
solutions. Their work serves as an important roadmap for us as we work
to improve security across our Agency. Moreover, in our recent Chief
Financial Officer Electronic Data Processing audit, the IG acknowledged
that we have made progress with our security efforts. As a result of
increasing use and changing technologies, the demands on our
information technology architecture are greater than ever before, and
security risks continue to evolve. Clearly, we must continue to enhance
and improve security in order to meet today's needs and tomorrow's
challenges.
We recognize that although perfect security is unattainable, we
must constantly and rigorously improve our defenses. As the technology
we use in administering our programs has grown more complex, old
threats have intensified and new security threats have emerged. Even
the smallest technological change can open us to new threats, which
cannot always be anticipated.
As the Deputy Director of HCFA's Office of Information Services and
Deputy Chief Information Officer, I am acutely aware of our computer
system security responsibilities. We have worked hard, especially in
the past 5 years, to identify, correct, and prevent problems with the
security of our computer systems. We have instituted a comprehensive
and effective system security program across our entire enterprise, and
we continue to make great strides in improving security both in our
internal systems and the systems of our external business partners. We
have greatly improved our security, and we have concrete plans to
improve it further.
BACKGROUND
In the history of the Medicare program, there have been no
significant security or privacy breaches with Medicare systems, nor
have there been substantial problems with breaches of confidential
beneficiary or provider data. However, we face considerable security
challenges due to Medicare's current, complex environment. The
complexity of this environment is driven by the increasingly data-
intensive nature of modern health care as we strive to meet our mission
of providing high-quality health insurance coverage to nearly 40
million older and disabled Americans. By law, Medicare fee-for-service
claims are processed by about 50 private sector insurance companies who
each have their own business processes and variations in the use of
Medicare claims processing software, which we are responsible for
overseeing. From a technology standpoint, such decentralization
requires that we transmit data with contractors to ensure that we bring
together up-to-date information on eligibility, enrollment,
deductibles, utilization, and other potential insurance payers. We also
must share eligibility and managed care enrollment data with the
approximately 540 managed care plans providing services to Medicare
beneficiaries.
In addition to these demands, we are striving to make information
about our programs and services more readily available to Medicare
beneficiaries, physicians, and other providers. We need to provide
timely solutions and ready access to information for our customers and
partners so they can research Medicare benefits, billing rules and
procedures, the quality and safety of care, and a host of other
subjects. However, we must balance this need with our responsibility to
protect sensitive information from unauthorized access, such as
preventing ``hackers'' from violating our internal systems via our
public Internet sites. And we must address both of these priorities
within the aging nature of our current information technology
infrastructure.
We learned a great deal about how to address information technology
challenges two years ago when, in partnership with Congress and over
one million health care providers across the country, we successfully
met the Year 2000 challenge. Now, with our resources no longer
committed to that effort, we have resumed efforts to implement
legislative changes mandated by the Health Insurance Portability and
Accountability Act, the Balanced Budget Act of 1997, the Balanced
Budget Refinement Act of 1999, and the Medicare, Medicaid, and SCHIP
Benefits and Improvement Act of 2000. We also have initiatives to
modernize other areas related to our business functions, including
establishing the HCFA Integrated General Ledger Accounting System, to
readily support a ``clean opinion'' on our Chief Financial Officer
audit; and we have refocused on the security responsibility that comes
with using ever-improving information technology.
INFORMATION SECURITY
In 1997, HCFA's first Chief Information Officer, Dr. Gary
Christoph, was hired, and he began an effort to identify security
deficiencies in our internal systems. Under Dr. Christoph, we began
testing for security problems so we could better realize what problems
exist, where they are located, and how we can prevent them. Under this
guiding principle, we became one of the first non-military Federal
agencies to initiate third-party penetration testing of systems. We
used an ``ethical hacker'' to test for vulnerabilities at our Agency
and at some of our claims processing contractors before someone
actually seeking to do harm could discover them. It is imperative to
uncover these vulnerabilities, and in many cases we agreed with and
implemented the contractors' recommendations. In other cases, we
analyzed the findings, considered the recommendations, and developed
solutions that more appropriately fit our business needs while still
addressing the underlying vulnerability. In all cases, we recognize the
seriousness of any vulnerability and know we must carefully balance
security with our other business responsibilities. We do not share
confidential beneficiary information for marketing or other commercial
purposes. We also have been conservative in moving to new e-business
technology, to ensure that adequate protections are in place before we
use this type of technology. Moreover, from Fiscal Year 2000 to Fiscal
Year 2001, our spending on major information technology security
projects increased from $5 million to $11.7 million.
In 1998 we began work on an Enterprise-wide Systems Security
Initiative that follows guidance from the National Institute of
Standards and Technology and the Office of Management Budget Circular
A-130, which established policy for the management of Federal
information resources. The central tenet of our initiative is to
understand and mitigate the risks to our information in the most cost-
effective manner. As you know, this effort slowed when we had to
dedicate the vast majority of our information technology staff time and
resources to Year 2000 remediation efforts. We resumed focusing on the
Security Initiative in 2000, implementing it along two parallel tracks:
one track focuses on security inside the Agency, and one examines our
external business partners, beginning with the Medicare contractors.
The Security Initiative's implementation at the Medicare
contractors began in earnest earlier this year when we published
baseline security requirements for the contractors and followed up with
an assessment tool to compare how their security measures to our core
requirements. The results of those assessments will serve as a valuable
work plan for our security efforts in the future.
Our internal HCFA efforts have been ongoing for a longer period of
time and we have made substantial progress. We continually assess our
internal risks and vulnerabilities and take remedial actions to address
them as aggressively as possible within our available resources. For
example, we have developed improved procedures and tools for managing
access to our data. These efforts help ensure that only staff who have
a proper and legitimate professional need have access to sensitive
information and that the staff use these data appropriately within our
strict guidelines. We look carefully at whether an employee's job
entails a ``need to know'' confidential information. Even our senior
staff, including the Chief Information Officer and I, cannot browse
this information because we do not have a ``need to know.''
Additionally, we are publicizing our intensified data security efforts
to the entire Agency and contractor staff, informing them of their
responsibilities, and reminding them that bad habits, such as sharing
systems passwords, could lead to unintended consequences. And beginning
this summer, all HCFA staff will complete annual training on computer
security. We believe that this strong effort to protect sensitive
material will itself deter individuals from even attempting to violate
our systems.
Throughout our implementation of the Security Initiative, we have
pursued self-testing of our security controls. Periodic recurrent
testing can detect new vulnerabilities that have surfaced because of
new technology, and reaffirm that old vulnerabilities have not been
reopened. We also continue to use third party contractors to conduct
``white hat'' penetration tests of various portions of our computer
network. When we began these tests over 3 years ago, we focused on
looking into the Agency from external networks such as the Internet.
Recently, we conducted more refined testing by looking internally at
our network from the perspective of an authorized HCFA user. This is
important because published industry-wide statistics indicate that
authorized users or employees are suspected as the largest source of
security breaches.
Along with our own self-assessments and contractor testing, audits
performed by the IG have aided us in identifying security
vulnerabilities in our information systems. For example, the IG found
that Agency and contractor employees could have had unauthorized access
to confidential information, because passwords were not being
administered properly or computer programmers could have had
inappropriate access to some files. They also found instances where
people could have had inappropriate access to the areas where computers
were stored. In each of these instances, we have worked hard to address
the vulnerabilities, and we have made significant progress. For
example, we have recertified all of the individuals with password
access to our systems, purging hundreds of individual passwords from
our systems. Additionally, we have secured areas that before permitted
inappropriate access to our computer hardware.
Some of these vulnerabilities were easy to address, while others
are longer-term projects that require more intensive attention. And we
remain open to suggestions of additional ways to improve our security.
Information technology continues to evolve, and we will always have to
strive to keep our health data secure.
CONCLUSION
We have been working hard to protect confidential health data. Our
goal is to build upon a multi-layered series of security defenses,
utilizing firewalls, scanning software, intrusion detection,
administrative controls, access controls, good authorization
procedures, and recurrent security training and education for staff,
among other things. Taken together, these layers of protection
establish a solid security posture for our Agency. We face major
challenges in continuing to implement and improve our computer security
program. Over the next fiscal year, we expect to put our security
policy statements into action and develop specific standards, including
establishing minimum floors for protecting all of our sensitive data.
We want to continue to work with you and our other partners to make
sure that we protect this information and fulfill all of our
responsibilities as effectively and efficiently as possible. Thank you
for your support and assistance, and the opportunity to discuss these
important issues with you today. I am happy to answer your questions.
Mr. Greenwood. Thank you for your testimony, and thank you
for the constructive way that you have approached this
relationship.
Mr. Vengrin.
TESTIMONY OF JOSEPH E. VENGRIN
Mr. Vengrin. We share the committee's concerns regarding
the security of Government information systems, and we
appreciate the opportunity to testify on the vulnerabilities
within the Medicare claims processing system.
As you mentioned, Mr. Chairman, as part of our annual audit
of the Health Care Financing Administration financial
statements, we contract with independent public accounting
firms to test the adequacy of internal controls over Medicare's
information system. The purpose of these tests is to determine
the nature, timing and extent of audit procedures to be
performed during this financial statement review.
Strong internal controls over Medicare systems are
essential to ensure the integrity, confidentiality, and
reliability of critical data and to reduce the risk of errors,
fraud, and illegal acts. However, in the last 5 years we have
noted continuing material internal control weaknesses in
Medicare systems, particularly those operated by the Medicare
contractors.
Material weaknesses are defined as serious deficiencies in
internal controls that can lead to material misstatements of
amounts reported in HCFA's financial statements. Also, such
weaknesses could allow unauthorized access to and disclosure of
sensitive information, malicious changes that could interrupt
data processing or destroy data files, improper Medicare
payments, or disruption of critical operations.
My statement today will summarize the significant problems
noted in the fiscal year 2000 financial statement audit. I will
not go into some of the background on the Medicare system--you
have mentioned that in your opening remarks. We know it is very
complicated and complex.
As we previously reported, the internal control environment
for the Medicare claims processing operation needs substantial
improvement. Our fiscal year 2000 audit identified numerous
weaknesses in general controls, which affect the integrity of
all applications operating within a single data processing
facility and are critical to ensuring the reliability,
confidentiality, and availability of data. Auditors identified
124 general control weaknesses--115 at the sampled Medicare
contractors and the remainder at the HCFA Central Office.
Mr. Chairman, over 60 percent of these weaknesses involved
two types of general controls: access and entity-wide security.
Access controls ensure that system assets are physically
safeguarded and that access to sensitive computer programs and
data is granted only when authorized. Weaknesses in such
controls can compromise the integrity of sensitive information
and increase the risk that data may be inappropriately used or
disclosed.
Access control weaknesses represent the largest problem
area. The most widespread weaknesses concerned poorly
controlled passwords, ineffective implementation of system
security software, and infrequent reviews of access privileges.
We also reported that controls did not effectively prevent
access to sensitive data. For instance, computer programmers
and other technical support staff had inappropriate access to
data files used in the fee-for-service claims process, such as
beneficiary history files.
As part of their assessment of access controls, auditors
performed low-level internal and external penetration testing
at eight contractor sites. This testing revealed additional
access control risks. Systems permitted excessive remote access
logon attempts. Systems disclosed more information about
themselves than necessary. Inadequate password protections
permitted unauthorized access to certain computer systems, and
insufficient controls over print output queues permitted
unauthorized read access to sensitive data. Such weaknesses
increase the risk of unauthorized remote access to sensitive
Medicare information.
Entity-wide security programs ensure that security threats
are identified, risks are assessed, control techniques are
developed, and management oversight is applied to ensure
overall effectiveness of the security measures. These programs
typically include policies on how and when sensitive duties
should be separated to avoid conflicts of interests and
stipulate what types of background checks are needed during the
hiring process. Inadequacies in the programs can result in
inadequate access controls and software change controls
affecting mission-critical operations.
We reported that several contractor sites lacked fully
documented, comprehensive entity-wide security plans, had
inadequate risk assessments and lacked comprehensive security
awareness programs. At the HCFA Central Office, we found no
security assessment of or security plans for significant
application systems, insufficient security oversight of
Medicare contractors, and no formal process to remove system
access of terminated HCFA employees.
With respect to the shared systems, since fiscal year 1997,
we have reported that Medicare data centers have inappropriate
access to the source code of one of the shared claims
processing systems. This unresolved weakness, Mr. Chairman, was
expanded this year to include the Common Working File, which is
shared by all Medicare claims processors. Access to source code
renders the Medicare claims processing system vulnerable to
abuse, such as implementation of unauthorized programs. While
HCFA requires contractors to restrict local changes to
emergency situations, local changes are often not subjected to
the same controls that exist in the standard change control
process.
To briefly conclude, we remain concerned that inadequate
internal controls over Medicare operations leave the program
vulnerable to loss of funds, unauthorized access to and
disclosure of sensitive medical information, and malicious
changes that could interrupt the data processing or destroy
data files. All of the weaknesses that I have described today
are troubling. However, we do not know whether the resulting
vulnerabilities have been exploited in terms of compromised
medical information, fictitious claims, or diversion of
taxpayers' dollars.
On a positive note, to conclude, I would like to report
that HCFA Central Office has continued to make substantial
progress in implementing enhanced control procedures,
specifically in the area of access controls and application
change development controls.
I will now entertain any questions. Thank you.
[The prepared statement of Joseph E. Vengrin follows:]
Prepared Statement of Joseph E. Vengrin, Assistant Inspector General
for Audit Operations and Financial Statement Activities, Department of
Health and Human Services
Good morning, Mr. Chairman. I am Joseph E. Vengrin, Assistant
Inspector General for Audit Operations and Financial Statement
Activities of the Department of Health and Human Services. With me
today is Ed Meyers, Director, Information Systems Audits and Advanced
Techniques. We share the Committee's concerns regarding the security of
Government information systems, and we appreciate the opportunity to
testify on the vulnerability of Medicare claim processing systems.
In conducting annual audits of the Health Care Financing
Administration (HCFA) financial statements, which are required by the
Government Management Reform Act of 1994, we contract with independent
public accounting (IPA) firms to express an opinion on the financial
statements and report on internal control deficiencies. As part of the
body of work underpinning these audits, the IPA firms perform various
internal control tests of the Medicare program, including its automated
systems. The purpose of these tests is to determine the nature, timing,
and extent of audit procedures to be performed during each year's
audit.
Strong internal controls over Medicare systems are essential to
ensure the integrity, confidentiality, and reliability of critical data
and to reduce the risk of errors, fraud, and other illegal acts.
However, since fiscal year (FY) 1996, when we first began the financial
statement audits, we have noted continuing material internal control
weaknesses in the systems, particularly those operated by contractors.
Material weaknesses are defined as serious deficiencies in internal
controls that can lead to material misstatements of amounts reported in
subsequent financial statements unless corrective actions are taken.
Also, such weaknesses could allow (1) unauthorized access to and
disclosure of sensitive information, (2) malicious changes that could
interrupt data processing or destroy data files, (3) improper Medicare
payments, or (4) disruption of critical operations. My statement today
will summarize the significant problems noted in the FY 2000 financial
statement audit.
MEDICARE AUTOMATED SYSTEMS
By way of background, the Medicare program provides health
insurance for 39.5 million elderly and disabled Americans at a cost of
about $215 billion in FY 2000. The program is administered by HCFA, the
largest component of the Department of Health and Human Services.
Medicare services are provided through either fee-for-service
arrangements or managed care plans.
HCFA relies on extensive computerized operations at both its
central office and contractor sites to administer the Medicare program
and to process and account for Medicare expenditures. The HCFA central
office systems maintain administrative data, such as Medicare
enrollment, eligibility, and paid claims data, and process all payments
to health care providers for managed care. The fee-for-service claim
processing system, the Department's most complex and decentralized
system, is operated with the help of more than 50 contractors located
throughout the country. There are two types of contractors:
Intermediaries process claims from institutions, such as hospitals and
skilled nursing facilities, filed under Part A of the Medicare program,
while carriers process Part B claims from other health care providers,
such as physicians and medical equipment suppliers. These contractors
and their data centers use several ``shared'' systems to process and
pay provider claims. Currently, each intermediary uses one of two
shared systems, and each carrier uses one of four shared systems. All
of the shared systems interface with HCFA's Common Working File system
to obtain authorization to pay claims and to coordinate Medicare Part A
and Part B benefits. This fee-for-service network processed over 890
million claims totaling $173.6 billion during FY 2000.
Generally, Medicare claim processing begins when a health care
provider submits a claim to a contractor. The claim is entered into a
shared system which captures, edits, and prices the claim. Once the
claim has passed all shared system edits and has been priced, it is
submitted to the Common Working File for validation, verification of
beneficiary eligibility, and payment authorization.
SYSTEMS CONTROL WEAKNESSES
As we have previously reported, the underlying internal control
environment for Medicare claim processing operations needs substantial
improvement. Our FY 2000 audit identified numerous weaknesses in
general controls, which involve access controls, entity-wide security
programs, application development and program change controls,
segregation of duties, operating system software, and service
continuity. General controls affect the integrity of all applications
operating within a single data processing facility and are critical to
ensuring the reliability, confidentiality, and availability of data.
Of 124 general control weaknesses identified, 115 were found at the
sampled Medicare contractor sites and 9 were found at the HCFA central
office. About 80 percent of these weaknesses involved three types of
controls: access controls, entity-wide security programs, and systems
software.
Access Controls
Access controls ensure that critical systems assets are physically
safeguarded, that logical (e.g., electronic) access to sensitive
computer programs and data is granted only when authorized and
appropriate, and that only authorized staff and computer processes
access sensitive data in an appropriate manner. Weaknesses in such
controls can compromise the integrity of program data and increase the
risk that data may be inappropriately used and/or disclosed.
Access control weaknesses represented the largest problem area. The
most widespread weaknesses concerned administration of the controls
themselves. At several contractors, passwords were not properly
administered, systems security software was not implemented
effectively, or access privileges were not reviewed frequently enough
to ensure their continuing validity. We also reported that controls did
not effectively prevent access to sensitive data. For instance,
computer programmers and other technical support staff had
inappropriate access to the data files used in the fee-for-service
claim process, such as beneficiary history files. Under these
conditions, the Common Working File system was vulnerable to
inappropriate use.
At some contractors, programmers had inappropriate access to system
logs; this provided an opportunity to conceal improper actions and
obviated the logs' effectiveness as ``detect'' controls. At one
contractor, the computer operator could override installation system
security precautions when restarting the mainframe computer system. We
also noted weaknesses in controls over access to sensitive facilities
and media within those facilities. For example, at one contractor,
inappropriate individuals had access to the computer center's command
post. At another, the computer production control area was not secured
during normal business hours.
Penetration Tests. As part of their assessment of access controls,
IPA firms performed low-level internal and external penetration testing
at eight Medicare contractor sites. The purpose of this testing was to
identify real and postulated security risks to, and vulnerabilities of,
the information systems. A variety of common penetration testing
procedures revealed additional access control risks at certain
contractor sites. When dial-up connections were made, computer systems
permitted an excessive number of failed remote access log-in attempts
before disconnection and disclosed more information about themselves
than necessary. In addition, inadequate password protections permitted
unauthorized access to certain computer systems, and insufficient
controls over print output queues permitted unauthorized ``read''
access to sensitive data. Such weaknesses increase the risk of
unauthorized remote access to sensitive Medicare systems and data.
Entity-Wide Security Programs
Entity-wide security programs ensure that security threats are
identified, risks are assessed, control techniques are developed, and
management oversight is applied to ensure the overall effectiveness of
security measures. These programs typically include policies on how and
which sensitive duties should be separated to avoid conflicts of
interest and stipulate what types of background checks are needed
during the hiring process. Entity-wide security programs afford
management the opportunity to provide appropriate direction and
oversight of the design, development, and operation of critical systems
controls. Inadequacies in these programs can result in inadequate
access controls and software change controls affecting mission-critical
operations.
We reported that several contractor sites lacked fully documented,
comprehensive entity-wide security plans that addressed all aspects of
an adequate security program. Inadequate risk assessments, a lack of
comprehensive security awareness programs, and inadequate policies were
among the weaknesses noted at the contractors. At the HCFA central
office, we found no security assessment of, or security plans for,
significant application systems; insufficient security oversight of the
Medicare contractors; no formal process to remove system access of
terminated HCFA employees and contractors; and deficiencies in the
management review and approval process.
Systems Software Controls
Systems software controls help to prevent unauthorized individuals
from using software to read, modify, or delete critical information and
programs. Systems software is a set of programs designed to operate and
control the processing activities of computer equipment. Generally, it
supports a variety of applications that may run on the same computer
hardware. Some systems software can change data and programs on files
without leaving an audit trail.
Weaknesses in systems software controls related to managing routine
changes to the software to ensure their appropriate implementation and
configuring operating system controls to ensure their effectiveness.
Such problems could weaken critical controls over access to sensitive
Medicare data files and operating system programs.
Shared System Weaknesses
Since FY 1997, we have reported that the Medicare data centers have
inappropriate access to the source code of the Fiscal Intermediary
Shared System, which is used by certain Medicare contractors. This
unresolved weakness was expanded this year to include the Common
Working File system, which all shared systems use to obtain
authorization to pay claims. Access to source code renders the Medicare
claim processing system vulnerable to abuse, such as the implementation
of unauthorized programs and the implementation of local changes to
shared system programs. While HCFA requires contractors to restrict
local changes to emergency situations, local changes are often not
subjected to the same controls that exist in the standard change
control process.
CONCLUSIONS
In summary, we remain concerned that inadequate internal controls
over Medicare operations leave the program vulnerable to loss of funds,
unauthorized access to and disclosure of sensitive medical information,
malicious changes that could interrupt data processing or destroy data
files, improper payments, or disruption of critical operations.
Further, because of weaknesses in the contractors' entity-wide security
structures, HCFA has no assurance that information systems controls are
adequate and operating effectively. While all of these weaknesses are
troubling, we do not know whether the resulting vulnerabilities have
been exploited in terms of compromised medical information, fictitious
Medicare claims, diversion of taxpayer dollars, or some other type of
fraud or abuse by an ``insider'' or a hacker.
What most concerns us are the continuing problems identified in
access and entity-wide security controls. HCFA must ensure that
Medicare contractors develop corrective action plans that not only
address identified weaknesses but also attempt to determine the
fundamental causes of the weaknesses. Among the efforts planned and
underway by HCFA is an improved corrective action process. We expect
that HCFA's testimony will fully address that process, as well as other
short- and long-term actions to shore up information systems controls.
We urge HCFA to sustain its focus on these critical internal controls.
Furthermore, HCFA and the Medicare contractors should routinely conduct
penetration testing to ensure the integrity of their information
technology environment.
We in the Office of Inspector General will continue to work with
HCFA to overcome the persistent risks to the security of the Medicare
program. For example, as required by the Government Information
Security Reform Act (GISRA) of 2000, we have begun an independent
evaluation of HCFA's security program. Our evaluation will incorporate
the results of several efforts: the internal control testing conducted
during our annual financial statement audits, our ongoing work to
ensure compliance with Presidential Decision Directive 63, our
additional work focused on access and entity-wide security controls at
selected Medicare contractors, information systems reviews (known as
Statement on Audit Standards 70 examinations) conducted by IPA firms
under contract with HCFA, and other security assessments performed by
consultants for HCFA.
I will be happy to discuss the extent of our GISRA work, as well as
any other matters, in response to your questions.
Mr. Greenwood. Thank you. Mr. Neuman, thank you for being
with us this morning.
TESTIMONY OF MICHAEL NEUMAN
Mr. Neuman. Sure. Essentially, we are ethical hackers, and
our job is to ensure that the implementation of a network, of
an application of a server matches the policy set forth by the
organization and that it matches best industry practices.
Over the course of 1997 to early 2000, we conducted about
six penetration tests, both internal and external, meaning as
an average employee of HCFA and as an average hacker on the
Internet externally. We have also reviewed their architecture.
We have reviewed the desktop PCs that they put on everybody's
desk. We have dialed all their phone numbers looking for
modems. For findings, the bottom line is this: Over the course
of that work, we found several serious vulnerabilities that
could easily have allowed anybody unrestricted access to the
data owned by HCFA.
In our experience with them, these vulnerabilities were
quickly fixed, sometimes in a matter of hours. Management also
really made security a fairly high priority. Then they wanted
to do real security. What we see a lot is people are perfectly
happy to deal with security issues by writing more policies
dealing with it. That is not the answer. What we do is make
sure that the implementation matches that policy. HCFA has made
a real effort to ensure that their implementation does match
their policy.
What we found is this: Absolutely the biggest cause of
vulnerabilities at HCFA is not directly from the fault of HCFA
employees but through their facilities management contractors,
the people who are responsible for running their networks, for
installing new machines, for managing their network
connectivity. By far this was the biggest source of
vulnerabilities that we found. In our experience, we have seen
the contractors actually undermine the security efforts of the
HCFA staff. They removed security protections without HCFA's
knowledge. They misrepresented the security precautions they
were taking. They made serious, serious configuration errors
that were inconsistent with even the most basic industry
security standards.
Unfortunately, HCFA does not have the technical expertise
overseeing these contractors--and, again, these are the
facilities management contractors I am speaking of. They could
not detect that these contractors were making these mistakes.
They did not have the ability to ask the proper questions to
determine if they were doing the right thing. On top of that,
HCFA also was lacking the contractual power to make the
contractors do what they wanted them to. There was nothing in
the contracts which said that they had to perform to a certain
level of security or that they need to take certain
precautions.
Last finding, when we left them, there were a variety of
known risks to third parties, in particular we are talking
about Medicare contractors. There are a variety of insurance
companies, doctors, which are connected both through the MDCN
and through direct connectivity into HCFA's network. There are
a variety of risks there, which I have detailed in my written
testimony.
In the end, we recommend this: HCFA needs to focus on
technical security not just policy. Really every organization
needs a person who is in charge of implementing the security
policy, not just telling people how to do passwords but making
sure that the passwords are correct, making sure that systems
are configured properly, and so forth. They need better control
and technical oversight of their contractors. Again, I am not
talking about Medicare contractors, although that probably is
an issue; in my experience, the facilities contractors.
They need more testing of everything. When they install
remedial fixes, you need to test those fixes after you are done
installing them. You need to test everything from applications
to servers to networks, and it needs to be done regularly.
Threats and vulnerabilities change all the time. And decisions
to ignore those vulnerabilities really need to be taken with a
full awareness of what the actual risks are when they take that
risk.
In the end, if they had the technical expertise and the
oversight of their contractors, virtually every vulnerability
that we found would have been prevented. And we think that is a
significant step they need to take.
[The prepared statement of Michael Neuman follows:]
Prepared Statement of Michael Neuman, En Garde Systems, Inc.
0. SUMMARY
Penetration testing is a critical tool in ensuring the security of
everything from an individual software application to an entire
network. Unfortunately, security is far too complex to provide any
sense of absolutes. Add to that the fact that dozens (if not hundreds)
of new vulnerabilities are discovered every week, and the need to
continuously test the security of a system is obvious.
We have provided services, similar to those we provided HCFA, to
hundreds of companies, and are intricately aware of the ``industry
standard'' state of security. During our tenure providing security
services to HCFA, we found both extremely positive and disturbing
issues. Major recommendations include:
Technical Oversight: HCFA is lacking the specially trained
personnel to oversee their and their contractors' activities and verify
the work for security consistent with policy and best practices..
Third-Party Verification: It should be unacceptable for service
providers to certify themselves as secure. Any vendor of network
services to HCFA should readily accept 3rd party verification of
security and have regular testing a part of their contract performance
requirements.
Security Specified in Contracts: The security expectations and
requirements should explicitly be laid out in contracts with network
service providers.
More Testing is Required: It's necessary to independently verify
the security features of everything from applications to WWW servers to
networks and to do so on a recurring basis.
1. BACKGROUND
En Garde Systems (EGS) provided a variety of security services to
the Health Care Financing Administration (HCFA) between December 1997
and June 2000. During that time, EGS performed a number of penetration
tests and assisted HCFA in devising network security protections.
Specifically, EGS has performed:
External Penetration Tests (4). As an average outsider
connected to the Internet, we attempted to gain access to
internal HCFA resources.
Internal Penetration Tests (2). Given a connection to HCFA's
internal network, we attempted to gain access to internal HCFA
resources.
Wardialing. Given a prototype phone number (for example 786-
xxxx), we dial every phone number looking for computer modems.
When a computer answers, we attempt to gain access.
Architecture Review and Design. Given a complete map of
network resources, we spent extensive time understanding the
various applications HCFA provides and the security needs of
each. We then formulated network architecture changes that
would build security into the fabric of the network.
Test of Internet services hosted by IBM Global Services. At
the time we tested, HCFA outsourced its internal and external
web servers to IBM.
NT Desktop Review. For Y2K, HCFA moved to a Windows NT desktop
system. We were provided with a prototypical NT desktop prior
to deployment to find security vulnerabilities.
HCFA Insider test. We were given a standard user's desktop
computer and asked to gain access to HCFA internal resources.
In this case, we were not allowed to bring in our own software,
floppies, or PC--only what we could retrieve using HCFA's
network.
Intrusion Detection System Review. HCFA ran a ``bake-off'' of
several competing Intrusion Detection Systems and asked us to
perform a variety of tests to determine their efficacy.
Security Training. We provided classes over a several day
period covering everything from good password choice to
Intrusion Investigation and Response.
2. APPROACH
Penetration testing is a critical tool in ensuring the security of
everything from an individual software application to an entire
network. Unfortunately, security is far too complex to provide any
sense of absolutes. Turning on one network service may result in dozens
being turned in non-obvious ways. Connecting a trusted partner to your
network often means you not only trust him, but everyone he trusts as
well. Add to that the fact that dozens (if not hundreds) of new
vulnerabilities are discovered every week, and the need to continuously
test the security of a system is obvious.
Our approach to testing is almost exclusively ``manual''. We rarely
use automated tools, as our experience has shown they are generally
only effective in an extremely small number of cases. Instead, we learn
about the network and create new attacks on the fly. In doing so, we
are doing exactly what a hacker does.
Proposing solutions to vulnerabilities is perhaps the most complex
part of our work. Before we recommend any solution, we need to
determine the:
1) Value of the organization's data. If the data is simply pricing and
personnel information, it is far less valuable to a hacker than
Privacy Act data, for example.
2) Threat to the organization. A government agency will attract far
more interest from the malevolent than a small computer
company, for example.
3) Path of least resistance. It makes no sense to spend a great deal of
effort protecting a network connection to a partner if the
``front door'' is wide open. These relative threats are
determined before any solution is recommended.
4) Cost in man-hours and equipment expenditures. We often make several
recommendations based upon the amount of money the customer
wishes to spend.
3. FINDINGS
We have provided services, similar to those we provided HCFA, to
hundreds of companies, and are intricately aware of the ``industry
standard'' state of security. During our tenure providing security
services to HCFA, we found both extremely positive and disturbing
issues.
3.1 Positive
3.1.1. There is a healthy approach to security from HCFA
management. Whereas many other organizations believe that all security
problems can be solved by writing a policy, HCFA has taken significant
steps to not only inscribe the virtues of security, but to ensure they
practice what they preach.
3.1.2. When we first arrived at HCFA, we found them to be operating
with significant and obvious vulnerabilities. These problems were fixed
within hours of our reports. Over the course of the years, HCFA has
become significantly more secure than the industry standard.
3.1.3. Beyond simply patching vulnerabilities that were found, HCFA
has made significant efforts to find the systemic causes of their
vulnerabilities and fix them wherever possible.
3.2 Negative
3.2.1. Contractors
By far, HCFA's biggest security problems have been the direct
result of the action or inaction of contractors. In general, we have
found HCFA's contractors to be outright obstructive to providing sound
security. Compounding these errors was HCFA's inability to catch or
prevent them.
a. HCFA lacked the technical oversight of their contractors to verify
the contractor was actually implementing the security measures
they claimed. The managerial oversight had no ability to ask
relevant questions.
b. HCFA's contracts had no mention of security expectations of a
contractor. As a result, the contractors were free to implement
(or not implement) any measures they felt as appropriate,
regardless of HCFA's requests.
c. We discovered during our first test that a HCFA contractor ignored
change control, bypassed the firewall policy group, and
installed his own filter rules directly onto HCFA's primary
firewall without anyone's knowledge. These filter rules made
the entire HCFA network vulnerable to a variety of serious
attacks. After bringing the firewall problem to HCFA's
attention, the contractor was directed to remove the rule and
instructed about the use of change control. One year later, we
tested and found the contractor installed the same rule again
without HCFA's knowledge.
d. On several occasions, we witnessed HCFA contractors argue against
improving security stating that changes HCFA asked for were
``difficult'' or ``impossible'' when, in fact, they were not.
e. During our architecture review, we discovered that the HCFA
contractors responsible for network operations could not
provide a complete list of all network connections external to
HCFA. In fact, we spoke to over a dozen groups, and each would
make us aware of another undocumented connection from HCFA to
another organization.
f. Contractors have made extremely poor password and configuration
decisions, violating the most basic security principals and
completely invalidating other security measures put into place.
3.2.2. IBM
HCFA relied on IBM to provide secure network connectivity (via a
product called ``SecureNet'') to MDCN partners as well as for both
external and internal WWW servers. We were contracted to evaluate the
architecture and determine potential risks.
During a meeting with HCFA management (up to CIO level), IBM's
security staff and management responsible for the HCFA contract, and
ourselves, we were told by IBM that we didn't need to test because they
had taken every imaginable security precaution. They described how:
Administrators can only connect from a physically secure
administrative network
WWW administration is done through an encrypted management
connection
Patches are installed immediately after a vulnerability is
announced
They would be happy to share their firewall's access control
lists with us
They perform penetration testing every week
They have a custom designed IDS along with 24/7 response
The firewalls only allow WWW access through
Upon extensive questioning from ourselves and HCFA's CIO, it we
learned from IBM that:
Administrators can also dial-in from home into a generic
``SecureNet'' modem bank, that all other customers use, and
administer machines.
WWW administration can be encrypted, but they haven't enabled
that feature, and probably won't because it's difficult to do
so.
Patches are only installed when an administrator gets around
to it, which is usually in a ``week or two''.
They would not share their access control lists because, ``If
EGS found a vulnerability in HCFA, they would find a
vulnerability in all IBM customers.''
Because HCFA relies so much on the security of IBM to provide
everything from secure connectivity for the MDCN to managed web
hosting, we proposed performing three distinct tests:
1) External test against the web servers hosted by IBM
2) Tests from a HCFA partner connected to the MDCN directed at HCFA and
other partners on the MDCN.
3) Tests from a non-MDCN customer of IBM directed towards HCFA.
It took IBM and HCFA a year of negotiation to come to terms to
allow just the external test against the web servers. We were given
several severe restrictions that made the results of the test
unrealistic. Specifically:
1) We were not allowed to test the firewalls or any other
infrastructure on the IBM network. They did provide us with an
extremely limited subset of filter rules that IBM said were
installed on their firewalls.
2) We were not allowed to touch any IBM system other than HCFA's web
server. This included administrative systems, other customer
servers, or any infrastructure.
3) We were not allowed to route traffic through any other IBM network.
These restrictions meant that we could only test the controls in
place on the web server. We could not check for configuration errors in
access control lists, vulnerabilities in firewalls or routers, or
transitive trust issues (i.e. if we can break into the IBM
administrative network, or another customer's web server, what can we
do then?).
In the end, the restrictions ended up being irrelevant. Using an
extremely old, very well known vulnerability in the WWW server
software, we were able to gain access to HCFA's web server without any
more technical expertise than it takes to point and click. Because of
the way HCFA's web server was configured, and an error made in the
firewall rules set up by IBM, we were then able to access HCFA's
internal network resources. IBM's other claims were then shown either
false or useless:
If they performed a penetration test every week, they would
have discovered this blatant vulnerability
They provided us with the IDS logs collected during the course
of our attack, and we had gone completely unnoticed, despite us
making no effort to hide our tracks.
The firewalls allowed not only WWW access through but also
another protocol that allowed us unfettered access to HCFA's
internal network.
3.2.3. Third Party trust
HCFA has a need to connect with a variety of insurance companies,
doctors, and so forth. Network connections were provided both through
the MDCN and by direct connectivity to other companies. These
connections were configured such that there was no protection of either
HCFA from the company or the companies from each other. Essentially,
HCFA was trusting these companies completely. As a result, HCFA is
subject to whatever security policies and protections are in place by
the trusted company. So, if HCFA trusts company A and company A trusts
company B, then HCFA trusts company B. Without any control over or
auditing of the partner's network, HCFA should not trust that it's
secure.
In addition to threatening HCFA, there is a potential for these
competing insurance companies to use HCFA as a means to attack one
another. HCFA provides the unsecured communications mechanism, and a
company simply uses that to get into another's network.
4. RECOMMENDATIONS
4.1. Technical Oversight
HCFA is lacking the specially trained personnel to oversee their
and their contractors' activities and verify the work for security
consistent with policy and best practices. This position should be
solely technical--it should not have any policy development duties
associated with it. The position should be independent of any
contractors and should be associated with the security policy group.
Essentially, the role is to be the ``security implementer'' of the
organization.
The goal is to have an independent and informed person who can
ensure that the security of the organization is not simply some high-
level goals or a policy on paper. In HCFA's case, such a person would
have prevented the vast majority of vulnerabilities introduced by
either HCFA or HCFA's contractors. Beyond our experience with HCFA,
such a position is direly needed in most organizations.
4.2. Third-Party Verification
It should be unacceptable for service providers to certify
themselves as secure. Recently, it's become popular for service
providers to get an outside certification of their networks or services
and provide that as evidence of their security. In our experience,
these too are insufficient, as the certifiers do not reveal their
methodology or extent of their certification.
Any vendor of network services to HCFA should readily accept 3rd
party verification of security and have regular testing a part of their
contract performance requirements.
4.3. Security Specified in Contracts
The security expectations and requirements should explicitly be
laid out in contracts with network service providers. Without such
clauses, HCFA was essentially powerless to require the use of broadly
accepted industry security standards.
4.4. More Testing is Required
Security is such a complex field, with new vulnerabilities being
discovered daily, that it's impossible for the average Information
Technology professional to keep up. As a result, it's necessary to
independently verify the security features of everything from
applications to WWW servers to networks and to do so on a recurring
basis. In HCFA's case, thoroughly testing the security of the MDCN is
critical to its continued operation and information integrity. As it
stands, there's no way to know if it's really secure or not. Whenever a
new application or service is provided to the public, a new network
connection is established, or a new modem installed, these need to be
tested for proper operation.
5. CONCLUSION
We believe HCFA has done more to identify and remedy security
problems than is common. Despite this, they have experienced a
substantial set of serious vulnerabilities over the course of our
provision of security services to them. Their reliance upon contractors
to operate makes them particularly susceptible to the types of
vulnerabilities we have described within this document.
There is always more work to do, however. Security is not a one-
time fix--it's something that must be integrated into the business of
an organization. It must be continually reinforced, reanalyzed, and
redesigned as circumstances dictate. New services, applications, and
networks need to be tested before deployment.
Mr. Greenwood. Thank you very much.
Okay. Questions. And, Ms. Adair, I am sure you understand
that HCFA is not being isolated and singled out. This committee
is working its way, fairly methodically, through all the
agencies and departments over which we have jurisdiction, and
today just happens to be your day.
I would like to direct your attention, Ms. Adair, to a
document that is in your binder. Do you have one of these
binders available to you? It is document number 1, which is the
current contract HCFA has for the operation of the Medicare
Data Communications Network, the MDCN. If you look at the
second page of this document, toward the bottom, there is a
section on, ``security requirements.'' It says, ``MDCN security
shall be provided/slash maintained/assured by the contractor in
order to prevent unauthorized physical, electronic or virtual
access to telecommunications facilities, to MDCN hardware or
software components and to telecommunications services.'' It
then goes on for two more sentences about how encryption is not
required and that the MDCN contractor must report suspicious
activity on the system to HCFA.
Now, this document, in reality, is over 100 pages long, but
this is only reference to security requirements in the entire
document, my staff informs me--these three sentences. Are we to
assume from this that HCFA does not provide its MDCN contractor
with specific security requirements with respect to access
controls, firewall rules, et cetera, and that instead simply
simply says, ``Give us a `secure,' system''?
This contract also talks about how the contractor will
assure the security of its system from unauthorized attacks,
but it doesn't contain any requirements that the contractor
actually test the security of its system. How can security be,
``assured'' without actual testing? How does HCFA plan to
revise its contracts to address this issue in the future? And I
am heartened to see you and your staff taking notes so far this
morning, so I assume that you intend to take such steps.
Ms. Adair. Yes. And I think, though, that I would ask that
John Van Walker, who is the Senior Advisor for Technology, to
respond to that specific question.
Mr. Greenwood. Mr. Van Walker.
Mr. Van Walker. Yes, Mr. Chairman. It is certainly true
that this is the sole statement in the contract that touches on
security. It is written in 1966--or, actually, the contract was
entered into in 1966, at a time when security was not such an--
--
Mr. Greenwood. Nineteen ninety-six.
Mr. Van Walker. Nineteen ninety-six, sorry, sir.
Mr. Greenwood. If it was 1966, I would be praising you for
your foresight.
Mr. Van Walker. Indeed, and we would have been
appreciative. But in 1996, we viewed the network on a far more
closed basis, and we actually had interaction with essentially
the Medicare contract community. As the network has expanded,
as HCFA's responsibilities have enlarged, and the requirements
for more and more data from more and more partners have
increased, obviously the network has expanded. This paragraph
would be completely inadequate in a contract written today. In
any future contracts, we certainly would be far more elaborate,
sir.
What we have done to deal with this situation is institute
and even intensify, as incidents such as those reported by Mr.
Neuman have come to our attention, our direct interaction with
the contractor. We now meet with the contractor every week.
That meeting involves not only face-to-face contacts but the
IBM and AT&T security specialists dial in to that conversation
from the locations around the country so that we can stay on
top of these issues and work through them on a united basis.
Mr. Greenwood. How long have you been doing that, sir?
Mr. Van Walker. We instituted those meetings, sir, roughly
18 months ago at that level of intensity. There were always
weekly meetings for MDC and management, but we have certainly
increased the level of interaction of the number of
participants, especially on the security side, in the past 18
months.
Mr. Greenwood. When does the current contract expire?
Mr. Van Walker. This contract expires for--and I should
point out that the web hosting contract is actually, because of
the interaction between AT&T and IBM, a subcontract within the
MDCN contract itself. So they expire simultaneously in December
of this year.
Mr. Greenwood. Okay. And are you in the process or where do
you stand in terms of drafting the new contract?
Mr. Van Walker. We are using a GSA contractor to assist us
in identifying requirements for the new vehicle. We are having
discussions with GSA, with the Department of Interior, with
other agencies about vehicles they already have in place. And
in whatever contract we issue, the explicit types of security
requirements that you and the other witnesses have outlined
would be included in that.
Mr. Greenwood. How about testing?
Mr. Van Walker. Testing, obviously, is one of those
requirements, and the types of ongoing, sustained testing
programs clearly is something that we agree is a necessary base
requirement.
Mr. Greenwood. We have found that consistently, as we have
been involved in this process for some time.
Let me address a question, if I could, to Mr. Vengrin. I
would like you to refer, if you would, to document number 3 in
the binder. Do you have that before you? This is the
Department's accountability report for fiscal year 1997. On
page 23, it says--I will let you turn to page 23--it says,
``data security remains a major concern at the HCFA Central
Office. Our prior year review demonstrated weaknesses in EDP,
which stands for electronic data processing controls, through a
system penetration test in which we obtained access privileges
to read or modify sensitive Medicare enrollment, beneficiary,
provider, and payment information. Although HCFA immediately
corrected the prior year vulnerabilities, our current year
tests resulted in penetrating the mainframe data base. We
obtained the capability to modify managed care production
files.''
You tell me about this test that penetrated the mainframe,
and is it true that you were able to actually alter Medicare
payment amounts without HCFA's knowledge?
Mr. Vengrin. Yes, Mr. Chairman. I remember that event very
well. With the permission of HCFA, we entered the system with a
very low-level password, and one of their employees was sitting
at the terminal. By entering this system and accessing it with
a low level password, an individual from one of our contractors
was able to go in and identify basically common passwords that
were left on when the system was first put on, like ``Hot
Site''; that password was not removed, and it was a high-level
password. And with that, we were able to upgrade the low level
and enter the managed care file. And HCFA wanted a
demonstration that we explicitly could alter a payment, so we
identified a beneficiary payment. We actually altered it, put
``zero, zero'' in there, and that concluded the test. So we
effectively penetrated the system.
Mr. Greenwood. And the purpose of that exercise, I presume,
is to demonstrate that an unethical hacker could in fact steal
money from HCFA by altering the amounts due on bills to
virtually any number he choose.
Mr. Vengrin. That is correct, sir. Passwords such as those
should be removed. I believe immediately after that test they
did remove that password.
Mr. Greenwood. Sort of like breaking into Fort Knox.
What was HCFA's response to this test?
Mr. Vengrin. Mr. Chairman, they did immediately remove that
specific vulnerability, and also they advised us that they
would have to go back and check and cross check to make sure
that the alteration of the payment amount didn't actually get
out to the beneficiary. It did take several days to reconstruct
it and validate their data base, so they did kind of complain
that it was a disruption to the operation.
Mr. Greenwood. Well, isn't it true that not only did they
complain but they refused to permit subsequent testing that
would be that in-depth ever again?
Mr. Vengrin. I believe it would be correct to say that we
specifically have not reperformed that level of testing. In
talking this level of testing over with Dr. Christoph, I think
he would prefer to do a higher level of penetration----
Mr. Greenwood. Could you identify him, for the record?
Mr. Vengrin. Dr. Christoph, I am sorry, is the CIO at
Health Care Financing Administration. And he would prefer to do
that level of testing with individuals that he would choose,
which we don't have a problem with.
Mr. Greenwood. Do you have any indication that in fact he
has done that?
Mr. Vengrin. Again, he did contract with En Garde to do
some of the higher level penetration testing.
Mr. Greenwood. Okay. In 1997--let us see--do you think that
the CFO audit tests that you have been conducting since 1997
have been sufficient when it comes to penetration tests? And if
not, what would you propose?
Mr. Vengrin. No, sir. As we have told many of the committee
members, since fiscal year 1998, or actually from 1997, our
objective was to do more of the higher level intrusion testing
procedures. But as we proceeded in fiscal year 1998, it was
pretty unanimous that the Medicare contractors refused to allow
us to do the high-level procedures. They wanted specific
indemnification. Should our contractors do this process, the
higher level scans, and disrupt operation, the medical
contractors specifically wanted to be indemnified for any loss.
For many of these contractors, Medicare is a small part of
their business function--in some cases it could be 40 percent--
so if it resulted in a disruption of operation, they wanted to
be paid for it. And, unfortunately, we have not been able to
successfully resolve that issue. There are legal ramifications,
which HCFA can address.
Mr. Greenwood. Well, how valid is that concern? Should they
be concerned that there is some real exposure there at these
tests that require that kind of indemnification?
Mr. Vengrin. Mr. Chairman, I have consulted with experts in
the field, and as some of our colleagues here have testified,
depending on bad configuration, yes, it could shut the
operation down. As you do this intense scan, some of the
configuration could identify this as a vulnerability, and
basically the walls would come down and shut off operations. So
no one can guarantee us, sir, that that is not a potential, and
hence we would be very dubious about doing further work.
Mr. Greenwood. Let me ask Mr. Neuman a question in that
regard. This is what you do for a living. Is the state-of-the-
art such that you can't do these kind of in-depth penetrations
without in fact risking clobbering the system like that?
Mr. Neuman. We have done tests for over 100 customers, and
we do very in-depth testing. In one case, we brought down a
system that we did not intend to. It was back up in a couple of
minutes. But there is the possibility of stopping access for at
least a short period of time. The possibility of corrupting
things such they are unrecoverable is probably very low, but
denying service for a few minutes is a reasonable risk.
Mr. Greenwood. Okay. Back to you, Mr. Vengrin. This
document that I refer to also states, ``Moreover, our system
penetration tests revealed additional control problems, which
could be exploited by unauthorized individuals to compromise
one or more of HCFA's computer systems.'' Can you explain what
these additional control problems were?
Mr. Vengrin. Mr. Meyers?
Mr. Greenwood. Or Mr. Meyers. And, Mr. Meyers, if you--yes,
thank you.
Mr. Meyers. Yes. The work that we do as a part of the CFO
audit splits down between the general control and the
application control reviews, as well as the intrusion
protection review. The bulk of the focus thus far has been on
intrusion protection, but when you get into the area of general
controls, entity-wide security, which is the big issue, as well
as access control, we found numerous repeat conditions present
since 1997. Some of those areas involve the security program
that is being developed at either HCFA Central Office and/or
its contractors.
Those programs could be viewed as an umbrella operation to,
one, bring the proper level of management oversight into the
whole security environment. It would deal with the
accreditation of systems as mandated by various legislation or
guidance, like OMB A-130 or the FIP Publications, a very
critical function in ensuring that you have an effective
security environment to deal with this process. We have also
noted findings in the area of system software, findings in
service continuity, and findings in the application control
area, which were alluded to earlier, in the area of change
development and application controls.
Mr. Greenwood. Thank you. Question to Mr. Neuman. I would
like you to refer in your binder, if you would, to document
number 6.
Mr. Neuman. All right.
Mr. Greenwood. That is your document, I believe, written by
En Garde to HCFA, dated November 16, 1998, in which En Garde
states, ``Given the trust vested in the secured network run by
IBM at the time, provisions for independent third party
penetration testing should be negotiated with IGS and added to
the contract. Recommend at least annual testing of all servers
hosted by IGS and the blank firewall maintained by IGS for
HCFA.''
Now, if you would skip a sentence, and then it reads, ``In
addition, recommend testing to verify that HCFA cannot be
reached from the Internet through the secured network or from
another customer site on the secured network.'' These sound
like very sensible recommendations. What was HCFA's reaction to
this memo, and did they permit you to conduct all of these
recommended tests?
Mr. Neuman. Their reaction was that they were good ideas.
We were permitted to perform the test of their web server. We
were not permitted to test from other secured network partners
and other secured network customers which were not partners
with HCFA. So we tested one out of the three of our
recommendations.
Mr. Greenwood. Ms. Adair, a subsequent document dated July
6, 1999, it is document number 7 in your binder. Do you have
that there? It is a work order for a statement of work that
includes the three En Garde recommended tests. HCFA's Internet
vulnerability, MDCN partner vulnerability, and non-MDCN/IBM
customer vulnerability. We know that En Garde was permitted to
do the first test under very limited conditions. That is what
Mr. Neuman just spoke of. But why hasn't HCFA followed through
on these other two tests in the 2\1/2\ years since they were
made? Do you not think it is important to conduct such tests of
the alleged secure network?
Ms. Adair. I believe, sir, that the answer to the question
is, as you pointed out, that we did the first one, we
negotiated that, and we have, to date, not been able to
negotiate the capability to do the additional tests that are
listed here.
Mr. Greenwood. Negotiate with whom?
Ms. Adair. The MDCN contractor.
Mr. Greenwood. Can you elaborate on that? I mean what has
prevented in 2\1/2\ years--they work for you, right?
Ms. Adair. Yes.
Mr. Greenwood. What do you pay for that contract?
Mr. Van Walker. The current billings under the MDCN
contract, Mr. Chairman, I believe, are in the area of $18
million for all services combined.
Mr. Greenwood. Annual figure?
Mr. Van Walker. That is this year's figure. It would be in
the neighborhood of $15 million to $20 million in every year,
sir.
Mr. Greenwood. Okay. So we are paying these guys that
amount of money, and in 2\1/2\ years you have not been able to
negotiate with them to have these other tests performed.
Mr. Van Walker. Right.
Mr. Greenwood. Which were recommended by your own
independent contractor.
Mr. Van Walker. Essentially, the position taken by the
vendor in this case is that indeed they were surprised that we
were even able to negotiate such an arrangement on a one-time
basis with the web hosting vendor, that it is not standard
industry practice to allow this, that the danger we would bring
to their ability to manage their entire network and the
operations of their other customers is so severe that it is
simply inappropriate for them to do so.
We continue to have discussions about how we can get around
this and even have gone so far as to talk to them, if we can't
do it using our own third part resources, what are the
possibilities of using their internal white hat ethical hacking
teams to do it in a situation in which HCFA would largely
define the terms of that and would have access to additional
information. That seems at least to be a possibility, and we
are continuing to explore that, sir.
Mr. Greenwood. Mr. Neuman, I would be interested in your
response to that. From what we have just heard, one would
conclude that you recommended two tests that their vendor says
are highly unusual and not state-of-the-art and not willing to
engage in. So one would tend to think that either you are
making unrealistic recommendations or the vendor has
unrealistic expectations.
Mr. Neuman. Well, the first test that we did, I believe,
took over a year to negotiate with them. So I am not terribly
surprised that they are making it difficult. What we are
proposing is very simple. What we are proposing is simply to go
from an MDCN partner, see what you can do to HCFA, from a non-
MDCN partner, see what you can do to HCFA. That is it. Touching
the infrastructure in the middle is--you are not really hurting
the contractor in any way.
Mr. Greenwood. And I would assume that you have not been
able to negotiate this pursuant to existing contract. What
about the future? What does the future hold in terms of
contractual language that would enable you to do this?
Mr. Van Walker. Certainly we would attempt to get this
clause that there are some limitations here. While web hosting
is pretty much a commodity practice and we could, without too
much disruption to our operations, replace that vendor with
another one who might be more willing to allow this kind of
testing at the network level--and the HCFA network is somewhat
unique. It is not based on current Internet technologies. It
uses a combination of Internet technologies and older SNA
technologies to do very specific things that are largely
concentrated in the financial and insurance industries.
Replacing the vendor would be a difficult multi-year
process for us, so our efforts are focused on attempting to
work out an accommodation with the vendor that would allow us
to do these tests or have these tests performed by them, using
guidance, strictures, requirements for which we would get
assistance perhaps from the Inspector General's Office, perhaps
from firms like Mr. Neuman's to attempt to work out a situation
in which we would have further assurances, as you have pointed
out, that what they say they are doing is indeed what they are
doing. And we have routine, ongoing security briefings from
them about the various types of technologies that are being
deployed and about ongoing enhancements to the network. But the
ability to compel them is not within our power at this time.
Mr. Greenwood. But you can tell them in your discussions
that you are under intense pressure from the Oversight
Investigations Subcommittee now.
Mr. Van Walker. I believe reading the testimony on your web
site will more than accomplish that, Mr. Chairman.
Mr. Greenwood. Thank you. Turn to Mr. Neuman again. In a
memo that you wrote to HCFA on October 14, 1990, which is
document number 10 in your binder, you alerted HCFA to the
serious configuration problem with the IBM web servers. You
identified this problem as a major vulnerability, because,
``Anyone on the Internet can access internal HCFA systems.'' In
particular, you focused on an architectural problem that the
external HCFA web servers are, ``dual-homed.'' Your testimony
talks about the ease with which that attack was accomplished
remotely and the lack of sophistication that was required.
In the memorandum you sent, document number 10, you state,
``The web server had absolutely no protection from remote
modification.'' In the full report you issued to HCFA about the
successful attack, which is document number 11, you stated
that, ``The compromise of the external server allowed us, from
the Internet, to send and receive arbitrary data with internal
HCFA systems.'' What does that mean in lay terms, and can you
explain what you could have done with this level of access to
the web server if you had been intent on malicious activity?
Mr. Neuman. In layman terms, it means exactly that. From
the Internet, we were able to access any system inside HCFA's
network. No fire walls prevented us, no filters, nothing
blocked us from connecting to any service, any server on the
HCFA network. We weren't tasked to go any further than simply
gaining access, so we weren't told to go and try to modify
patient data or anything like that.
Mr. Greenwood. Okay. At the time of you work, in a report
issued on October 27, 1999, which is document number 11, you
recommended that HCFA discontinue dual homing of its web server
to prevent someone from being able to do what you did--attack
the web server to get access to internal networks and computer
systems. Can you explain what it means for a web server to be,
``dual-homed,'' and explain why that poses such a vulnerability
for HCFA?
Mr. Neuman. Sure. This particular web server was connected
both to the Internet and it had a separate distinct connection
to the secured net. And through the secured net, it was
connected into HCFA's internal network. So dual homing means it
not only is connected to one network but two. And in fact in
this particular machine, it was actually triple-homed. It was
connected to the Internet, to the secured net, and to an IBM
administrative network, which sat off somewhere else. We
specifically were not allowed to test the IBM administrative
network. We were not allowed the test the firewalls, any of the
infrastructure, anything else there, just the web server
itself, and from the web server find out what we can do to HCFA
from there.
So there are more serious implications for this multi-
homing. Eliminating the dual-home into the MDCN is good, but
remember it is also still connected into the IBM administrative
network. So if I can get into the administrative network, where
can I go from there? There is lots of transitive trust issues
which are interesting. A trusts B, B trusts C, therefore A
trusts C. It is the same thing. So there are a lot of potential
problems that exist, even with removing that back channel,
because HCFA still has a connection to the MDCN. It is lots
better than it was before. If you are going to attack HCFA, the
most obvious target is to go to their web server. That avenue
has been directly eliminated. But there are some indirect
attacks which remain.
Mr. Greenwood. Yesterday, HCFA notified the committee that
after 2 years it has finally decided to eliminate the backend
web server connection that you exploited. Does this solve all
the problems--I think you referred to this, but let me ask you
formally, for the record--does this solve all the problems
associated with remote penetration of HCFA's internal systems
and its Medicare Data Communications Network?
Mr. Neuman. Not at all. It helps a lot, as I said. It does
not completely solve the problem, because IBM is doing things
that they don't tell us about. And we know for sure that they
have multi-home systems that still exist. In addition, this is
the way that they have been providing web servers for a long
time. So not only is HCFA's web server dual-homed into the
secured network and the Internet but all the web servers are.
So, again, if you can break into one of them, what does that
mean to HCFA? There are some serious implications there.
Mr. Greenwood. Okay. Ms. Adair or Mr. Van Walker, either
one of you, 2\1/2\ years ago you have got the recommendation
about the dual homing. Nothing happens to respond to this in
terms of the disconnection until a couple of days ago. One
might have reason to think that the fact that you called
yesterday to tell us that you made that disconnection might
have something to do with this hearing. What happened in the
intervening 2\1/2\ years? What caused you to decide a few days
ago to disconnect? And what is the--is that a permanent change?
Ms. Adair. Excuse me. Immediately after the report that we
got from En Garde, we did some corrective actions that we
believe would assist us. There were some firewalls
misconfigured that we had immediately corrected. It is true
that----
Mr. Greenwood. Did you follow up and test those changes
after you--test the system after you did this?
Ms. Adair. No, we did not. We did not. But in conversations
that we had with some of your staff last week and when we went
back and conversed amongst ourselves, we decided that, in
taking another look at it--something we should always be doing
in taking a look at security is looking and relooking--that it
was indeed a risk that we no longer wanted to take. And so we,
in fact, what is commonly referred to, I guess, is air-gapped
ourselves from that. And we thought it was a prudent thing to
be doing.
Mr. Greenwood. Does it create any problems for you?
Ms. Adair. It causes us, in order to update--I mean it is a
web server to which we put public information out. It does
cause a little bit more cumbersome process for us to be doing
the uploading, but we have decided now that that is a burden
that we are willing to take. I would, again, mention that
subsequent to getting--immediately subsequent to getting--the
report, changes were made in our updating relationship,
changing the router, putting the communication in one way. But,
again, in conversation last week with your staff, as we
relooked at it, we decided to take an additional step in air-
gapping.
Mr. Greenwood. We will keep these staff on board for a
little while.
Mr. Neuman, back to document number 11. You recommended
that HCFA, ``Consider adding a substantial firewall between its
secured network and the HCFA internal network.'' Why was this
recommendation so important, and how would it have helped HCFA
with its security problems?
Mr. Neuman. Well, the problem is that right now--well, at
the time that I last tested, that this test was done, there is
absolute trust of the secured network by HCFA. There is no
protection there at all. There was no protection there at all.
So putting all of your trust into a contractor that won't
divulge its methods, that has had known vulnerabilities that we
couldn't fully test seemed a prudent thing to do.
Mr. Greenwood. My understanding is that some of the
contractors, the fiscal intermediaries, have in fact taken this
recommendation and employed it. Is that your understanding?
Mr. Neuman. I have no knowledge.
Mr. Greenwood. Okay. Let me go back to you, Ms. Adair, if I
could. I understand that HCFA chose not to implement either of
En Garde's recommendations: discontinued dual homing of the web
server between the Internet and HCFA's secured network, and
also it chose not to add the recommended substantial firewall
between the secured network and the internal network. As an
attachment to document number 16, HCFA provided the
subcommittee with an internal email in which a HCFA employee
states--do you have that in front of you, document 16, ``I had
discussions with our techs, and we decided not to install the
firewall to MDCN at this time. We know that this should be
done, and we will do so once a plan is developed and after Y2K
Day One.'' Y2K Day One was 18 months ago. Has HCFA added the
firewall specifically recommended by Mr. Neuman and apparently
agreed to by HCFA? And if not, why not?
Mr. Van Walker. Just one moment, please, Mr. Chairman.
Mr. Greenwood. Take your time.
Mr. Van Walker. I guess there are two points there, Mr.
Chairman. In as far as the dual homing goes, just to
recapitulate on that one, what HCFA did at the time, Mr. Neuman
had actually recommended that we do those exchanges using a
virtual private network, an encrypted Internet technology, a
fairly standard technique. What HCFA chose to do during that
period instead, prior to the air-gapping of this week that you
have already discussed, was to establish a situation in which
the HCFA connection into the web hosting forum at IBM was
essentially a one-way path. Protections were placed on that
circuit so that HCFA could move content up to IBM, but no one
from the IBM facility could use that same circuit to get back
down into HCFA and into its stated infrastructure. The step
that we took this week was to actually create a machine that is
not connected to anything else at HCFA at all to serve that
purpose. That is what air-gapping means in this case.
As far as the extended network, HCFA's step for that
protection is not to allow anyone who has access to MDCN to
access any facilities at the HCFA Data Center or its other
contractors. We use a technology or a process called access
control list to determine which of our partners can do which
things and use that then to filter, as you would, the traffic
coming into HCFA. So it is not accurate to state that anyone
who has access to the network can get to HCFA and get to the
underlying resources. And we use this technology, I believe, on
all of the HCFA routers. So, in a sense, the HCFA routers are
providing a functionality similar to what firewalls would
provide.
Mr. Greenwood. Well, let me ask Mr. Neuman if he would
comment about that. You heard Mr. Walker's response. He seems
to think that the routers are accomplishing what the firewall
would have accomplished. It is my understanding that, again,
that the--you said you didn't have information about this, but
it is my understanding that some of the blues have--they don't
have the trust of the network that you seem to have, and they
have erected these firewalls. Let me first ask Mr. Neuman if
you would respond to what you heard Mr. Walker say.
Mr. Neuman. I think it is possible to do filters correctly;
again, it needs to be tested.
Mr. Greenwood. And you have not tested yours.
Mr. Van Walker. We have not conducted the type of third
party penetration test, but we certainly have gone through the
rules and reviewed them----
Mr. Greenwood. And that is because you have not been able
to get that negotiated----
Mr. Van Walker. To conduct the type of test we talked
about, sir, yes.
Mr. Greenwood. Ms. Adair, as part of the materials provided
by your office to the subcommittee, HCFA provided document
number 19, which describes HCFA's new contractor security
initiative. This document, dated June 26, 2000, indicates that
as of that time, HCFA's contractor security requirements were
not current and had not been updated since 1992. Specifically
noting that this was, ``Before the days of email, Internet,
hackers, viruses.'' It also states that current HCFA
requirements, ``Do not reflect requirements from GAO and IRS
audit guides,'' and, ``Don't include all requirements for
HIPAA, which is the Health Insurance Portability Act,
Presidential Decision Directive 63, HCFA internal policies or
industry best practices.''
I understand that on January 26, 2001 HCFA implemented a
new security memorandum to program intermediaries, finally
updating the outdated requirements, document 21, which is--
document 21 describes what I just read. What is going on here
and why did it take HCFA almost 10 years to update its outdated
contractor security requirements?
Ms. Adair. I believe that during that time, since 1992,
sir, what we had been doing is not necessarily updating our
manual and putting in one place what all of our requirements
were. We had been putting them out in individual memorandums to
our contractors. We had been talking to them about them in
meetings. And we felt that in starting down the path of our
security initiative that it was important to bring them all up
to date in one place and be very clear about what our
expectations were to our contractors. That, in essence, putting
out the clear expectations was the first way that we could
start to really fulfill our oversight responsibilities. We
needed to be clear about what our expectations were and what we
were going to hold them responsible for.
Mr. Greenwood. In the reports provided to the subcommittee,
the only penetration tests of Medicare contractor security that
were provided were limited penetration tests conducted in 1998
of four specific Medicare contractors. This was a penetration
test performed for HCFA by an independent accounting firm of
only 4 of the over 55 Medicare contractors, and there does not
appear to have been any more recent testing done by HCFA of its
Medicare contractors. Why hasn't HCFA required more substantial
testing of its Medicare contractors?
Ms. Adair. The four tests that you are referring to were of
the Medicare contractors, we did do those and we used those as
an opportunity for us to shape what our security initiatives
should look like, that we needed some input as to what was the
state of what was out there. And we used that as input.
There is a period of time in there, sir, that HCFA, as many
other organizations, put a moratorium on much of our IT work as
we were doing the remediation efforts for Y2K. Coming out of
the Y2K effort, however, we have put, as I indicated in my last
answer, we have put out there a security initiative with what
our expectations are. And the contractors right now are in the
process of evaluating their own performance relative to our
requirements. We will be talking to them about how it is they
are going to get up to our standards, and we will be going back
and testing subsequent to them making their remediations.
It is also important to note that during that period of
time there were other avenues of oversight of our Medicare
contractors in these areas. The IG does in fact do testing for
the CFO audits. There are what we refer to as statement of
auditing standards, which are internal control processes that
happen at our contractor shops. These corrective actions come
in to us, we evaluate them for reasonableness, and then ask
them to follow up. In addition, the IG, after having done a
full-blown CFO audit, the next year goes out and does a follow-
up if there are findings. And we use the information of those
to oversee our contractors.
Mr. Greenwood. Thank you. The Chair notes the arrival of
the vice chair of the subcommittee, Mr. Whitfield. And if he is
ready, recognizes the gentleman for 5 minutes for questions.
Mr. Whitfield. Mr. Chairman, thank you very much, and I
apologize for being late to this important hearing. I was
actually in another hearing, and delighted I made it over here
before you all recessed or concluded your remarks.
Mr. Neuman, I was looking through this book last night, and
this document 18 in the binder, the En Garde Systems document
test report, which is dated June 7, 2000, was a test conducted
by your company of HCFA's internal systems and internal
penetration tests from the perspective of a HCFA employee that
should not have access to sensitive data bases. Now, your
report found quite serious problems in this desktop
environment, which I understand HCFA has acknowledged and is
moving to remedy. But the document on page 3 of that report
says, ``While it is clear that HCFA has put in place many of
the proper precautions, the practice of creating all accounts
with administrative permissions negates almost all the security
precautions taken on the internal network.'' And I was
wondering could you just elaborate or explain what that
statement actually means or refers to?
Mr. Neuman. Sure. The way that the desktop PCs were set up
there was no delineation between administrators who had
complete access to everything on every system on the entire
network and normal users. And, in fact, normal users had access
to everything on every machine on every network. Once you have
that level of access, it is trivial to gain access to anything
else on the network you want to. You capture that machine, you
watch and see them type passwords or log into machines or do
whatever. You have unlimited access to PCs at that point.
So we feel that that is a significant risk in the sense,
first of all, you really don't want average users to have
unlimited permission; second, their ability to destroy things,
even accidentally, is pretty high too, so there are both
management and security reasons why you probably don't want
this kind of setup.
Mr. Whitfield. But that is the current setup; is that
correct?
Mr. Neuman. Well, we last tested early 2000 so I don't
know.
Mr. Whitfield. Okay. This report also went on to say that
``Problems reside with the policy and access configuration
management and security administration. Several major findings
include poor choice of administrator passwords by contractors,
loosely configured network infrastructures, like printers and
token ring cards, administrative privileges given to every new
user.''
And then on the next page, it reads, ``That it was possible
to obtain the encrypted passwords for accounts on the machine.
We also downloaded, through the HCFA web proxy, that is a
password cracking tool, and using this tool we were able to
crack passwords on our machine. And then using those passwords
were able to obtain further encrypted passwords from virtually
every configured machine.'' I wondered can you describe just
how easy it was to guess or crack these passwords, including
those of the systems administrators who have unlimited access
to the system?
Mr. Neuman. It was a trivial event. We found probably 50 to
60 passwords that were the users' name. So, for example, your
user name is Whitfield, your password is Whitfield, that sort
of thing. The administrator password, if I told it to you, you
would laugh; it was that badly done.
Mr. Whitfield. Okay. Well, don't tell me then.
Of course you were not asked to fully penetrate the system,
but based on the level of access that you were able to obtain,
do you think you could have obtained sensitive--access
sensitive medical information of Medicare beneficiaries?
Mr. Neuman. Without a doubt. I had the ability to control
anybody's PC in the organization.
Mr. Whitfield. You did? Okay.
Now, Ms. Adair, to follow up on this, roughly 8 months
after receiving that June 2000 report, HCFA hired another
ethical hacker called Allied Technology to conduct essentially
the same set of tests on your desktops. And Allied found
virtually identical results, I have been told, and in fact
document 23 in this binder says that ``The security assessment
of the HCFA work station environment shows that an internal
user with normal access may uncover vulnerabilities during an
exploit attempt of the HCFA network that would allow further
exploit of the HCFA network enterprise and its connected
systems.''
And then it goes on to say that, ``In its attempts to
successively subvert several user and administrator passwords,
Allied Technology discovered blank easily cracked and poorly
managed passwords, both from user as well as administrator
accounts.'' And then further down, it says that ``Allied
Technology was able to use remote-shared connectors to install
a password-cracking tool downloaded from the Internet, which
was then used to crack passwords on other shared systems.''
So it would appear on these two sets of audit results that
HCFA made virtually no progress in addressing the deficiencies
identified in the prior year, including the basic actions such
as preventing the downloading by HCFA employees of hacker tools
on the Internet. Why not and why would HCFA spend the money to
do the same battery of tests without taking some corrective
actions?
Ms. Adair. Let me address, first, your question on the
passwords. Passwords are something that we are working very
hard on. It is trying to convince people to not use easy
passwords. It is a cultural change for individuals. We have a
lot of numbers or passwords that we have to remember, for your
ATM, for your whatever, and people have a tendency to want to
use something such as their children's name, their last name.
We are trying very hard to convince people that that is ripe
for problems. We work difficult--we work--in trying to work--I
am not saying this sentence well, I apologize. We are trying to
work with them to enforce that those kinds of bad habits have
unintended consequences for us.
In addition, we are exploring technology that we could use
that would allow us to go in and take a look at passwords and
notify people, ``You have passwords that are way too easy. Let
us move away from that.'' As well as something that would allow
us, through technology, to enforce the policy standards that we
have put out since that test result. We are making that kind of
progress since that time.
Let me think what your other question was, sir. The systems
administrator, as I understand it, is that we right now have
allowed privileges at the desktop that I think that many of us
would say should not be there. And the reason that we have done
that is that we think there is, at this point in time, for us,
an outweighing benefit, which is it allows us to push out anti-
virus updates that we get on a timely basis that we would
otherwise have to go out and touch each machine to do. And
therefore it would not allow us, as effectively, to counteract
such things as the Melissa or the ``I Love You'' virus that
were out there.
We don't believe it is the best place for us to be, but in
order for us to be there, we had to initiate from the first
report a rather long life cycle to move us to a place, and we
believe that we will be there in the November timeframe. As was
discussed earlier, that when we get some of these findings,
some of them are fixes that we can do within an hour. Other
fixes take us a longer period of time in our complex
environment to get us, and this was one of those fixes.
Mr. Whitfield. But do you feel comfortable in the progress
you are making at this point?
Ms. Adair. I believe we are making progress. I certainly
would like it to be faster progress.
Mr. Whitfield. So you don't feel comfortable with it.
Ms. Adair. I believe that we are doing what we can, yes.
Mr. Whitfield. Okay. Okay. Now, the Allied report also
found that the HCFA network was susceptible to certain denial
of service attacks, mostly due to HCFA's failure to stay up to
date with software patches issued by your vendors. In fact,
this report said that you are several service packs behind,
leaving a system with dozens, if not hundreds, of known
vulnerabilities. Now, why can't HCFA expedite the process of
updating its patches?
Ms. Adair. Before we apply a patch, sir, to our system, we
go through a rather rigorous testing scheme, and perhaps we, in
that process, are not as quick as we could be.
Mr. Whitfield. You go through a what now?
Ms. Adair. Rigorous testing regime to make sure that the
patch to the system we are putting in doesn't have an
unintended consequence to something else or how we have set up
our operation.
Mr. Whitfield. And that is pretty time consuming?
Ms. Adair. It can be, yes.
Mr. Whitfield. Mr. Chairman, I don't have any other
questions.
Mr. Greenwood. Thank you. I just have a couple more
questions. Let me address one to Mr. Vengrin. There is a
document that was provided to us by HCFA that is dated October
14 of 1999, and it is number 8 in your binder, if you would
turn to that. Got it? It references a penetration test
conducted by your office's contractor, Ernst & Young, of HCFA's
Central Office for fiscal year 1999.
The document states, ``HCFA provided a detailed documented
description of the testing to be performed and the list of IP
addresses to be targeted. This is a deviation from the approach
Ernst & Young has used for the other selected HCFA contractor
sites and does not allow Ernst & Young to fully explore
possible vulnerabilities and new exploits.''
Can you explain why it is that HCFA took this approach to
this test, how it differed from your tests of other HCFA
contractor sites, and what the implications of these changes
were for understanding the full extent of HCFA's central
vulnerabilities?
Mr. Vengrin. Yes, Mr. Chairman. And Ed can elaborate more
on this. I believe our contractor was attempting to do more
work, but HCFA was going to contract with others, such as En
Garde, to do this work. And, therefore, the scope of the CFO
work was to be curtailed and cut back. So a lot of the Central
Office work that we had planned under the auspices of the CFO
Act just has not been performed since fiscal year 1997.
Mr. Greenwood. Ms. Adair, do you concur with that? Or Mr.
Van Walker, either of you.
Ms. Adair. Pardon me, I am sorry?
Mr. Greenwood. Either one of you, do you concur with that
assessment?
Ms. Adair. As you know, we have engaged contractors to take
a look at ourselves, and I believe that we do want to work with
the IG to ensure that we are not duplicating but in fact
complementing our work efforts, that we would not want to--both
of us have precious resources, and we would want to ensure that
they went as far as they could.
Mr. Whitfield. Just one more question. Mr. Vengrin, in your
fiscal year 2000 audit report, which was document 22 in our
book here, you stated that on several occasions that internal
users of the Medicare system had inappropriate access to
sensitive beneficiary information. And I was wondering if you
might just be able to describe some of the examples from your
individual site reports?
Mr. Vengrin. Yes, sir. We noted cases in which programmers
had inappropriate access to system logs. This provided an
opportunity to conceal improper actions and obviated the log's
effectiveness as ``detect'' controls. There were a number of
cases where the programmer had inappropriate access to
beneficiary history files. There should be a segregation of
duties so that a programmer would not have access to this level
of production. That would give them an opportunity to go in
there and possibly effectuate a payment. We found numerous
instances of these types of problems.
Mr. Whitfield. Where they effectuated a payment?
Mr. Vengrin. No, sir; where there is an opportunity.
Mr. Whitfield. An opportunity.
Mr. Vengrin. Yes, sir.
Mr. Whitfield. Okay.
Mr. Vengrin. There is just the potential.
Mr. Whitfield. All right. Now, this same report also
discusses the external threat to the contractor systems. How
real do you think that the Internet-based threat is at the
contractor sites?
Mr. Vengrin. Sir, unfortunately, we have been doing a very
low level of testing. That said, vulnerabilities have been
detected through footprint analysis and some of the war
dialing. We have identified cases where manufacturers'
identification of passwords was left on. Second, very, very
simplistic passwords were identified. For example, ``manage''
or ``manager.'' We could actually do a penetration test had we
been permitted to go further. So we noted numerous instances
where passwords were a problem.
Mr. Whitfield. Okay.
Mr. Meyers. If I may add to that.
Mr. Whitfield. Yes, sir.
Mr. Meyers. Additionally, when you are trying to make a
determination on the risk, you sort of have to look at it as a
math formula. You have a vulnerability, and we know that
vulnerabilities exist in these systems. You then have to factor
in whatever potential impact there may be to that
vulnerability, and then offset it with the controls that are
present.
As HCFA goes through its current information security
reassessments and enhancements, that business impact, that
financial impact potential has to now be rolled into all the
identified vulnerabilities that we know are present. Once you
do that, then you come up with the appropriate countermeasure
or control, and your risk then becomes a management decision as
to ``Do I want to accept this level of risk; can I live with
it, or is it a situation where the controls have to be
augmented immediately?'' But the benefit and the cost cannot
adequately be addressed until you factor in the potential
impact of all the identified vulnerabilities.
Mr. Whitfield. Okay. Thank you. I appreciate that comment.
Mr. Greenwood. Thank you, Mr. Whitfield.
One final question for Ms. Adair, and then we will break
for lunch. We will adjourn the hearing. Tell us what HCFA's
computer security resources consist of. How many people do you
have focused specifically on computer security to monitor daily
network and web hosting transactions, to evaluation operational
procedures, to ensure staff and contractor compliance of
security requirements, and to recommend enhanced security
policies? How many people do you have doing this? Are we
looking at them?
Ms. Adair. No, sir. We fortunately have more than this. We
actually have--we have doubled the number of people like in the
last 3 years that are dedicated to computer security. I would
say that we have gone from somewhere in the 30 area, and we are
now essentially at 60 FTEs. And I point that out, because it is
not necessarily people per se, but sometimes they are in our--
for example, in our regional office, those that are going out
and doing the oversight of our Medicare contractors. They may
be doing some other additional activities. So I think that we
have made some great strides there.
Mr. Greenwood. Have you made a specific request for
additional funds from the $30 million that the Secretary has
testified before one of our subcommittees that he intends to
seek for computer security purposes?
Ms. Adair. As you point out, sir, that is in the budget
request this year, so we have not yet made any requests against
it. It has not yet been appropriated. I think that we would
certainly view that as additional security needs come up that
we would apply, I think would be the right words, for those
funds should it be appropriated.
Mr. Greenwood. Okay. We thank you. One suggestion I might
make is that you said that with regard to passwords that you
are encouraging your employees to change their passwords. You
might want to just tell them to do that.
Ms. Adair. And I probably did not say it. We have changed
the policy, and it is. If I may take a second of your time?
Mr. Greenwood. Please.
Ms. Adair. It was, I think, earlier this month at about the
time that I was talking to your staff that I was addressing a
security session that we had in our auditorium, and I took the
opportunity at that time to tell our staff not only that we
were having conversations with you and use that to in fact
enforce to our staff how important this was, but at the same
time to discuss the passwords. So hopefully the two of those
being mentioned together was of assistance to us.
Mr. Greenwood. Okay. Thank you.
Ms. Adair. Thank you.
Mr. Greenwood. When I came to Congress 8 years ago, I
remember that the Congressional Institute put on a conference
that they annually do, and all of the Members of Congress went
out to conference for a couple of days. And one of the things
that they had available to us was an opportunity to surf the
World Wide Web, and nobody knew what it was. And I think that
is telling all of this has happened very quickly. This
technology has emerged very quickly and changed the way we do
business. This whole hearing would have been completely
unintelligible to people just a very few years ago. So we know
that the technology changes very quickly, that the challenges
emerge very quickly.
As I said in the beginning, we are pleased with much of
what HCFA has done. I think this whole process leading up to
this hearing as well as today's dialog gives us--hopefully
gives HCFA some direction as to what our expectations are.
Hopefully the recommendations that I specifically made in my
opening statement--I will provide you written copies of that if
you would like--will be implemented, particularly in connection
with the new contracts that you are in the process of
negotiating. We look forward to working with you in the future
to follow up on these discussions. And thank you again for
being here.
I would ask unanimous consent to enter into the official
record all of the documents that we have referenced today.
Hearing no objections, it is so ordered.
Mr. Greenwood. Thank you again, and the hearing is
adjourned.
[Whereupon, at 12 p.m., the subcommittee was adjourned.]
[Additional material submitted for the record follows:]
[GRAPHIC] [TIFF OMITTED] T2833.072
[GRAPHIC] [TIFF OMITTED] T2833.001
[GRAPHIC] [TIFF OMITTED] T2833.002
[GRAPHIC] [TIFF OMITTED] T2833.003
[GRAPHIC] [TIFF OMITTED] T2833.004
[GRAPHIC] [TIFF OMITTED] T2833.005
[GRAPHIC] [TIFF OMITTED] T2833.006
[GRAPHIC] [TIFF OMITTED] T2833.007
[GRAPHIC] [TIFF OMITTED] T2833.008
[GRAPHIC] [TIFF OMITTED] T2833.009
[GRAPHIC] [TIFF OMITTED] T2833.010
[GRAPHIC] [TIFF OMITTED] T2833.011
[GRAPHIC] [TIFF OMITTED] T2833.012
[GRAPHIC] [TIFF OMITTED] T2833.013
[GRAPHIC] [TIFF OMITTED] T2833.014
[GRAPHIC] [TIFF OMITTED] T2833.015
[GRAPHIC] [TIFF OMITTED] T2833.016
[GRAPHIC] [TIFF OMITTED] T2833.017
[GRAPHIC] [TIFF OMITTED] T2833.018
[GRAPHIC] [TIFF OMITTED] T2833.019
[GRAPHIC] [TIFF OMITTED] T2833.020
[GRAPHIC] [TIFF OMITTED] T2833.021
[GRAPHIC] [TIFF OMITTED] T2833.022
[GRAPHIC] [TIFF OMITTED] T2833.023
[GRAPHIC] [TIFF OMITTED] T2833.024
[GRAPHIC] [TIFF OMITTED] T2833.025
[GRAPHIC] [TIFF OMITTED] T2833.026
[GRAPHIC] [TIFF OMITTED] T2833.027
[GRAPHIC] [TIFF OMITTED] T2833.028
[GRAPHIC] [TIFF OMITTED] T2833.029
[GRAPHIC] [TIFF OMITTED] T2833.030
[GRAPHIC] [TIFF OMITTED] T2833.031
[GRAPHIC] [TIFF OMITTED] T2833.032
[GRAPHIC] [TIFF OMITTED] T2833.033
[GRAPHIC] [TIFF OMITTED] T2833.034
[GRAPHIC] [TIFF OMITTED] T2833.035
[GRAPHIC] [TIFF OMITTED] T2833.036
[GRAPHIC] [TIFF OMITTED] T2833.037
[GRAPHIC] [TIFF OMITTED] T2833.038
[GRAPHIC] [TIFF OMITTED] T2833.039
[GRAPHIC] [TIFF OMITTED] T2833.040
[GRAPHIC] [TIFF OMITTED] T2833.041
[GRAPHIC] [TIFF OMITTED] T2833.042
[GRAPHIC] [TIFF OMITTED] T2833.043
[GRAPHIC] [TIFF OMITTED] T2833.044
[GRAPHIC] [TIFF OMITTED] T2833.045
[GRAPHIC] [TIFF OMITTED] T2833.046
[GRAPHIC] [TIFF OMITTED] T2833.047
[GRAPHIC] [TIFF OMITTED] T2833.048
[GRAPHIC] [TIFF OMITTED] T2833.049
[GRAPHIC] [TIFF OMITTED] T2833.050
[GRAPHIC] [TIFF OMITTED] T2833.051
[GRAPHIC] [TIFF OMITTED] T2833.052
[GRAPHIC] [TIFF OMITTED] T2833.053
[GRAPHIC] [TIFF OMITTED] T2833.054
[GRAPHIC] [TIFF OMITTED] T2833.055
[GRAPHIC] [TIFF OMITTED] T2833.056
[GRAPHIC] [TIFF OMITTED] T2833.057
[GRAPHIC] [TIFF OMITTED] T2833.058
[GRAPHIC] [TIFF OMITTED] T2833.059
[GRAPHIC] [TIFF OMITTED] T2833.060
[GRAPHIC] [TIFF OMITTED] T2833.061
[GRAPHIC] [TIFF OMITTED] T2833.062
[GRAPHIC] [TIFF OMITTED] T2833.063
[GRAPHIC] [TIFF OMITTED] T2833.064
[GRAPHIC] [TIFF OMITTED] T2833.065
[GRAPHIC] [TIFF OMITTED] T2833.066
[GRAPHIC] [TIFF OMITTED] T2833.067
[GRAPHIC] [TIFF OMITTED] T2833.068
[GRAPHIC] [TIFF OMITTED] T2833.069
[GRAPHIC] [TIFF OMITTED] T2833.070
[GRAPHIC] [TIFF OMITTED] T2833.071
�