[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
EXAMINING OBAMACARE'S FAILURES IN SECURITY, ACCOUNTABILITY, AND TRANSPARENCY
=======================================================================
HEARING
before the
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
SECOND SESSION
__________
SEPTEMBER 18, 2014
__________
Serial No. 113-156
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.fdsys.gov
http://www.house.gov/reform
______
U.S. GOVERNMENT PUBLISHING OFFICE
91-961 PDF WASHINGTON : 2015
-----------------------------------------------------------------------
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
DARRELL E. ISSA, California, Chairman
Majority Members:
JOHN L. MICA, Florida
MICHAEL R. TURNER, Ohio
JOHN J. DUNCAN, JR., Tennessee
PATRICK T. McHENRY, North Carolina
JIM JORDAN, Ohio
JASON CHAFFETZ, Utah
TIM WALBERG, Michigan
JAMES LANKFORD, Oklahoma
JUSTIN AMASH, Michigan
PAUL A. GOSAR, Arizona
PATRICK MEEHAN, Pennsylvania
SCOTT DesJARLAIS, Tennessee
TREY GOWDY, South Carolina
BLAKE FARENTHOLD, Texas
DOC HASTINGS, Washington
CYNTHIA M. LUMMIS, Wyoming
ROB WOODALL, Georgia
THOMAS MASSIE, Kentucky
DOUG COLLINS, Georgia
MARK MEADOWS, North Carolina
KERRY L. BENTIVOLIO, Michigan
RON DeSANTIS, Florida

Minority Members:
ELIJAH E. CUMMINGS, Maryland, Ranking Minority Member
CAROLYN B. MALONEY, New York
ELEANOR HOLMES NORTON, District of Columbia
JOHN F. TIERNEY, Massachusetts
WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts
JIM COOPER, Tennessee
GERALD E. CONNOLLY, Virginia
JACKIE SPEIER, California
MATTHEW A. CARTWRIGHT, Pennsylvania
TAMMY DUCKWORTH, Illinois
ROBIN L. KELLY, Illinois
DANNY K. DAVIS, Illinois
PETER WELCH, Vermont
TONY CARDENAS, California
STEVEN A. HORSFORD, Nevada
MICHELLE LUJAN GRISHAM, New Mexico
Vacancy
Lawrence J. Brady, Staff Director
John D. Cuaderes, Deputy Staff Director
Stephen Castor, General Counsel
Linda A. Good, Chief Clerk
David Rapallo, Minority Staff Director
CONTENTS
----------
Hearing held on September 18, 2014
WITNESSES
Mr. Gregory C. Wilshusen, Director, Information Security Issues, U.S. Government Accountability Office
Oral Statement
Written Statement
The Hon. Marilyn Tavenner, Administrator, Centers for Medicare and Medicaid Services, U.S. Department of Health and Human Services
Oral Statement
Written Statement
Ms. Ann Barron-DiCamillo, Director, U.S. Computer Emergency Readiness Team, U.S. Department of Homeland Security
Oral Statement
Written Statement
APPENDIX
Answers to questions for the record by Ms. Tavenner, submitted by Mr. Issa
Correspondence by the OGR Majority Staff and DHS, submitted by Mr. Issa
Data Breach Prosecutions and Investigations, submitted by Mr. Issa
Emails from Ms. Tavenner, submitted by Mr. Mica
GAO Report ``Healthcare.gov: Actions Needed to Address Weaknesses in Information Security and Privacy Controls''
Obamacare Articles
Majority Staff Report 9-18-14
EXAMINING OBAMACARE'S FAILURES IN SECURITY, ACCOUNTABILITY, AND TRANSPARENCY
----------
Thursday, September 18, 2014
House of Representatives,
Committee on Oversight and Government Reform,
Washington, DC.
The committee met, pursuant to notice, at 11:11 a.m., in
room 2154, Rayburn House Office Building, Hon. Darrell E. Issa
[chairman of the committee] presiding.
Present: Representatives Issa, Mica, Duncan, Jordan,
Chaffetz, Walberg, Lankford, Amash, Meehan, Farenthold,
Collins, Meadows, DeSantis, Cummings, Maloney, Clay, Lynch,
Connolly, Speier, Cartwright, Kelly, and Lujan Grisham.
Staff present: Ali Ahmad, Professional Staff Member;
Melissa Beaumont, Assistant Clerk; David Brewer, Senior
Counsel; Steve Castor, General Counsel; John Cuaderes, Deputy
Staff Director; Adam P. Fromm, Director of Member Services and
Committee Operations; Linda Good, Chief Clerk; Meinan Goto,
Professional Staff Member; Christopher Hixon, Chief Counsel for
Oversight; Mark D. Marin, Deputy Staff Director for Oversight;
Emily Martin, Counsel; Tamara Alexander, Minority Counsel;
Aryele Bradford, Minority Press Secretary; Jennifer Hoffman,
Minority Communications Director; Una Lee, Minority Counsel;
Juan McCullum, Minority Clerk; Dave Rapallo, Minority Staff
Director; and Cecelia Thomas, Minority Counsel.
Chairman Issa. The committee will come to order.
Without objection, the chair is authorized to declare a
recess of the committee at any time.
The Oversight Committee exists to secure two fundamental
principles: First, Americans have a right to know that the
money Washington takes from them is well-spent; and, second,
Americans deserve an efficient, effective government that works
for them. Our duty on the Oversight and Government Reform
Committee is to protect these rights.
Our solemn responsibility is to hold government--
government--accountable to taxpayers because taxpayers have a
right to know what they get from their government. It is our
job to work tirelessly, in partnership with citizen watchdogs,
to deliver the facts to the American people and bring genuine
reform to the Federal bureaucracy.
Over the past 4 years, the Oversight and Government Reform
Committee has conducted vigorous oversight of the
implementation of the Affordable Care Act, often called
``Obamacare,'' including the design and launch of
HealthCare.gov. Today the committee focuses on the
interconnected issues of security of the Website,
accountability within the administration, and, most of all,
transparency to the American people.
The Government Accountability Office released a report this
week on security of HealthCare.gov. The GAO found the
administration failed to take appropriate and sufficient steps
to protect HealthCare.gov and associated systems against
security and privacy risks. More importantly, the GAO report
strongly asserts that security testing is not complete and
security weaknesses continue to plague the Website.
One of the principal authors of the GAO report will testify
before us today.
The committee has released a report detailing several
breakdowns in both accountability within the administration and
transparency to the American people during the design and
implementation of HealthCare.gov. It is important to understand
that, with private-sector, high-profile losses of information
due to hackers, there are huge repercussions to those
companies, and the government often comes in and further
victimizes the companies who have, in fact, been victimized by
hackers. And yet, when the government fails to protect
involuntarily taken personally identifiable information, there
is nobody but people on this dais to try to hold government
accountable.
Documents obtained by this committee show factions
developed within the agency in charge of implementing
Obamacare, the Centers for Medicare and Medicaid Services, or
CMS. These factions fought over several issues, including over
Website security.
CMS often fought to keep information from their colleagues
within the larger Department of Health and Human Services. And,
additionally, the administration endeavored to keep the truth
and the true nature of the Website's problems out of the public
eye. Following the collapse of HealthCare.gov, administration
officials refused to admit to the public that the Website was
not on track to launch without significant functionality
problems and substantial security risks.
Last month, CMS denied the Associated Press access to
security documents requested under the Freedom of Information
Act. Even more recently, CMS refused to provide the Government
Accountability Office documents related to the 13 incidents
that we are going to hear about in vague detail here today.
I want to make something very clear. Refusal to cooperate
with the GAO, a nonpartisan, government-created entity, refusal
to allow access by the whistleblowers under Freedom of
Information Act, and refusal to cooperate with even the
inspectors general, something we saw here just a few days ago
with 47 inspectors general out of 73 complaining about the lack
of access even within the executive branch, this is not the
most transparent administration in history. And, certainly, the
transparency we see here today was only done under subpoena.
We will probably hear today that CMS has offered to brief
GAO on these 13 incidents. It is not acceptable after the
public scrutiny reveals that they exist and they have been
denied, on the eve of a hearing and only after an audit is
completed, to then say, ``We would be glad to brief you.'' That
is unacceptable and, quite frankly, one of the most
disingenuous things I have ever seen. There were 5 months
during the audit to comply with a reasonable request by the
Government Accountability Office, and it wasn't done.
Questions of security can no longer be easily dismissed by
the administration. In late July, HealthCare.gov suffered a
malicious attack from a hacker, and it took nearly 2 months for
CMS to identify the intrusion. CMS Administrator Marilyn
Tavenner, who is with us today, will testify, and we will
discuss that in addition to the GAO report.
I am sure we will hear that there was no loss of data, that
this was not the main site, and so on. That doesn't change the
fact that security risks exist whenever you fail to secure not
just the main site but backdoors. Too often, backdoors have
been what we have discovered.
In the case of another investigation of this committee, we
discovered that the backdoors were something as simple, in one
case, as a stolen laptop on which those who stole it later
added peer-to-peer software, which then made information on
that database available to the public, potentially. The
Federal Trade Commission opened an investigation, and a
plaintiff's trial lawyer sued and won money on behalf of people
whose information was never actually released. But, in fact,
both the government and plaintiff's bars thoroughly enjoyed
going after a nonprofit AIDS clinic. I cannot and will not
allow our government to put itself at a different standard of
accountability.
Last month, the Centers for Medicare and Medicaid Services
informed the committee that, once again, there were lost emails
in response to the committee's subpoena and documents related
to HealthCare.gov. This is not an uncommon pattern; this is a
pattern of predictability. This administration has not complied
with nor caused their key executives, including political
appointees, to comply with the Federal Records Act.
Administrator Tavenner admitted to deleting her own emails
during the time period of Obamacare implementation.
Madam, your actions hinder Congress' investigation and also
prevent the public from accessing information under the Freedom
of Information Act. It appears as though this administration
holds itself to a different level of compliance with historic
Federal documents than the last administration or any
administration since the passage.
We are also today joined by the Department of Homeland
Security's U.S. Computer Emergency Readiness Team, or CERT. The
committee has concerns about the team's transparency regarding
a hack reported earlier this month.
The administration has already spent a billion dollars on a
Website that is still not fully operational and fully not
secure. The same government officials responsible for the lack
of transparency and accountability a year ago remain in the
position of authority.
Questions of security, accountability, and transparency go
beyond whether or not you support the President's healthcare
law. Many of these issues are not limited to health care and
mirror the transparency and accountability concerns raised,
again, by 47 out of 73 inspectors general in an unprecedented
letter to this and other committees of Congress in August.
Minutes before HHS announced publicly on September 4th that
HealthCare.gov had experienced a malicious attack in July of
this year, an HHS official contacted my office to give them
limited details of the successful hack. During the brief call,
HHS gave my staff the name and phone number of a contact at the
Department of Homeland Security and suggested my staff contact
DHS for more information about the hack itself and the
government's response to the hack.
My staff reached out to HHS's suggested contact at DHS on
Monday of last week, followed up on Tuesday, and were told that
DHS was running--and in parentheses, the request--back with HHS
to see if we can all jointly get on the phone, seeing if
tomorrow will work. However, my staff followed up on Wednesday
and Friday and then on Monday and Tuesday, with no response
from DHS.
I would like to note that, despite a week of persistent
emails from my staff, DHS was unable to make time to brief our
committee even by phone. However, 2 days ago, the minority
staff notified me that they were asking for our witness today,
DHS, to appear as a witness at today's hearing. I accepted it
even though, clearly, this is a witness from an organization
that has refused to answer questions or cooperate with the
investigation.
When the minority staff reached out to ask if DHS would
appear as a witness, DHS was able to produce a witness
prepared, apparently in detail, to provide testimony before
this hearing today. However, DHS has still not arranged to
properly brief our staff or to answer questions that we will be
asking here today.
I would like to introduce into the record at this time the
correspondence between the staff and DHS as an example of what
appears to be a very different treatment from this
administration to a request from the majority staff versus a
request from the minority staff. And, without objection, it
will be placed in the record.
Chairman Issa. Let's cut to the chase. I have with me three
witnesses. Two, very clearly, are not part of transparency in
government.
I have no doubt that your organizations have worked
diligently with the minority to try to make this hearing good
for you. It is not our job to try to make this hearing bad for
you, but the American people deserve the truth, not a cozy
relationship between the people of your President's party, in
covering up the ongoing failure to secure a Website that cost
over a billion dollars.
And, with that, I am pleased to recognize the ranking
member for his opening Statement.
Mr. Cummings. Thank you very much, Mr. Chairman.
First of all, I want to apologize for running late. The
Speaker asked us to be at a joint session of Congress to hear
the President of the Ukraine, and many of us were there.
One of our most important jobs in Congress is to help
protect the interests of the American people. They demand that
government and private companies safeguard their personal
information, safeguard their Social Security numbers, their
credit cards, and their health information. Nobody wants to get
a call from a credit card company saying, your personal
information has been compromised. It could upend your entire
life, and it can cause serious financial problems for years.
I believe our committee has the potential to perform a very
valuable function in this area. With our extremely broad
jurisdiction over multiple Federal agencies and corporate
entities, we can help promote robust security standards across
the entire government and private sector. To date, however, we
have not fulfilled this potential.
Today's hearing is our 29th on the Affordable Care Act and
our sixth on HealthCare.gov. I completely agree that the ACA
Website must be secure. That is why I am so heartened that,
despite all of the challenges with the rollout last year,
nobody's personal information has been compromised to date as a
result of a malicious attack. Nobody's personal information has
been compromised to date as a result of a malicious attack.
Now, that could change, so we have to remain vigilant. After
all, this is our watch. But, so far, no attacks have been
successful in that regard.
There certainly have been attempts. Last week, the Centers
for Medicare and Medicaid Services reported that hackers
uploaded malware onto a server. But there are several key facts
to know about the attack. First, it was not directed at
HealthCare.gov alone but a much wider universe of targets.
Second, the server that was attacked was a test server that had
no personal information on it. Third, the most important,
nobody's personal information was compromised as a result.
That incident was investigated by the United States
Computer Emergency Readiness Team and the Department of
Homeland Security. The director of that team, in her written
testimony for today, reports, and I quote, ``There is no
indication that any data was compromised as a result of this
intrusion,'' end of quote.
Although our committee has spent a tremendous amount of
time focusing on the Affordable Care Act and its Website, where
no cyber attacks have compromised anyone's personal information
to date, we have been disregarding much more serious attacks
that have actually compromised a massive amount of personal
information of our constituents. We are talking about hundreds
of millions of people--hundreds of millions.
For example, on January 14th, more than 8 months ago, I
sent a letter requesting a bipartisan hearing with senior
officials from Target. As I wrote, ``Up to 110 million
Americans were subjected to one of the most massive information
technology breaches in history when their credit, debit, and
other personal information reportedly was compromised,'' end of
quote.
On September 9th, I sent a letter requesting a bipartisan
hearing on a major data security breach at Community Health
Systems, the Nation's largest for-profit hospital chain. I
explained that, quote, ``hackers broke into its computers and
stole data on 4.5 million patients,'' end of quote. As I noted,
this was, quote, ``the largest hacking-related health
information breach ever reported,'' end of quote.
On September 11th, I sent a letter requesting a bipartisan
hearing to examine the recent security breach at Home Depot,
where our constituents shop. I explained that Home Depot,
quote, ``has more stores in the United States and a higher
total annual sales volume than Target,'' end of quote. And,
quote, ``it appears to have experienced a data security breach
for a longer period of time than the data security breach that
occurred at Target,'' end of quote.
And just this Monday, I sent a letter requesting a
deposition with the CEO of USIS, the company that conducts more
background checks for the government than any other contractor
and which had its own breach this summer. And I wrote, and I
quote, ``Although press accounts have reported that the attack
may have compromised the personal information of up to 27,000
Federal employees, government cybersecurity experts now believe
this number is a floor, not a ceiling,'' end of quote. I am
talking about the people who work on Capitol Hill. I am talking
about the people who work for the Federal Government--up to
possibly 27,000.
In response, I received a letter back from the chairman
yesterday thanking me for my requests over the past year and
acknowledging, and I quote, ``These serious incidents merit
further review,'' end of quote.
Mr. Chairman, I thank you for that. I hope we can start on
this right away. After all, these are our constituents.
Let me close by highlighting that this is much broader than
HealthCare.gov--much broader. GAO, which is also represented
here today, warns that the number of cyber attacks is
increasing against targets across the Federal Government, and,
obviously, the same is true of the private sector. So oversight
is certainly called for, and I hope that our committee seizes
the opportunity and rises to the challenge.
With that, I yield back.
Chairman Issa. I thank the gentleman.
Chairman Issa. At this time, I would like to place in the
record examples of State attorney generals' prosecution and
relief on private-sector and even public-sector entities and
the history of their going after entities for financial damages
that allow breaches.
Without objection, so ordered.
Mr. Lynch. Mr. Chairman, can I get a copy of that?
Chairman Issa. We will make copies available to all of you.
It is all public information. And we did include both your
Massachusetts attorney general, Vermont's attorney general, and
Maryland's attorney general's actions on behalf of your
constituents.
Mr. Lynch. I appreciate that. Thank you.
Chairman Issa. Members may have 7 days in which to submit
opening Statements for the record.
Chairman Issa. We now welcome our witnesses today.
Mr. Gregory Wilshusen is the Director of Information
Security Issues at the Government Accountability Office and the
subject, obviously, of some frustration before he got here
today.
Ms. Marilyn Tavenner is the Administrator for the Centers
for Medicare and Medicaid Services at the Department of Health
and Human Services, thereafter called ``CMS'' today.
Ms. Ann Barron-DiCamillo is the Director of the U.S.
Computer Emergency Readiness Team at the Department of Homeland
Security, hereafter probably called ``CERT.''
Pursuant to the committee rules, all witnesses are to be
sworn. Would you please all rise, raise your right hands to
take the oath?
Do you solemnly swear or affirm that the testimony you are
about to give today will be the truth, the whole truth, and
nothing but the truth?
Please be seated.
Let the record reflect that all witnesses answered in the
affirmative.
In order to allow sufficient time for your panel and then
what I suspect will be a robust series of questions, I would
ask that you limit your opening Statement to 5 minutes,
although your entire Statements, including additional
information that you may want to make available, will be placed
in the record.
So, Mr. Wilshusen, please continue.
WITNESS STATEMENTS
STATEMENT OF GREGORY C. WILSHUSEN
Mr. Wilshusen. Thank you, Mr. Chairman.
Chairman Issa, Ranking Member Cummings, and members of the
committee, I am pleased to be here today as you examine the
implementation of the Patient Protection and Affordable Care
Act.
As you know, the act requires the establishment of a health
insurance marketplace in each State to assist consumers and
small businesses in comparing, selecting, and enrolling in the
health benefit plans offered by participating private insurers.
CMS is responsible for creating a federally facilitated
marketplace for States that do not establish their own. This
marketplace is supported by an array of IT systems, including
HealthCare.gov, the Website that provides the consumer portal
to the marketplace.
My Statement today will summarize the key findings from our
recently issued work on the security and privacy protections of
the systems supporting HealthCare.gov.
But before I proceed, Mr. Chairman, if I may, I would like
to recognize several members of my team who are instrumental in
performing this work. With me today is John de Ferrari, Marisol
Cruz, Justin Palk, and Mark Canter. In addition, members from
GAO's e-Security Lab also participated: Lon Chin, Wes Coile,
Duc Ngo, and Michael Stevens.
Chairman Issa. Could you all please stand so that we can
all, at least for a moment, realize your contribution?
Thank you. You may continue.
Mr. Wilshusen. Thank you.
HealthCare.gov-related systems, including the core systems
of the federally facilitated marketplace and Federal Data
Services Hub, represent a complex system that interconnects a
broad range of Federal agency systems, State agencies and their
systems, and other entities, such as contractors and issuers of
health plans. The complexity and interconnectivity inherently
introduces risk. Ensuring the security of such a system poses a
significant challenge.
To meet that challenge, CMS has undertaken a number of
activities to enhance the security and privacy of systems
supporting HealthCare.gov. For example, CMS has developed and
documented security-related policies and procedures. It
developed a process for remediating identified security
weaknesses. CMS also created interconnection security
agreements with the Federal agencies with which it exchanges
information. And it instituted certain required privacy
protections, such as notifying the public of the types of
information that will be maintained in the system.
However, CMS has not fully or effectively implemented key
technical security controls to sufficiently safeguard the
confidentiality, integrity, and availability of the federally
facilitated marketplace and its information. For example, CMS
did not always require or enforce strong password controls, did
not sufficiently restrict systems from accessing the Internet,
and did not consistently implement patches in a timely manner.
CMS also had shortcomings in its information security and
privacy management program. For example, system security plans
for the federally facilitated marketplace and data hub
generally contained most required information, but each plan
was missing key security information. CMS had also undertaken a
series of security-related testing activities that began in
2012, yet these control assessments did not fully identify and
test all relevant controls prior to deploying the systems. In
addition, CMS did not fully assess privacy risk in its privacy
impact assessments and had not fully established an alternate
processing site for HealthCare.gov systems to ensure that they
could be recovered in the event of a disruption or disaster.
To assist CMS, we made six recommendations addressing the
shortcomings with the information security and privacy program
and 22 recommendations to resolve technical security weaknesses
related to access controls and configuration management. CMS
concurred or partially concurred with all 28 recommendations
and noted that it was taking actions to address each of them.
In conclusion, while CMS has taken important steps to apply
security and privacy safeguards to HealthCare.gov and its
supporting systems, weaknesses remain that put these systems
and the sensitive personal information they contain at an
increased and unnecessary risk of compromise.
Mr. Chairman, Ranking Member Cummings, and members of the
committee, this concludes my opening Statement. I would be
happy to answer your questions.
Chairman Issa. Thank you.
[Prepared Statement of Mr. Wilshusen follows:]
[GRAPHIC] [TIFF OMITTED]
Chairman Issa. Ms. Tavenner?
STATEMENT OF THE HON. MARILYN TAVENNER
Ms. Tavenner. Chairman Issa, Ranking Member Cummings,
members of the committee, thank you for the opportunity to be
here today.
And I want to make everyone aware that CMS strives to be as
responsive as possible. I understand that we have already
provided over 140,000 pages of documents to this committee.
Transparency is important, and that is why I am pleased to be
here today and have the opportunity to answer your questions.
And we will continue to produce documents.
In the almost 5 years that I have had the privilege to work
at CMS, my focus has been on how we can best serve our
beneficiaries, including seniors on Medicare, adults and
children on Medicaid and CHIP, and consumers enrolling in the
marketplace. When I come to work each day, I work to expand
coverage and competition, reduce cost, improve quality in ways
that make a difference in people's lives.
And we are making real and important progress. As of August
15th this year, we have 7.3 million Americans enrolled in the
health insurance marketplace coverage, and these are
individuals who have paid their premiums. We are encouraged by
the numbers of consumers who have paid their premiums and
continue to enroll in the marketplace coverage every day
through special enrollment periods.
This is the most recent count of people who have coverage
throughout the marketplace. Each month, this number will change
slightly as consumers transition in and out of coverage as
their life circumstances change--everything from getting a new
job to moving to a new State or becoming eligible for Medicaid
or Medicare.
There is also good news about Medicare. Spending per
Medicare beneficiary is growing slower than the overall
economy. The Medicare trustees recently projected that the
trust fund that finances Medicare's hospital insurance coverage
will remain solvent until 2030, 4 years beyond what was
projected just 1 year ago.
We strive to make health care safer and better. In the last
5 years, we have seen a 9-percent reduction in harm in
hospitals, such as decreased healthcare-associated infections.
This represents over 500,000 injuries, infections, and adverse
events avoided; over 15,000 lives saved; and approximately $4
billion in avoided costs. This adds up to better health care at
a better price, and I know that makes a real difference for
real people.
Consumers also trust us with their personal information,
and I take that trust very seriously. Security and privacy are
one of our highest priorities. CMS has decades of experience in
operating the Medicare program and its supporting systems, and
we successfully protect the personal information of both
beneficiaries and providers. However, we must continue to be
vigilant and evolve our assessments and actions to keep up with
ever-changing threats.
Consumers can use the marketplace with confidence that
their information is safe and take comfort in knowing that no
personally identifiable information has been maliciously
accessed from the site. Our systems are designed with security
in mind, and our focus on security is ongoing. It did not end
when the marketplace launched. CMS conducts continuous
monitoring using a 24/7, multilayer, professional security team
and penetration testing. Our systems comply with FISMA and
standards promulgated by NIST and the Office of Management and
Budget.
There is risk inherent in any system. It is simply, sadly,
a part of the cyber world in which we all live. We appreciate
the work done by the GAO to suggest additional controls to help
us further protect against these risks and are always seeking
to improve upon the security protections in place.
As we look forward to our second enrollment period, our
goal is to build upon this progress and to address outstanding
challenges. We are working to make it as seamless as possible
for people to reenroll in coverage and reinforcing our outreach
to help more uninsured consumers enroll in coverage. We are
making management improvements with clear accountability and
are committed to being transparent.
This coming year will be one of visible and continued
improvement but not perfection. As problems arise, we will fix
them, just as we always have. Throughout my career as a
hospital executive, nurse, and public servant, my focus has
been on providing people with high-quality health care. I am
proud of the progress we have made at CMS, and I hope to
continue to work with Congress on our efforts.
Thank you.
Chairman Issa. Thank you.
[Prepared Statement of Ms. Tavenner follows:]
[GRAPHIC] [TIFF OMITTED]
Chairman Issa. Ms. Barron-DiCamillo? Is that closer? OK. I
will try to do better. Thank you.
STATEMENT OF ANN BARRON-DICAMILLO
Ms. Barron-DiCamillo. Chairman Issa, Ranking Member
Cummings, and members of the committee, thank you for the
opportunity to appear before you today.
We are also making every opportunity and every effort to be
transparent at DHS--to be as transparent as possible.
My name is Ann Barron-DiCamillo. I am the Director of US-CERT
within the National Cybersecurity and Communications
Integration Center, also known as NCCIC. We lead the Department
of Homeland Security's efforts in cyberspace to respond to
major incidents, analyze threats, and share critical
cybersecurity information with trusted partners around the
world.
US-CERT is a 24/7 operations center and receives and
analyzes hundreds of incident reports a day. We work with
public- and private-sector partner organizations and are
committed to the protection of privacy and civil liberties for
all Americans. At US-CERT, we strive for a safer, stronger
Internet for all Americans.
Established in 2003, US-CERT initially focused on securing
U.S. Federal systems and networks. DHS's cybersecurity
capabilities have grown immensely since the establishment of
US-CERT, and we are working more closely than ever with
partners across public and private sectors to develop a
comprehensive picture of malicious activity and mitigation
options.
Cybersecurity is a shared responsibility and a continuous
process. Our focus is helping our partners build a resilient
and secure ecosystem in cyberspace. Protecting our networks
requires coordination across a global cyber community to
enhance others' capabilities as we continue to mature our own.
While DHS leads the national effort to secure Federal civilian
networks, agency heads are responsible for assessing the risk
to their systems and taking appropriate measures to secure
their networks. US-CERT supports agency heads and chief
information officers in carrying out these responsibilities.
I am here today in a technical capacity to provide findings
from our analysis of the compromised test server at
HealthCare.gov.
US-CERT was notified of an incident by CMS, who has the
oversight responsibility of HealthCare.gov. We conducted
analysis of the images provided to us by CMS and found evidence
of malware on a test server. As stated by Ranking Member
Cummings, our analysis concluded that there was no indication
of personally identifiable information--also known as ``PII''--
exposure and no indication of data exfiltration. Additionally,
there is no evidence of any lateral movement within the network
or further infection.
We have provided CMS a report with these findings as well
as mitigation recommendations. Additionally, we were able to
share indicators from our analysis so that agencies, partners,
and stakeholders could better protect their own networks. We
are currently in discussions with HHS to provide further onsite
support.
DHS remains committed to working with its Federal and
private-sector partners to create a safe, secure, and resilient
cyberspace. And I look forward to answering any questions that
you might have.
Chairman Issa. Thank you.
[Prepared Statement of Ms. Barron-DiCamillo follows:]
Chairman Issa. I will start with you then.
When did you find out you were going to appear here today?
Ms. Barron-DiCamillo. I believe I was informed on Monday.
Chairman Issa. And when did you begin preparing for today's
hearing?
Ms. Barron-DiCamillo. When I was informed on Monday.
Chairman Issa. OK.
Has CERT done a security testing of HealthCare.gov?
Ms. Barron-DiCamillo. We were provided images from CMS of
the compromised test servers, and we provided analysis----
Chairman Issa. I appreciate that. The question was, has
CERT conducted any security testing of HealthCare.gov's
vulnerabilities?
Ms. Barron-DiCamillo. No. As I stated in my opening
remarks, we----
Chairman Issa. So when Ms. Tavenner says there have been no
loss of personally identifiable information, if you don't know
the vulnerabilities, how would she know that to be true?
Ms. Barron-DiCamillo. I believe that CMS conducts their own
scanning and testing, but I am happy to----
Chairman Issa. Did you verify their scanning and testing to
be sufficient?
Ms. Barron-DiCamillo. We would be happy to provide that
information----
Chairman Issa. Did you?
Ms. Barron-DiCamillo. I haven't been provided any details
on the scanning----
Chairman Issa. So you don't know that?
Ms. Barron-DiCamillo. Within the test network?
Chairman Issa. Yes. It boils down to, you are here as an
expert that I didn't expect from an organization that refused
to give my staff any briefing related to it----
Ms. Barron-DiCamillo. And I do apologize for that. I was
under the impression that our staff was working with your staff
to answer those questions. I'm happy to answer----
Chairman Issa. No. As of yesterday afternoon, they put
people who didn't have technical expertise on, who told us they
would get back to us. That is after more than a week of
information we have already put in the record where we were
denied that.
Maybe I will go on to GAO.
I am going to ask, first of all, your indulgence. When this
hearing is over, I would like you to accept the--pardon me?
Mr. Cummings. No, I----
Chairman Issa. Oh, OK.
Mr. Cummings. I wanted to hear what you had to say.
Chairman Issa. That can happen.
I would like you to accept a briefing and do a supplemental
related to the 13 breaches.
Mr. Wilshusen. OK.
Chairman Issa. Ms. Tavenner, I am going to presume that you
will agree that he will have full access to all information
related to that so that GAO may develop specific additional
recommendations based on the actual breaches, if you will, the
13 incidents.
Ms. Tavenner. Yes, sir.
Chairman Issa. OK. That will allow us to get what we don't
have here today, and I appreciate that.
But, Mr. Wilshusen, you have gone through an extensive
amount. Would you describe for the committee the level of
cooperation you believe you got? We have heard what you didn't
get. Are there some good-news stories in the cooperation as you
did your investigation, or your audit?
Mr. Wilshusen. Well, there is some good news and then some
not-so-good news, Mr. Chairman.
As we began our audit--and, generally, we do receive good
cooperation from the agencies that we audit as it relates to
receiving information requests that we provide. In this case,
initially, there were delays in providing certain documents
that we had requested. In addition, CMS attempted to put
certain restrictions on some of the documents. And----
Chairman Issa. Did they cite why they were restricting? Are
you just not trustworthy?
Mr. Wilshusen. No, no. I think they indicated that they
were concerned about the security--the sensitive security
information in----
Chairman Issa. So they don't trust you.
Mr. Wilshusen. I wouldn't say that, sir, no.
But we elevated the issue within GAO and within the
Department, and we reached an agreement to where we would be
able to and they did provide the information for us to look at.
Chairman Issa. So, at the end of it all, there was no
reason--after it was elevated, there was no reason that they
should have denied it to begin with.
Mr. Wilshusen. In my view, no. They should have provided it
earlier. But, at the same point, you know, they had a concern
about the security of the information, so they tell us. But,
you know, their motivation would be probably better addressed
by the Administrator.
Chairman Issa. OK. Limited time, and I want to sort of set
the stage for what others on both sides of the aisle may ask
here.
When you looked at the robustness of how they determined
with such certainty that there had been no breaches, no loss of
personally identifiable information, were you satisfied that
all those procedures were robust enough that, with the
certainty that Ms. Tavenner said that no losses had occurred,
that no losses had occurred?
Mr. Wilshusen. Well, we did not receive actual security
incident reports on these incidents, at least on the 13. We did
receive a written response to an interrogatory, in which they
indicated that, at least for the 13, that there was certain PII
that was compromised or disclosed to an individual, but it was
a consumer. It was due to a technical glitch in----
Chairman Issa. Wait, wait, wait. I want to understand.
Mr. Wilshusen. Right.
Chairman Issa. So personally identifiable information was
lost or disclosed?
Mr. Wilshusen. Was disclosed, according to their
description. But----
Chairman Issa. OK.
Ms. Tavenner, others will ask additional questions, but
your opening statement said none had been lost. How can we
reconcile ``none has been lost'' with a sworn statement that
some has been lost?
Ms. Tavenner. I think what my statement said is there were
no malicious attacks on----
Chairman Issa. Oh. Oh, so if you just screw up and put the
public's information out, it is OK because it wasn't a
malicious attack?
Ms. Tavenner. No, sir, I don't think any time we put
consumer information out there it is OK. But I think----
Chairman Issa. OK. So my time has expired, and I want the
ranking member to have full time.
I just want to make it clear that wordsmithing of ``no
malicious was done'' versus ``accidental''--just as we
discovered at the time of the launch that, if I went to the
section above, you know, where the URL normally is, when that
thing was launched, if I simply typed in a different number or
a different State code, I could have looked at somebody else's
record. That was part of what you guys had wrong on the day of
the launch, is that you could simply go to somebody else's
record by changing that long streak at the top, meaning no
code. That wouldn't have been malicious, I guess, except that
if somebody were doing it to see what they would get, that
would be a little bit malicious.
So when you say no personally identifiable information was
lost through malicious, what you are saying is you don't know
how much was lost, you just believe that the definition of
``malicious'' wasn't met. Is that right?
Ms. Tavenner. I actually--and I think this relates to the
personal incidents. And I do think that we want to cooperate
with the GAO on that, and we are happy to review those. And I
think----
Chairman Issa. Thank you. Your desire to want to cooperate
after we bring you here involuntarily for a hearing is most
appreciated, but, quite frankly, you should have cooperated
with the GAO beforehand.
Ms. Tavenner. Sir, I think the--I always like to cooperate
with the GAO and the OIG. And we have had over 140 open audits
underway, and I think we have cooperated. I would also like to
say I came here voluntarily.
Chairman Issa. Thank you.
The distinguished gentleman from Missouri is now recognized
for 5 minutes.
Mr. Clay. And thank you, Mr. Chairman. Thank you for--and
thank the ranking member for yielding his time.
Mr. Wilshusen, GAO found that HealthCare.gov had security
weaknesses when it was first launched in part because of a lack
of adequate oversight of security contractors. Is that right?
Mr. Wilshusen. We found that, with respect to when it was
first deployed--and recognize that our audit occurred
subsequent to the initial deployment--we found that, based on a
review of the documents, there were certain vulnerabilities in
controls that had not been tested at that time and that there
were a few vulnerabilities that had been identified through
testing through which the CMS had accepted in order to provide
an authority to operate----
Mr. Clay. Those responsibilities were incumbent upon the
contractor, correct?
Mr. Wilshusen. Well, overall responsibility, it rests with
the----
Mr. Clay. With the contractor? Or----
Mr. Wilshusen. I believe--I think, in some cases, there may
be incidents and we did identify weaknesses that were operated
on systems operated by a contractor. But that was subsequent----
Mr. Clay. OK.
Mr. Wilshusen. That was during the course of our audit,
not--that doesn't necessarily pertain to prior to the
deployment of the system.
Mr. Clay. Sure. And the GAO report found that there was not
a shared understanding of how security was implemented among
all entities involved in the development and security testing
of the Website. Is that correct?
Mr. Wilshusen. Yes, that's correct. And what we found, too,
is that in certain instances where CMS told us who was
responsible, or the contractor that was responsible for certain
tests, such as implementing security on a firewall----
Mr. Clay. Yes.
Mr. Wilshusen [continuing]. It went to that contractor. The
contractor indicated that it was not his responsibility, that
it was another contractor, and that responsibility was not
identified in that contract's statement of work.
Mr. Clay. Yes, but scenarios like this obviously increase
the likelihood of security risks. Is that correct?
Mr. Wilshusen. Yes, sir.
Mr. Clay. And was there a specific CMS official or group
that was responsible for overseeing the security testing of
HealthCare.gov? Is there a group?
Mr. Wilshusen. Well, overall, the CMS CIO and CISO--I'm
sorry--Chief Information Officer and Chief Information Security
Officer have, I would say, overall responsibility for reviewing
and assuring the security over the system.
Mr. Clay. Now, for a project of this magnitude, shouldn't
an agency official with a broad understanding of IT security
testing oversee contractors?
Mr. Wilshusen. I would say yes.
Mr. Clay. And was that the case here?
Mr. Wilshusen. I would say that, you know, there is--that
CIO/CISO would be the individuals that would have that
responsibility overall.
Mr. Clay. OK. So who would the CMS official be that would
have that kind of understanding of IT security testing? Was
there a person in place?
Mr. Wilshusen. Yes. Either they had the CMS CISO. In
addition, there are several individuals that were responsible
for aspects related to the security over the HealthCare.gov.
There is also an information systems security officer that has
responsibility for assuring that, you know, security controls
are properly implemented.
Mr. Clay. And, you know, the issues with IT security
management did not start with HealthCare.gov. As a matter of
fact, this is a broader government problem that needs to be
addressed, don't you think?
Mr. Wilshusen. GAO has been reporting information security
and Federal information security as a governmentwide high-risk
area since 1997. And so, sadly, yes, it is a broad government
issue.
There have been weaknesses--just as an example, for Fiscal
Year 2013, 18 out of the 24 major Federal agencies covered by
the Chief Financial Officers Act reported either a material
weakness or a significant deficiency in their information
security controls for financial reporting purposes. Twenty-one
out of the 24--or IGs at 21 out of the 24 agencies also cited
information security as a major management challenge. So yes.
Mr. Clay. And so it would be fair to say that all
Internet-facing systems, both in the Federal Government and the private
sector, involve some risk. Is that correct?
Mr. Wilshusen. Given the nature of the Internet and the
capabilities and prevalence of hackers who might try to exploit
vulnerabilities, yes. The answer is there is risk in conducting
online transactions.
Mr. Clay. Thank you so much for your responses.
And, Mr. Chairman, I yield back.
Chairman Issa. I thank the gentleman.
We now go to the gentleman from Florida for 5 minutes.
Mr. Mica. Thank you, Mr. Chairman.
And I have a copy of your report dated September 2014. And,
in that, you, in fact, state and GAO found--first of all, I
think you found that the testing was not complete and that the
whole program was rolled out with weaknesses in security and
protection of privacy. Would that be an accurate statement?
Mr. Wilshusen. Yes.
Mr. Mica. OK.
I also see that you say that the GAO report strongly
asserts that testing of the Website still remains insecure. Is
that correct?
Mr. Wilshusen. I would say that the testing of
HealthCare.gov and the supporting systems has not been
comprehensive----
Mr. Mica. So even to date we have risks. Is that correct?
Mr. Wilshusen. Today we have risks.
Mr. Mica. Security risks, privacy information risks. OK.
Thank you.
And there was a--the rollout--they actually rolled this
out, I saw in the report too--I guess four States had not even
taken action to secure privacy?
Mr. Wilshusen. I would characterize it more as they had not
met CMS's----
Mr. Mica. Right.
Mr. Wilshusen [continuing]. Security requirements.
Mr. Mica. Security requirements. And we will have those for
the record, the States.
Mr. Mica. So it is incomplete testing.
Then I see, basically, a coverup of the failure that took
place. Did you see any of that?
They were trying--I went through some of these emails and
some of the record the committee has. I don't know if you saw
this. But it looks like quite a coverup, or they tried to not
let the public know the failure of the rollout and the failure
of them to protect this information. Is that correct?
Mr. Wilshusen. I'm sorry, I could not comment on that
because I have not seen the----
Mr. Mica. Oh, I can tell you. It is page after page. I
mean, I can't even use some of the language used here.
Mr. Chairman, I would like to have some of this submitted
in the record, this report.
Chairman Issa. Without objection, so ordered. The entire
report will be placed in the report.
Mr. Mica. OK.
It is astounding. Again, ``This is a [blanking] Disaster.''
I mean, this is one of the HHS people who saw what was going on
at CMS.
Politico has a 2-day story that talks about the issues and
most detailed explanation, but it is just stating overwhelming
traffic that couldn't have been replicated and tested.
I mean, just one point after another of the coverup. And I
think, unfortunately, people like Ms. Tavenner were involved in
some of the coverup.
Did you ever attempt, ma'am, to have any emails or records
deleted as to what was going on in the failure?
Ms. Tavenner. I'm not aware of the emails. I've not seen
the emails you are responding to, so I can't answer that.
Mr. Mica. Uh-huh. Uh-huh. Well, I have one email here, and
you had asked that it, in fact, be deleted. And I can supply
you with a copy of it. But it says, ``Please delete this
email.'' And it goes on to detail what was going on, the
failure that was going on.
First of all, there was a company by the name of Serco that
was employed to--or retained, a contract of $1.2 billion, is
that correct, to process the paper applications?
Ms. Tavenner. We retained Serco. I don't have the amount in
front of me.
Mr. Mica. Uh-huh. Well, again----
Ms. Tavenner. I'm happy----
Mr. Mica [continuing]. This email talks about Serco and the
failure of the proper processing. There were problems with
processing the paper applications.
Ms. Tavenner. Congressman Mica, I'm happy to take a look at
the email.
Mr. Mica. Yes. And you had nothing to do with the awarding
of a $1.2-billion contract, you would tell the committee too,
right?
Ms. Tavenner. I don't understand the question that you're
asking me.
Mr. Mica. Of the Serco contract to process paper.
Ms. Tavenner. I'm actually not part of the----
Mr. Mica. Here you're talking about Serco and the problems
of the paperwork. You're asking for deleting of information.
Then I looked a little bit into Serco, and the Serco
scandal grows. Did you know that Serco had been awarded the
contract, a $1.2-billion contract, while they were being
investigated? It's a British, U.K. firm, and they were being
investigated for some fraudulent activities in the U.K. as they
were being awarded a $1.2-billion contract.
Ms. Tavenner. No, sir, I did not----
Mr. Mica. You weren't aware of any----
Ms. Tavenner. And I think I stated that last year in a
hearing.
Mr. Mica [continuing]. Of the background.
Again, I think we need to put this--Mr. Chairman, I would
like to put this email in the record, where the witness asks
that we delete this particular email and it dealt with the
problems at Serco at that point.
Chairman Issa. Without objection, so ordered.
Mr. Mica. Finally, are you aware that you violate Federal
law when you ask to delete information like this?
Ms. Tavenner. Again, Congressman, I would need to see the
email in order----
Mr. Mica. OK.
We'll provide the witness, if we could, with----
Chairman Issa. We will pause quickly.
If you will send it down to her. I think you might as well
get it quickly done.
I would ask unanimous consent to stop the clock and give
her an opportunity to read it.
Thank you.
Mr. Mica. Just simply, is that your email, and did you ask
to have it deleted? At the beginning, it states pretty clearly
your intention.
Mr. Chairman, I'll defer to you to get a response from the
witness.
Ms. Tavenner. This email is from me, yes, sir. That's
accurate. And this email was written to Julie Bataille, who at
the time was involved in the call center. And I think this is
about the call center information. And I think that I asked
that she delete this email because it involved sensitive
information regarding the President's schedule, and I think
that's actually the area that's redacted.
But, no, it is not normally my custom to ask--sometimes I
would ask that things be ``close hold'' or ``do not forward.''
But, in this case, it involved the President's schedule, if I
remember this correctly.
Mr. Mica. So, again, Mr. Chairman, I would also--I want the
entire content of the email entered into the record and the
reference further down to Serco.
Thank you. Yield back.
Chairman Issa. Thank you.
I would just briefly, if I could have an indulgence--why
would the President's schedule after the fact have any
relevance to being needed to be deleted? I hear you, but the
President's schedule becomes very public in real time within a
very short period of time.
Ms. Tavenner. So I can't answer the reason why this is
redacted. I didn't make the decision to redact it. That's done
by our oversight----
Chairman Issa. But you were surmising that it had to do
with the President's schedule. The President's schedule is not
all that secretive, and, after the fact, it has no relevance
for protection.
Ms. Tavenner. I understand.
Chairman Issa. And, under the Federal Records Act, your
communication is to be retained, correct?
Ms. Tavenner. And it was retained. My immediate staff was
copied on that, and that's why you have it. It was retained.
Chairman Issa. OK. So deleting it doesn't change the fact
that it had to be retained for the Federal Records Act.
Ms. Tavenner. It is retained.
And, in fact, if you are asking about our response to NARA,
we did that out of an abundance of caution because we weren't
sure. Because I didn't necessarily retain some emails if they
related to scheduling changes and this sort of thing. So, going
back to the issue of transparency and trying to be forthcoming
about information, we decided to notify NARA.
Chairman Issa. OK. I would hope that the unredacted
versions of all this would be made available to the GAO. And I
would ask simply that unredacted versions be seen by the GAO to
see if, in fact, it's consistent with what we're hearing here
today.
Mr. Mica. Mr. Chairman, a unanimous request----
Chairman Issa. The gentleman will state his request.
Mr. Mica. I have articles about ``Serco Scandal Grows'' and
people paid to do nothing and processing Serco's checkered
past, ``White House Hired Sham Foreign Company for Obamacare,''
and a Forbes article, ``The Unhealthy Truth About Obamacare's
Contractors.''
I'd like these to be----
Chairman Issa. Without objection, so ordered.
Mr. Mica. Thank you.
Chairman Issa. And, with that, we'll go to the gentleman
from Pennsylvania for 5 minutes.
Mr. Cartwright. Thank you, Mr. Chairman.
And thank you to the witnesses for joining us here today.
One of the most critical features of the Affordable Care
Act is that it expands Medicaid eligibility to millions of
low-income American adults. Prior to the ACA, Medicaid eligibility
was restricted primarily to low-income children, their parents,
people with disabilities, and seniors. In most States, adults
without dependent children were not eligible for Medicaid.
According to a study issued in April 2014 by the Kaiser
Family Foundation, only about 30 percent of poor, non-elderly
adults had Medicaid coverage in 2012 and uninsured rates for
poor adults were more than double the national average.
Under the ACA, Medicaid eligibility can be expanded to
cover all non-elderly adults with incomes below 138 percent of
the Federal poverty level.
Administrator Tavenner, is that correct?
Ms. Tavenner. Yes, sir, I believe that is correct.
Mr. Cartwright. All right.
So the Federal Government pays States 100 percent of the
costs for the first 3 years and then phases that down--phases
its match down to about 90 percent in 2020. Despite this
enormous level of Federal assistance, more than 20 States have
decided not to participate in the expansion, leaving millions
of their own citizens without health care.
Administrator Tavenner, can you comment on the coverage gap
that is resulting from these decisions not to expand Medicaid
in those States?
Ms. Tavenner. Yes, sir.
I would start first by saying, with Pennsylvania's recent
decision, we are now at 27 States, I believe, plus the District
of Columbia, who have decided to expand Medicaid. And,
obviously, if you look at a lot of independent studies, there
is a noticeable difference in the States that have decided to
expand Medicaid in terms of lowering the number of uninsured.
We're going to continue to work with those remaining
20-something. And we meet with them on a regular basis to do what
we can to encourage folks to expand.
Mr. Cartwright. Now, by not participating, aren't the
States that aren't leaving billions of Federal dollars on the
table that could be used to improve the health of their own
citizens?
Ms. Tavenner. Yes, sir, they are. And it also has economic
consequences for those States, as well.
Mr. Cartwright. Of course.
Now, recently, some Republican Governors, as you have
alluded to, who had originally refused to expand Medicaid have
now reconsidered their original decisions and have submitted
Medicaid expansion plans for CMS's approval. For instance, in
my own State of Pennsylvania, as you mentioned, they decided to
expand Medicaid, which will now provide health insurance to
600,000 low-income adult individuals in our State.
Administrator Tavenner, how will Medicaid expansion in
Pennsylvania impact the health of its citizens?
Ms. Tavenner. I certainly can get you information from
independent studies, but there is a definite correlation
between coverage of insurance and long-term health improvement.
Mr. Cartwright. Good.
Now--and I don't want to leave this question out. Other
than political posturing by the Pennsylvania Governor, are you
aware of any good reason why 600,000 good Pennsylvanians went
without coverage for an extra 9 months from the rest of the
States that expanded Medicaid right away?
Ms. Tavenner. No, sir. We want everyone to expand and
expand quickly.
Mr. Cartwright. Well, Administrator Tavenner, why do you
think Republican Governors are so divided on the issue of
Medicaid expansion?
Ms. Tavenner. Sir, I can't answer that. I'm not sure. I'm
sure each State has their reasons. We just try to work with
them and meet them where they want to be.
Mr. Cartwright. All right.
Do you expect to work with additional Governors who
previously opposed Medicaid expansion but are now considering
reversing their decisions?
Ms. Tavenner. Absolutely.
Mr. Cartwright. Well, I want to say I thank you for coming
here today, and I thank you for your testimony.
I hope that Governors in States that have so far not
elected to expand Medicaid will reconsider, will consider the
impact on their communities, to take advantage of this historic
opportunity to lift up all of the Americans in their States, as
well.
Thanks again, Administrator Tavenner.
And I yield back.
Chairman Issa. Would the gentleman yield?
Mr. Cartwright. I am out of time.
Chairman Issa. Oh, OK. Well, at some future time, I'm happy
to work with you and explain Republican Governors to your
satisfaction.
With that, we go to the gentleman from Utah, perhaps a man that
will someday be a Republican Governor, for 5 minutes.
Mr. Chaffetz. Reclaiming my time, I thank the chairman.
And thank you all for being here.
Ms. Tavenner, a question for you about the Oregon exchange.
The American taxpayers put in some $304 million to develop that
State exchange. Now they want to come over and make a
transition.
Did you or anybody at CMS conduct a cost-benefit analysis
to determine that the switch to the Federal exchange was the
most cost-effective for the taxpayers?
Ms. Tavenner. Yes, sir. We did an analysis of what it would
cost for us to bring in the two additional we're bringing in
this year, Nevada and Oregon. And we did--I wouldn't say it
would be a sophisticated analysis, but we did a cost analysis.
And, as you might imagine, when we already have 36 States in
the exchange, adding 2 more is cost-effective.
Mr. Chaffetz. Could you share that analysis with us? Is
that something you could provide to us?
Ms. Tavenner. Certainly.
Mr. Chaffetz. What is the additional cost?
Ms. Tavenner. I don't have that in front of me, but I'm
happy to get it for you.
Mr. Chaffetz. When is a good time--when would I raise the
flag and say, ``All right, that's been long enough''? Can you
give me a sense of the time?
Ms. Tavenner. We should be able to get you that in a few
days.
Mr. Chaffetz. Very good. Thank you. I appreciate that.
Ms. Tavenner. It is part of our bill that is ongoing----
Mr. Chaffetz. A few more questions about that.
What is being done to claw back--I mean, there's $304
million. Is that money all gone? Is there some of that coming
back? Is somebody going to jail? What's going on with it?
Ms. Tavenner. Each State--and, again, I am----
Mr. Chaffetz. I want to talk specifically about Oregon.
Ms. Tavenner. Yes.
Mr. Chaffetz. That seems to be the most egregious.
Ms. Tavenner. I think Oregon has very actively gone after
their contractor, and I think that's been in the press. But I
am happy to get you more details----
Mr. Chaffetz. But what is the Federal Government doing? It
was Federal taxpayer dollars--correct?--that went into it.
Ms. Tavenner. Yes. These were actually grants awarded to
States, and so the contract is between the State and the
contractor. So the States were working that initially.
Mr. Chaffetz. So CMS, Health and Human Services, Department
of Justice, the Federal Government--I mean, pick your entity--
we're doing nothing to claw back those dollars?
Ms. Tavenner. Ultimately--I think it's a little early in
the decisionmaking right now. States are going after it on the
basis of their individual contracts.
Mr. Chaffetz. But the Federal taxpayers give $304 million,
and we just say, ``Well, it's up to Oregon to figure out what
to do.''
Ms. Tavenner. We are obviously working with the State.
Mr. Chaffetz. When we gave these grants, was there no
condition or expectation that it would work? I mean, was there
a deal that said that--did we just literally hand them over the
money and we don't care what happens? I mean, it ultimately
didn't work, correct?
Ms. Tavenner. What we did are a series of progress reports
and requirements with the States. And I'm happy to get you that
information, as well.
Mr. Chaffetz. I'm just trying to get some degree of
specificity. I haven't heard you yet say we're doing something
to try to claw back nearly a third of a billion dollars.
Ms. Tavenner. I think what I've said is that States are
doing that right now. And we are cooperating with States.
Mr. Chaffetz. And so--but why is the Federal Government not
doing anything?
Ms. Tavenner. We are cooperating with States. The contract
is between the State----
Mr. Chaffetz. So we're just waiting for Oregon to tell us
something.
Ms. Tavenner. We are working with Oregon and other States.
That's all I can say right now.
Mr. Chaffetz. And, Mr. Chairman, I mean, I don't know how----
Chairman Issa. That's all--just what she said, it's all
she's going to say. She won't answer your question.
Mr. Chaffetz. I know. I just think it is something that the
Congress legitimately should look at. We give out $300-plus
million, and we just call it a day and move on?
Ms. Tavenner, is there any criteria or guidance for States
who want to drop out and move to our exchange? Have you
issued--or how do you evaluate those? Or do you just say
``yes''?
Ms. Tavenner. Well, we obviously have a list of criteria
and requirements for the State to move from a State-based
exchange to move to the FFM.
These entities stay State-based exchanges. They can
continue to do their marketing, their outreach. What we are
doing is the FFM support. And there are criteria they have to
meet for us to move them back into the system. And I am happy
to share that with you.
Mr. Chaffetz. OK. So you can--in that package?
Ms. Tavenner. Yes. We have that.
Mr. Chaffetz. Yes. In a few days, you'll share that with
me, as well. I appreciate that.
Ms. Tavenner. We have a lot of documentation.
Mr. Chaffetz. Yes, OK. Thank you. I appreciate it.
And, again, for my colleagues here, I just--we really have
to look at this. It's stunning to think that we would hand out
by the hundreds of millions of dollars to States and have no
recourse, and if it doesn't work, we just kind of throw up our
hands and say, ``Well, it's up to somebody else to figure it
out.'' That is not the way we should operate. It is pretty
stunning and very dissatisfying and doesn't produce results.
It's not responsible, it's not accountable, and very
frustrating.
I yield back.
Chairman Issa. I thank the gentleman.
We now go to the gentleman from Massachusetts who was here
first, Mr. Lynch.
Mr. Lynch. Thank you, Mr. Chairman.
I want to thank the members of the panel for your
willingness to come here and help the committee with its work.
Ms. Tavenner, generally, the way things work is that the
private sector has far more resources than, oftentimes, our
government entities, and they are better prepared, better
incentivized to keep data secure. And that troubles me because
I see a list of--I am also on the Financial Services Committee,
as well. And we've been dealing with Home Depot. We've been
dealing with Target. We've been dealing with JPMorgan Chase,
the largest bank in the United States of America. We're still
not sure about the breadth of that breach, but we're concerned
about it.
We have Heartland Payment Systems; that was 134 million
people in the United States. KB Financial Group, 104 million
people. Global Payments system, 950,000 people to 1.5 million;
we're not sure yet. They even breached the Iranian banks, about
3 million people. That was probably us who did that.
Morningstar, 184,000 people. Citigroup, 360,000 people.
So you've got all these big firms. Especially JPMorgan
Chase, they've got some very, very smart people. They have an
extreme financial interest, as well as a reputational interest,
to hang on to that data.
And so I'm just worried with the--with, sort of, the
botched rollout, the difficulty with the State exchanges,
including in my State of Massachusetts. We've had a bunch of
data breaches related to health care.
Are you sure that you can sit here under oath today and
tell me that nobody's breached the, you know, HealthCare.gov
site and that the folks whose healthcare information, tax
information, personal information--that it remains secure today
as we sit here?
Ms. Tavenner. So let me answer that in a couple of ways.
And I will go back to the chairman's point about transparency,
as well.
I dare say there is very little that concerns me more on a
daily basis than the security of this Website, for a host of
reasons. It's a new project. It has been very, very visible in
the press on a daily, if not hourly, basis. And we do have the
difficulty in the rollout.
We have, even within our limited resources, spent a great
deal of time and money securing the Website. We have been able
to meet FISMA standards, OMB standards, HIPAA standards. But I
will always worry about the safety and security of the Website.
We've talked about the earlier incident with the malware.
And yesterday I was informed of another case, not related to
HealthCare.gov, but an independent site, if you will, that was
working with the cloud, with Website material, where there was
another malware incident. Now, there was no personal
information. This is something that I don't even have the
details of. But these are the types of things that worry me
every day.
We meet about security weekly. We review every----
Mr. Lynch. Yes. I'm not hearing the answer to my question.
And I appreciate all of that. Believe me, I really do. But I
only have a minute left, and I think you're going to burn all
my time here.
So there's no guarantee that there has been no breach. I
don't want to put it that way, but you don't seem to be able to
give me a guarantee that there is not----
Ms. Tavenner. Well, to date, we have had no malicious
breach. We've had no breach of personal information.
Mr. Lynch. OK. OK. That's fair enough.
Let me ask you: One of the problems we're having with our
credit card issuers--and I am just using this as an analogy--is
that, for them, you know, that's product. They sell
information. I think sometimes, by selling it, they bring on
the breach themselves. But they also compile it so that these
credit card companies have 15, 20 years' worth of data there
all sitting there waiting to be hacked. So my purchases at Home
Depot, you know, 10, 15 years ago are still part of that data
grouping.
Do we do anything to put firewalls up so that if there is a
breach of the medical information that we can somehow limit the
damage?
Ms. Tavenner. So, first of all, yes, it's part of the
design of the system. If you remember the hub, no information
is stored on the hub. So that was one step.
Second, we do not keep any medical information. There is
some personal information, but we don't have a need for medical
information. So that's not stored within the FFM.
The only thing that is stored in the FFM itself, separate
from the hub, is the ability to work appeals of cases for
people who say, ``I didn't get a tax credit. I should have
gotten a tax credit.'' So we keep it minimal, but we do have
some storage----
Mr. Lynch. But is that tax information in there?
Ms. Tavenner. No. There's not tax information. There can
be--sometimes people can state their income, but there is not
tax information.
Mr. Lynch. OK. All right.
My time has expired. Thank you for your indulgence, Mr.
Chairman.
Chairman Issa. Thank you. Thanks for a very good round of
questioning.
We now go to Mr. Meadows.
Mr. Meadows. Thank you, Mr. Chairman.
Ms. Tavenner--I'm over here. Want to go ahead, and I'll
speed through some of these questions.
Ms. Tavenner, can you confirm that CMS will not change
their open enrollment dates? I know we had so many different
dates that changed before. Can you confirm to the American
people and, really, to the providers that those open enrollment
dates will not move?
Ms. Tavenner. The open enrollment date for this year is
November 15th through February 15th.
Mr. Meadows. And those will stay firm?
Ms. Tavenner. Yes, sir.
Mr. Meadows. No changes.
Ms. Tavenner. No changes.
Mr. Meadows. They can count on it. OK. That's good news.
All right. How about window-shopping? Last time, you had to
actually enroll, put your--I had to go on--when I was shopping,
I actually had to sign up to be able to figure out what I want.
Is that going to be available?
Ms. Tavenner. Window-shopping will be available, and you
would not have to sign up this year.
Mr. Meadows. So we're going to be able to compare plans----
Ms. Tavenner. That's right.
Mr. Meadows [continuing]. Without having to put in any
personal data.
Ms. Tavenner. Yes, sir.
Mr. Meadows. OK. Great.
So let me go a little bit further into this. Bryan Sivak
has come and shared testimony here with this committee. Are you
familiar with who he is at HHS?
Ms. Tavenner. I know who Bryan is, yes.
Mr. Meadows. OK.
Let me read--when we were looking at the rollout, he says,
``So to your question''--this was him in an email--``So to your
question, how am I feeling about the launch, not good. Kind of
heartbroken, actually. Whatever launches, if functional, will
only technically meet the criteria of launching the exchange.
It will be riddled with confusing and hard-to-use compromises.
But I really don't know. I'm not seeing anything that's being
delivered. It's just piecing things together kind of through
the grapevine.''
And so there was not a real communication going on between
CMS and HHS during the whole HealthCare.gov launch?
Ms. Tavenner. I am not familiar with that email. At least I
don't think I am. I----
Mr. Meadows. Well, I mean, I guess the question is, was
there a whole lot of coordination between HHS and CMS
technology people going through? Because I have been led to
believe that HHS only found out really what was going on
through informants.
Ms. Tavenner. Well, we did weekly updates with HHS on the
Website----
Mr. Meadows. So they didn't have to have informants to find
out what was going on?
Ms. Tavenner. I can't remember if Bryan was in those
meetings or not, but I wouldn't think they would need
informants.
Mr. Meadows. OK.
Did Bryan recommend to you that the Website launch should
be delayed because of security testing concerns?
Ms. Tavenner. Bryan did not recommend to me that the launch
should be delayed. Bryan did discuss in a----
Mr. Meadows. Because he shared with the committee that he
did. So are you sure that he did not say that we should not
delay the launch because of security concerns?
Ms. Tavenner. I think I need to finish my sentence.
Mr. Meadows. My apologies.
Ms. Tavenner. That's all right. The rest of that sentence
is: There was a discussion about would it be possible to beta
test or launch a few States as opposed to bringing up the
entire FFM. And I and the team did not think that was possible.
Mr. Meadows. And why did you not follow his advice?
Ms. Tavenner. About the beta site?
Mr. Meadows. Well, about delaying it.
Ms. Tavenner. Yes. So----
Mr. Meadows. I mean, you say ``beta site,'' I say
``delay.''
Ms. Tavenner. Yes.
Mr. Meadows. But whether you're right or I'm right, why did
you not follow his advice?
Ms. Tavenner. Well, I didn't think that it was possible,
the way that the FFM was configured, to do that, nor did I
think that it was necessary.
Mr. Meadows. OK. You shared your testimony earlier; you
shared your resume. What part of your resume included IT
background? Because that was his expertise. You sounded like
you're a healthcare provider, not an IT expert.
Ms. Tavenner. Well, I am a healthcare provider. I've
probably become more of an IT expert in the last year. But I
was taking----
Mr. Meadows. But at this particular--this was in January.
So at what particular point did your IT expert outweigh his?
Ms. Tavenner. Actually, taking the recommendations of our
IT expert team inside CMS, as well as our CMS contractors, who
I felt were a lot closer to this issue than Bryan----
Mr. Meadows. All right. So now we can look backward and
realize that the rollout was a disaster. So what do you think
of your IT expertise within CMS today? Was Bryan right, we
should have delayed it?
Ms. Tavenner. I don't know that Bryan was right. I know
that----
Mr. Meadows. Was he closer to right than your team?
Ms. Tavenner. Not necessarily. I know that we have come a
long way in our launch. And, as I said earlier, we have 7.3
million people paying premiums across----
Mr. Meadows. I didn't ask how many had signed up. This is
about security, and he had a concern in January about security,
and yet you ignored his advice. Why would that have been?
Ms. Tavenner. Because I had my own IT team who conveyed to
me that they were confident in the project.
Mr. Meadows. All right.
I yield back. I am out of time.
Chairman Issa. If either of the other witnesses want to
comment on the answer to the gentleman's question about, a year
ago, was the site ready and should it have launched in
retrospect?
Mr. Wilshusen. Well, I would just say that, at the time it
was launched, that CMS did accept increased risk from a
security perspective.
Ms. Barron-DiCamillo. Not having reviewed the data that the
CMS IT team had, I wouldn't feel comfortable in commenting
associated with that. I think it's important to have eyes on
the project and be part of the team to make those decisions.
It's very difficult as a third-party partner participant to
make that kind of assessment without the actual knowledge and
data.
Chairman Issa. Well, as a former businessman, I would say
that a site that couldn't accommodate a few hundred people
simultaneously signing on and people waiting for weeks or
months, security wasn't the reason that that should not have
launched. But I appreciate that you're here on security today.
The gentlelady from New York, a place where IT comes first
for many of her constituents, is recognized for 5 minutes, Ms.
Maloney.
Mrs. Maloney. That's true. And that's true of the west
coast, too.
I just want to note that this is the committee's 29th
hearing on the Affordable Care Act and the sixth on the
Website.
Chairman Issa. We've got two more to go.
Mrs. Maloney. Oh, come on. Please.
I want to focus on some very positive things, and that is
the cost growth is slowing to historic lows. And that was one
of the huge challenges that we confronted the whole time that I
have been in Congress, is just the whopping cost in health care
in our country.
Now, contrary to some of my colleagues' claims that the
Affordable Care Act is causing healthcare costs to skyrocket,
there have been multiple reports recently that show that the
growth of healthcare spending in the United States is slowing
to historically low levels. And that is good news for everyone.
Administrator Tavenner, earlier this year, the Centers for
Medicare and Medicaid Services issued its national health
expenditure report. Are you familiar with that report?
Ms. Tavenner. I am familiar with that report.
Mrs. Maloney. Well, the report found that national health
spending grew by just 3.7 percent in 2012, a near-record low,
and the fourth consecutive year of slow growth of healthcare
costs.
In your opinion, what factors are driving this historically
low rate of growth?
And I'd like the others to chime in, too, if you would like
to add to her response.
Ms. Tavenner. I think that we all felt it was a combination
of things: certainly, the recession early on; but as time went
by and we continued to see this historic low growth, I think
some of the actions in the Affordable Care Act have made a
difference.
And it is an ongoing conversation I have with my actuary.
And I think he would agree, if he were sitting here with me,
that it's both. But the Affordable Care Act has made a
difference.
Mrs. Maloney. Mr. Wilshusen?
Mr. Wilshusen. I'm sorry, that was outside the scope of my
review, so I can't really comment on it.
Mrs. Maloney. OK.
Any comment, Ms. Barron?
Ms. Barron-DiCamillo. That is something that I have not
been involved in as the Director of US-CERT.
Mrs. Maloney. OK. Fine.
Well, earlier this month, CMS released its national health
expenditure projections for 2013 through 2023. And according to
these estimates, national health expenditures grew just 3.6
percent in 2013. Is that correct?
Ms. Tavenner. I believe that is.
Mrs. Maloney. This is the lowest rate of growth since the
Federal Government began keeping such statistics since 1960. I
would call this a very positive development in public policy.
Would you agree, Ms. Tavenner?
Ms. Tavenner. I would totally agree.
Mrs. Maloney. What about the next 10 years? We're always
looking ahead. I know CMS projects an uptick in health spending
overall due to the large number of people who are newly insured
through the Affordable Care Act, but what about per-enrollee
health costs?
Ms. Tavenner. So, going back to that report, I think the
trend is expected to move back up, with the number of
individuals in Medicare and others. But I think that stresses
the importance of our success in tying together delivery system
reform, payment and quality, and why that works is critical
that we continue it.
Mrs. Maloney. Well, why will they grow more slowly than
before the Affordable Care Act?
Ms. Tavenner. I think because of some of the measures that
we've put in place with the Affordable Care Act, such as tying
payment to quality, tying payment to outcome, looking at things
such as accountable care organizations, kind of transforming
the delivery system, which is a work in progress.
Mrs. Maloney. Now, the Kaiser Family Foundation recently
released an annual employee health benefit survey. And this
report indicates that the slowdown in health spending also
extends to employer-sponsored insurance--more good news. And
according to Kaiser, premiums in employer-sponsored health
plans grew only 3 percent in 2012.
So I would like to ask you--that's tied for the lowest rate
of growth since Kaiser started measuring the growth of employer
healthcare plans. And is that report correct? Do you agree with
the Kaiser report with the data you've been looking at?
Ms. Tavenner. Yes, I've reviewed the Kaiser report, and
employer insurance does tend to follow what we're seeing in
Medicare and Medicaid. So yes.
Mrs. Maloney. Well, this seems to be very good news for the
American consumers and our overall delivery of healthcare
service. So I'm very pleased with these reports. And what do
they say? Numbers don't lie. And the numbers are showing that
it's showing an improvement. So I want to congratulate you and
your colleagues on your work to help bring this to the
American people.
Thank you.
Ms. Tavenner. Thank you.
Chairman Issa. Thank you.
The gentlelady from California, Ms. Speier.
Ms. Speier. Mr. Chairman, thank you.
And thank you to our witnesses.
First of all, I'd like to congratulate you. You have lived
through the real-life ``Survivor'' show and have succeeded.
I find the fact that we have engaged in the most thorough,
repetitive review of the implementation of the ACA as an
incredible waste of your time.
Now, there is a lot of good news, as my good colleague from
New York has just underscored. And it is really quite
interesting to me that, for the longest time, there were all
those who were panning the Affordable Care Act, saying, we'll
never get the numbers. And then, lo and behold--and you
announced it earlier, Ms. Tavenner, I believe--over 7.3 million
subscribers. Correct?
Ms. Tavenner. Correct.
Ms. Speier. And then the hue and cry was, well, they won't
pay for it; they'll pay 1 month, and then they won't pay any
longer, and it will fall on its face.
That hasn't been the case either, has it?
Ms. Tavenner. No, ma'am.
Ms. Speier. OK.
So the chairman of the committee and a number of
Republicans just sent you a letter, and I want to read it out
loud, one segment of it.
``In order to enroll beneficiaries in the exchange,
HealthCare.gov collects, obtains, and retains massive amounts
of personally identifiable information about millions of
Americans. This information includes Social Security numbers,
personal addresses, income and employment records, and tax
return records. It is extremely important that CMS and the
other Federal agencies involved in the exchanges properly
protect and maintain this sensitive information.''
Now, I actually agree with that statement, and I presume
you agree with that statement.
Ms. Tavenner. Yes, I do.
Ms. Speier. And having agreed with that statement, have
you, to date, had any cyber attacks that have resulted in
personally identifiable information being stolen?
Ms. Tavenner. We have not had any malicious attacks on the
site that have resulted in personal identification being
stolen. As the chairman rightfully brought up earlier, we did
have some technical issues on the front end that we had that
were our own doing that we had to----
Ms. Speier. That's right. But we're in the present day, and
let's look to where we are and where we're going. OK.
Now, meanwhile, Target's security breach included 110
million Americans that were potentially affected. That's 110
million. You're certainly aware of that.
Ms. Tavenner. Yes, I am.
Ms. Speier. So my staff checked the U.S. Census Website,
and it says the total population of the United States is 319
million. So more than a third of Americans potentially had
their personally identifiable information breached, stolen, as
the result of that Target data breach. But, strangely, there
wasn't any interest by this committee to have a hearing on
that, affecting potentially a third of the American people.
Let's see, 110 million people affected and no hearing; zero
people affected, and we've had dozens of hearings. It seems
like our priorities are not quite on what the American people
would be interested in.
Now, we do know, as a result of Target, that the hacking
came from outside this country. It appears it came from Russia
or from some region near there. And rather than trying to find
out where these hackers are coming from and how we can
forestall them, we're going to waste more of your time asking
you a number of questions about issues that haven't even
impacted.
Now, some would say, well, except that's a private
business. Well, how about USIS? USIS has a contract with the
Federal Government. It does security checks. And 27,000 people
have had their personal information stolen from USIS, a Federal
contractor. And have we had a hearing on that? Nope. It appears
that's not important either.
So I want to just commend you all for recognizing that you
have to do this no matter what, come to these committee
hearings. You do it with great respect, and we appreciate that.
I hope we can send you back to do work that the American people
would like you to do.
And I yield back.
Chairman Issa. We now recognize the gentleman from Maryland
for 5 minutes.
Mr. Cummings. I want to thank all of you for being here
today as we come to the end of this hearing.
I'd just--you may--Ms. Tavenner and others, you may never
hear the full thank-yous of people who are going to stay alive
because of what you and your colleagues have done. And I really
mean that. There are people--there's a mother who is now going
to be alive, that may have been suffering from cancer, breast
cancer, like a lady in my district, couldn't get treatment, but
she's alive. She got treatment.
I have a sister that does a lot in the area of breast
cancer, and they were waiting--they had women who had been
tested, and they were waiting for the Affordable Care Act to
pass and to come into effect so they could get treatment. I
have come to you today and to your colleagues to thank you.
I tell the story that, when the Affordable Care Act came
up, I had one prayer. I came to the floor early. I sat on the
front row, and I had one prayer. I said, ``God, do not let me
die before I vote for it.'' And the reason why I said that is
because I've seen so many people who were sick and could not
get well.
You know, Johns Hopkins is smack-dab in the middle of my
district--a great hospital, one of the greatest in the world.
People fly from all over the world to come to Johns Hopkins.
And there are people standing on the outside, could not get in,
but the treatment was in there.
And so, you know, I know your colleagues are looking on,
and I just don't want--I know they have been through a lot.
And I remember when we had the Website problem, and many
were saying, oh, we can never get through this, oh, you know,
this is just so horrible. And everybody was warning that
everything would collapse. But you know what I said? This is a
can-do nation. This is a can-do nation. And we need to
definitely do when it comes to the health of every single
American.
And I listened to what you said a moment ago about how, day
after day, you worry about making sure that people's
information is protected. We could not pay you enough or pay
your colleagues enough to go through what they have been
through and to worry as you have worried and to do everything
in your power to be protective of the American people. And,
yes, you're going to be criticized. Yes, folks are going to try
to say all kinds of things about you. But I have come here at
this moment to simply say thank you. Thank you for my
constituents. Thank you for constituents--our constituents all
over this country.
And, you know, sometimes I think about illness, and a lot
of people--I wonder if people have not been ill themselves when
they see other people in the position of getting sick or sicker
and dying. I wonder whether or not they have ever been ill. And
that troubles me because--I think President Obama said it best,
and I wish I had coined this phrase myself. He said, sometimes
we have an empathy deficit--an empathy deficit.
And so I take just a moment to thank you and just have just
a few questions.
I'd like to ask you about the attack by the hackers last
summer against HealthCare.gov. It is my understanding that this
attack was not limited to HealthCare.gov alone but included a
broader universe of targets. Is that right?
Ms. Barron-DiCamillo. So based upon the analysis that our
team did, it was a typical kind of malware that's dropped for
denial-of-service attacks. So, basically, they were trying to
create a node and a botnet to use for denial-of-service
attacks. So, yes, they look at resource servers like this to
use them for those types of attacks.
Mr. Cummings. And the hackers were able to place malware on
a server, but it was a test server that did not have any
personal information. Is that correct?
Ms. Barron-DiCamillo. Based upon the analysis that our team
did, it was a test server that was deployed with its out-of-
the-box configuration, meaning that the password--the default
password hadn't been updated.
Mr. Cummings. I just have two more questions.
As I understand it, the type of malware at issue is called
denial-of-service----
Ms. Barron-DiCamillo. Uh-huh.
Mr. Cummings [continuing]. Malware, which is designed to
slow down or even shut down the system but not extract
information. Is that right?
Ms. Barron-DiCamillo. Correct. The malware is to use the
resource of the server as part of this botnet. And so it wasn't
targeting the server; it was using the resource of a server as
part of the botnet for another victim.
Mr. Cummings. And so how common are these kinds of denial-
of-service malware attacks?
Ms. Barron-DiCamillo. I'm sorry?
Mr. Cummings. How common are they?
Ms. Barron-DiCamillo. They're very frequent. They happen
every day across the globe on the Internet.
Mr. Cummings. So the bottom line is, at least as of now, no
personal information was transmitted outside the agency. Is
that right?
Ms. Barron-DiCamillo. Correct. The breach was discovered by
CMS. It was alerted to us. We looked at the images that were
provided. There was no exfiltration of data. There was no loss
of PII due to the segmentation of the network. This is a test
network separate from the production network. So there was no
lateral movement into the production network associated with
this activity.
Mr. Cummings. All right. Thank you.
Ms. Barron-DiCamillo. Thank you.
Chairman Issa. Well, I guess--I've still got more
questions, but let me just make some statements, and then I'll
ask a couple more questions.
You know, Ms. Speier has left, and it's unfortunate because
Mr. Lynch was here earlier, and when this was all being said
about when are we going to hold all kinds of hearings, they
forgot to mention that there's a committee that Mr. Lynch
belongs to, the Financial Services Committee, and they've held
hearings because they oversee the financial community, meaning
Home Depot, Target, these other companies they're referring to.
Those fall under that committee's primary oversight because
these were financial-transaction-related.
My staff also mentions that the Federal Trade Commission,
the Department of Justice, the CFPB, and the FDIC also are
looking into each and every one of those.
So, with tens of millions of dollars, countless agencies
and individuals looking at each of these, the question is, Ms.
Tavenner, who's been looking at you?
Mr. Wilshusen, in a nutshell, one of the things that you
said at the beginning was they didn't have strong passwords, so
somebody could put in a short password and not change it. Is
that correct?
Mr. Wilshusen. That's correct. We identified several
technical security control weaknesses with HealthCare.gov and
its supporting systems.
Chairman Issa. So somebody who didn't change the password
created a huge vulnerability, particularly if they had a high
level of access. Is that right?
Mr. Wilshusen. If they used a weak password that could be
easily guessed, that would be an increased risk.
Chairman Issa. So ``Marilyn'' and her birth date, if that
were used, would have been easy to guess, certainly would have
been tried.
Did they have advanced lockout systems in detection and
reporting?
Mr. Wilshusen. One of the things--I don't want to get too
detailed into the types of security controls so we don't give
any information----
Chairman Issa. Yes, we don't want to tell how weak it still
is. I understand that, so I'll be a little bit careful on that.
But there are techniques that, if they were in place, would
have been much more secure.
Mr. Wilshusen. Sure. And the weaknesses that we identify
are all--can be corrected and resolved almost immediately.
Chairman Issa. So what you found a year into this site was
they were not using best practices.
Mr. Wilshusen. We identified several weaknesses that
increased risk and unnecessarily increased preventable risk.
Chairman Issa. We pay a huge premium for CIOs, Senior
Executive Service. We, the Congress, have authorized special
high pay, a quarter of a million dollars and more, to get
certain people with special expertise. And we've had some of
them before this committee.
You're telling us, a year into this site, they simply have
not put in what people would consider best practices in some
cases, such as a requirement for a strong password and periodic
changing of them and a lack of redundancy on passwords--common
things that protect sites, right?
Mr. Wilshusen. Yes, those things should be done. Yes.
Chairman Issa. You know, what's amazing is Target and Home
Depot had those kinds of protections, but there was a malicious
attack from a foreign nation with advanced tools, some of those
tools being exactly the tools that our CIA and NSA use to go
after the worst of the worst, and we succeed all the time.
So what I'm finding here today is that everyone wants to
talk about organizations that employed, in many cases, best
practices, that did their best, and then were targeted by very
advanced networks, criminal networks, networks that may even
have had the KGB's successor helping them hack. And they want
to talk about those rather than a lack of commonsense, simple
practices to secure a Website. Isn't that true?
Mr. Wilshusen. I would say that probably the majority of
Federal incidents that occur within the Federal Government
could be resolved, perhaps prevented, if agencies would
practice strong cybersecurity. There's always going to be a risk
that you come across an entity, a foreign intelligence service
that has very sophisticated techniques that may be difficult to
protect against, at least to prevent. But, by and large, many
security incidents could be corrected and prevented if the
agencies practiced strong security controls.
Chairman Issa. Now, even without seeing the 13 compromises
that occurred, you were able to make, and CMS accepted, a lot
of suggestions that are improving the site here today.
Mr. Wilshusen. Yes. We've looked at the security controls
over those devices that we looked at and identified
vulnerabilities that could be corrected. And CMS concurred with
each of the 22 technical recommendations that we're making.
Chairman Issa. So all of the talk about this robust team,
all of those experts brought in from Silicon Valley, special
people that worked on the President's reelection, all those
people had missed those 22 points.
Mr. Wilshusen. That I can't answer in terms of----
Chairman Issa. Well--but when you suggested these, did they
say, oh, we were already doing them, we just forgot? Or did
they say, we weren't doing them and now we will?
Mr. Wilshusen. I would just say that we identified them
during the course of our review, and they've accepted our
findings and indicated that they will implement our
recommendations.
Chairman Issa. You're very kind.
Ms. Tavenner----
Mr. Meadows. Would the gentleman yield for just one quick
point?
Chairman Issa. Of course.
Mr. Meadows. A lot has been talked about in terms of the
different sites and Home Depot and Target. And I was one of
those that shopped at Target, and I have a new credit card
today.
There are two distinct differences. One is I'm not
compelled by law to shop at Target. I am compelled by law to
sign up for Obamacare. There's a huge difference.
Mr. Chairman, what happens is that those are voluntary
transactions, of which I don't have to give my Social Security
number to them. I give them a credit card, and I do a
transaction. It's very different for HealthCare.gov.
I thank the gentleman.
Chairman Issa. That's very true. I thank the gentleman.
We now go to the gentlelady from New Mexico, who has
arrived, for a round of questioning.
Ms. Lujan Grisham. Mr. Chairman, thank you very much for
recognizing me.
And I want to thank the panel here today.
And I share many of my colleagues' concerns that we should
be doing the very best to protect information. And, certainly,
we've led in the private-sector world, with HIPAA and related
requirements, on security protections and working diligently
and tirelessly to make sure that patient protection, patient
privacy, and now financial information must be protected.
And I think that the point is important that every person
must sign up and be insured through the Affordable Care Act.
And I want to just read this because I think it bears--in the
context of this hearing, I think it bears repeating.
So GAO, in the March 2013 report, found that the
Federal Government continues to face cybersecurity challenges,
including designing and implementing risk-based cybersecurity
programs at Federal agencies, establishing and identifying
standards for critical infrastructures, and detecting and
responding to and mitigating cyber incidents.
And, since that report, we've got 28 GAO additional
recommendations that I know that we've been talking about today
in this hearing.
In fact, GAO has designated Federal information security as
a high-risk area in the Federal Government since 1997. And I
think that there isn't anyone in this committee or anyone in
Congress or the public that doesn't think that more should be
done and that, in fact, that we embrace every potential
positive, productive, professional recommendation moving
forward.
And so, given that, Ms. Tavenner, knowing that the upcoming
November open enrollment period is coming for millions of
Americans who will be shopping on the exchanges, how prepared
are you to take these 28 recommendations and others to assure
protection?
Ms. Tavenner. Yes, ma'am. Let me start with the 22
technical recommendations. Nineteen of those have been
resolved, fully mitigated, or will be further reviewed prior to
open enrollment. So those will be handled. Of the six other
recommendations, we are in the process of either completing--
have completed those or will complete those prior to open
enrollment.
Ms. Lujan Grisham. And based on the 19 that you have
identified, Ms. Tavenner, and the remaining measures to
implement, you are confident that not only are they implemented
but they're tested and will have, to the greatest degree--I
mean, I might disagree with some of my colleagues, that we can
do everything in our power, and those hostile, those negative,
those who intend us harm and intend to access that information
for their own gain will find ways to do that. I want to make
sure that we are doing everything that we know that mitigates
and prevents and gives us the opportunity to also detect when
there has been a problem.
You're confident that these will be tested and in place by
the open enrollment period?
Ms. Tavenner. I am confident. But we will never quit
continuing to try to improve the process. Our work with the
Department of Homeland Security, our work with GAO, OIG will
always be looking for improvements.
Ms. Lujan Grisham. I appreciate that. And given that we
know we are working on another issue in my State, I appreciate
your attention to that and your coming.
Mr. Chairman, we're working a behavioral health issue. For
me, it all ties to making sure that consumers have confidence
that they're protected in a way that CMS is responsible to
protect those citizens, that they are clear that your
responsibility and oversight is paramount to the work that you
do, and that the access to health care is only as good as
making sure that the information and the protections that are
required by law are, in fact, in place and that they can go to
CMS when there is a problem and have that resolved objectively
and appropriately.
And I really appreciate your attention to all those
matters.
Ms. Tavenner. Thank you.
Mr. Cummings. Would the gentlelady yield?
Ms. Lujan Grisham. I yield.
Mr. Cummings. Ms. Tavenner, I just want to make sure that I
understood what you just said, that--and I agree with every
word that my colleague just said. But you're saying that there
are six recommendations left. Is that right?
Ms. Tavenner. There were six major--and please correct me,
Greg, if I get any of these wrong--there were six major
recommendations. And we're in the process of completing those,
and some of them are done. And the answer to those is all of
them would be done prior to open enrollment.
Mr. Cummings. And open enrollment starts when?
Ms. Tavenner. November 15th.
Mr. Cummings. So we can--can this committee--would you let
us know officially when they are done?
Ms. Tavenner. Yes, sir. I think----
Mr. Cummings. To the chairman and myself? I'd really
appreciate that.
Ms. Tavenner. Yes, sir.
Chairman Issa. If the gentlelady would further yield?
The earlier report we had is you didn't agree to all six,
but you agreed to three out of the six. You now will agree and
complete all six?
Ms. Tavenner. So I think in some of them we partially
concurred, but we're getting the work done, whether we totally
agreed or not.
I think there were some things--for instance, there was a
different description of how we did security testing versus
what GAO wanted. That wasn't an action we would change, but we
understand where they're coming from. We just have a different
way of getting the security testing done.
The rest of these, things such as the privacy impact
Statement, we will have that done. That was a documentation
issue. The computer matching agreements with Peace Corps and
OPM, we agreed with that, and we'll get that in place prior to
open enrollment. Also a security agreement governing Equifax,
we agreed with that; we'll complete that.
Of the 22 technical recommendations, 19 we have already
done, the others we're reviewing. And I'll be happy to do
something in writing back to the chairman and to the ranking
member.
Chairman Issa. I think we both would appreciate it.
Ms. Tavenner. All right.
Chairman Issa. The gentleman from North Carolina?
Mr. Meadows. I wanted to followup on one thing, Ms.
Tavenner. And, really, as we start to focus on some of these
other issues, it takes our eyes off of the core issue, and
that's what the ranking member was talking about, is providing
health care really to the American public. And that is your
primary responsibility. I can tell that you take that
seriously.
It is a distraction, to say the least, when we have a
billion dollars spent on a Website that doesn't work, security
issues that are there. But along that same time, there was a
rule that came out with regards to Medicare Part D in January,
a rule that really would limit some of the options of our
seniors, a rule that you came, much to your credit, and said we
are not going to do. And I want to say thank you for doing that
on behalf of millions of senior citizens who would have seen
choices limited.
Do I have your assurances here today that we are not going
to put forth a rule that is similar in nature to that rule that
was brought back? I very rarely have an opportunity to have you
in a public forum under oath. And so, on behalf of millions of
Americans, do I have your assurances that we are not going to
do it?
I think you made a good decision. My mom, who is a senior
citizen, thinks that you made a good decision. So do I have
your assurances that we will not see a similar rule?
Ms. Tavenner. I am not interested in bringing back the
pieces that we pulled.
Mr. Meadows. OK. That is a good almost answer. So do you
have your----
Ms. Tavenner. Well----
Mr. Meadows [continuing]. Assurances, yes or no?
Ms. Tavenner. You have my assurances that I won't bring
back the things I just pulled. How about that? I don't have the
whole----
Mr. Meadows. Or something similar.
Ms. Tavenner. Or something----
Mr. Meadows. Let me tell you the reason why. And it gets
back to--CBO indicates that much of the reason it is working so
well is the competitive nature that we have. I mean, that is
what the study says. And yet we are going to limit competition.
We are going to limit options for our seniors--some cancer,
some antidepressants, some antiepileptic. These are serious
things.
And so you and I can banter back and forth, but really what
I need is, on behalf of the American people, your assurances
here today that that is not going to happen.
Ms. Tavenner. Now you are bringing in specifics. I am not
interested in bringing back the drug categories, if that's the
question. I am not interested in bringing that back.
I am interested in promoting competition, promoting private
market. And I think we have tried to do that with the
marketplace rules, as well. So we would continue to work----
Mr. Meadows. So we are not going to limit competition, and
we are not going to narrow what people can get.
Ms. Tavenner. That would be my preference, yes, sir.
Mr. Meadows. That's your assurance?
Ms. Tavenner. That's my assurance.
Mr. Meadows. All right. Thank you.
I yield back.
Chairman Issa. Could you yield to me?
Mr. Meadows. Sure. I would be glad to.
Chairman Issa. Briefly, item four from the GAO says,
``Perform a comprehensive security assessment of the FFM,
including the infrastructure platform and deployed software
elements.''
Now, initially, that was one you said ``no'' to. Are you
saying you will perform that full system-wise test and have it
done by November 15th? Because that's sort of the one that GAO
couldn't--we can't know what we don't know until you do that.
Is that right?
Ms. Tavenner. I think we get into a discussion of style
here. It is our intention--and we will complete a full, end-to-
end assessment, security assessment, prior to open enrollment,
yes, sir. That is scheduled for later this month or October.
I think where we got into a different conversation had to
do with infrastructure and platform in our definitions, but I
think our intentions are the same.
Chairman Issa. Why don't we let--Greg, if you would give us
the rest of that.
Mr. Wilshusen. Right. As long as the tests that they
perform include how the applications interface with the
operating platforms--and the infrastructure to look at it in
totality is going to be critical. Because certain
vulnerabilities on levels or layers of the security could
affect the security of the other components of it because there
are a number of components involved with this Website and its
supporting systems and a number of different entities involved
with their operation----
Chairman Issa. And so, for the layperson out there, would
it be fair to say that, for example, when software opens a
portal on a particular piece of equipment that that can create
a vulnerability in one type of hardware that it wouldn't in
another, that that's the kind of thing--that they have to look
at the actual hardware they are using, what it interfaces with
and so on. Isn't that right?
Mr. Wilshusen. To include looking at the firewalls and the
routers and switches that support it, as well as the operating
systems and how they're being configured, yes, sir.
Chairman Issa. And, I presume, any remote access devices,
any VPNs, any of that, would be part of it. Because all it
takes, if I understand right, is one PC that has a VPN
connection that isn't in the software, but once you put it in,
it can create a separate vulnerability, right? And that's what
you're looking for.
So if I saw the heads nod--and I like that--the two of you
are going to--one of you is going to come back to the ranking
member and myself if this agreement that you're going to do
that by November 15th doesn't happen. Is that right? Maybe both
of you.
Mr. Wilshusen. I would be willing to work with your staff
to do some follow-on----
Chairman Issa. I think that's all that Mr. Cummings and I
would like to know, is that since you're shaking your heads and
smiling now, that if that stops between now and November 15th,
one of you will tell us.
Mr. Wilshusen. Yes, sir.
Chairman Issa. Mr. Cummings?
Mr. Cummings. I mean, I'm going to encourage you to do
that. Just do it, please.
Ms. Tavenner. We will do that.
Mr. Cummings. And I'm not trying to be smart. I mean, Ms.
Tavenner, I know that--and all of you--I know you're trying to
do what is in the best interests of the American people. I
understand that. But it seems as if what we want is the highest
level of best practice.
Am I right, Mr. Chairman? The highest level.
Chairman Issa. Absolutely.
Mr. Cummings. And, Ms. Tavenner, I couldn't help but--when
I was thanking you on behalf of my constituents, I could see a
tear come up in your eye. And, you know, so often I think
Federal employees--a lot of people don't realize that a lot of
our employees, most of them, are not in government for the
money. They're in it--and I have people coming trying to work
for our committee all the time who are willing to take
reduction of salaries from the private sector because there's
something about this that feeds their souls, something about
lifting up the public and making their lives better.
And so, to all of you and to all of the Federal employees
who may be listening out and the ones behind you, Ms. Tavenner,
and all the ones that may be in the audience and up here, I
just want to thank you very much.
Thank you.
Chairman Issa. Thank you.
And I understand the gentlelady from New Mexico--did you
have any followup questions, Ms. Grisham?
Ms. Lujan Grisham. Mr. Chairman, I don't. I was thanking
you. And I appreciate both the leadership of the chairman and
the ranking member to assure that we get feedback. And they
represented very effectively all of my concerns and points. So
thank you very much for your leadership.
Chairman Issa. Thank you.
I've got a couple very quick wrap-ups that came out of
these. And big smile because we're nearing the end.
There was a question about more people being insured. And I
just have to ask, is Medicaid insurance?
Ms. Tavenner. In my opinion, Medicaid is insurance for
sure.
Chairman Issa. So----
Ms. Tavenner. But that was not part of what I was----
Chairman Issa. But the actual level of insurance under
Medicaid that was talked about, it's Medicaid insurance. That's
what's lowering the number of uninsured, is Medicaid.
Ms. Tavenner. Plus the marketplace. Both are lowering that
number.
Chairman Issa. Which is then subsidies, primarily.
Ms. Tavenner. So----
Chairman Issa. The actual number of people who are
receiving unsubsidized health care has gone down. Is that
right?
Ms. Tavenner. You know--and I don't have all the reports
in front of me, but, actually, the number of people insured off
the exchange without subsidy is also rising. I don't have the
latest private insurance. Private insurance had a negative
trend that had been going on for the last 10 years. That seems
to have kind of stabilized out. If you add Medicaid and you add
the marketplace exchange with or without subsidy, I think
that's what you're seeing----
Chairman Issa. Sure.
Well, the reason is that--those questions led to this, sort
of, feeling that everything was better, but isn't it true that
the Medicare trustee Charles Blahous--or ``Blahous''--he
projected that by 2021 the impact of the Affordable Care Act
will be a $346-billion to $527-billion increase in the deficit,
essentially because the government is going to pay that 190
percent for Medicaid, the government is going to provide those
subsidies. And the government is, in fact, the taxpayer. So the
deficit will rise based on the money that buys that insurance.
Is that true?
Ms. Tavenner. I am not familiar with that report.
Chairman Issa. OK. But the government is--general tax
revenues are, in fact, paying for these subsidies and for
Medicaid. It doesn't come out of a trust fund. Medicaid is
ordinary income tax. Is that correct?
Ms. Tavenner. I'm sure that you know that, Mr. Chairman. I
don't----
Chairman Issa. For the record, Medicaid is paid out of
income tax, and much of Medicare is paid out of income tax. The
trust fund, when we talk about it, pays only a small part of
what our seniors reflect.
Now I have really the final question, and it's one that
deeply concerns me. And it wasn't the main topic today, but
it's right in your lane.
On May 15th, you projected 8 million as an enrollment
number. August, it's now 7.3 million. What happened to that
700,000 to 800,000 people? Why was there such a precipitous
drop?
Ms. Tavenner. So the 8 million individuals--and I think
that number was after the end of open enrollment--had signed
up. And I think, during the course of the next several months,
individuals may have either gotten employer-sponsored
insurance, they may have found out they were eligible for
Medicaid instead of the marketplace, and some individuals may
have decided not to go forward and pay.
I think there was always----
Chairman Issa. Well, that's a great question. And the
reason I asked that question is, you know, people were
asserting that signing up meant nothing and paying meant
everything.
How much of that 700,000-plus drop were people who did not
pay? Or do you know?
Ms. Tavenner. I don't know that information.
Chairman Issa. Wouldn't it be all of those people did not
pay?
Ms. Tavenner. I don't think we'll know that till the end of
the year. And then we will probably----
Chairman Issa. Well, let me ask the question a different
way. Because, you know, I am an old businessman. People signed
up; they were, therefore, insured. Is that correct? They
enrolled; they were insured.
Ms. Tavenner. These were people who signed up for a plan.
But, in order to get insured, you had to make a payment.
Chairman Issa. Well, no. They were insured right away, and
then, if they didn't make the payment, they went off.
Ms. Tavenner. Within 90 days, right.
Chairman Issa. So they basically got a free ride; 700,000
people got a free ride. They had coverage, and if something
catastrophic happened, they could make a payment. And if
something catastrophic didn't happen, they could just let it
drop.
Ms. Tavenner. I don't think we know that information.
Chairman Issa. Oh, no, this is a structural question that I
know you must know or the technical people behind you must
know.
If 8 million people sign up--let's just say 8 million
people sign up, and not the 700,000 who dropped, but let's just
say 50 people out of 8 million had a health event, and they
weren't going to pay, they just signed up on a lark because
it's a free ride to sign up, but then they had a health event,
did they get to go to the doctor during that 90 days because
they had signed up and hadn't yet paid?
Ms. Tavenner. Yes.
Chairman Issa. So the system as it is today is an
incredibly easily gamed system, if I understand correctly.
Three hundred and 16 million Americans could all sign up and
get 90 days worth of free insurance, and if nothing happens,
there's no downside to their just letting it lapse by not
making a payment. Is that right?
You don't dun them. You don't go after them. You don't
followup. You don't sue them for the coverage they had but
never paid for, do you?
Ms. Tavenner. Which, I think, is why it's important to know
that, as of August, 7.3 million were making their payments and
were still continuing the insurance----
Chairman Issa. So 7.3 million people may have made small
payments because they were highly subsidized or larger payments
because they weren't. Are you prepared to release those figures
anytime soon so we understand, of the 7.3 million, how many of
them, if any--well, there would be some--were completely
unsubsidized, how many were partially subsidized, how many were
substantially subsidized?
Ms. Tavenner. Yes, we will have that information. And as
soon as we have it, we will release it. But, yes, we will be
able to talk about numbers.
Chairman Issa. Estimate of when?
Ms. Tavenner. I don't have an estimate, but I'm happy to
get that for you.
Chairman Issa. OK.
Being an old businessman, I must admit that giving people
90 days free and no retrospective look to find out whether, in
fact, they were maybe dual-insuring, maybe just signing up for
a lark, to me, means that your initial figures are of no value
and that people should be cynics and say we don't know how many
people have signed up.
But next year, starting November 15th, I'm presuming that
if GAO is going to estimate the signups, they are going to be
able to only use--that if you get 8 million again, they can
assume that 7.3 is the net number, right?
Ms. Tavenner. I think 7.3 is a really strong number. And I
would remind you that those individuals who sign up and get tax
credits still have a reconciliation process next April. Right?
Chairman Issa. Yes, we're looking forward to that part to
see if there's a clawback.
My parting question: This committee held a hearing on the
issue of over $15 billion owed to the American people by the
State of New York for excess payments in violation of the law,
in violation of CMS maximums. That falls under your watch. Have
you done anything to reclaim that $15 billion?
Ms. Tavenner. Yes, sir, we have. We initiated----
Chairman Issa. And have you gotten any of it back?
Ms. Tavenner. We recently initiated that. I don't think we
have gotten any of it back yet, but we sent the--basically the
request for recovery.
Chairman Issa. You've made a request for recovery.
Ms. Tavenner. We follow our normal process.
Chairman Issa. Do you have the authority to simply
withhold, the way you would to a private entity? You know, if
I'm a doctor and I overbill $15 billion or maybe some minor
amount less than that if I'm less hardworking, the first thing
you would do is you would cut off payments for services, right? You
simply wouldn't send them a penny.
You're sending millions or billions of dollars to New York
every month, aren't you?
Ms. Tavenner. So I can brief you or your team on this in
some detail. Initially, what we would do, whether it's a doctor
or an entity or whatever, is we ask them how they would like to
repay us. And we normally----
Chairman Issa. I wish that were true.
Ms. Tavenner. I think that----
Chairman Issa. I've had too many healthcare entities who
make it very clear, your people come in, you make a
determination, the moment you make a determination they
basically have to quit their practices and go into an appeal
process, and in the meantime they're not receiving a penny, and
you claw back.
So do you want to state that in a way that the private-
sector people don't call me up and say, how did you let her say
that you give people lots of time and ask them how they'd like
to repay it?
Ms. Tavenner. Well, and I think you know I was on that
private-sector side for quite a period of time. And so if there
is a question of overpayment, yes, CMS will make you aware of
an overpayment situation----
Chairman Issa. And then claw back real fast.
Ms. Tavenner. Unless you want to pay them up front, in
which case----
Chairman Issa. If you're able to write a $15-billion check,
they won't deduct from the revenue.
Ms. Tavenner. Right.
Chairman Issa. Is New York prepared to give you a $15-
billion check?
Ms. Tavenner. I can't speak for New York.
Chairman Issa. But right now New York and perhaps others
owe the American people money from excess payments, and they're
not being treated the way private sector is being treated.
They're being treated a little bit with kid gloves. Fifteen
billion is a lot of money.
Ms. Tavenner. Actually, we went through the first year, and
we made a request or demand for the money. And I'm happy to
brief your staff on that.
Mr. Meadows. Will the gentleman yield?
Chairman Issa. Of course.
Mr. Meadows. You have hit on an area that we have had a
number of hearings already with regards to RAC audits. And I
would implore you to treat New York the same way you're
treating the constituents in my home State of North Carolina.
Because very quickly what you do is you put private companies
out of business because you deny the claim and you say, you
either pay up or you go home.
And if you're not going to treat New York the same way you
treat North Carolina, I've got a real issue with it, Ms.
Tavenner.
Ms. Tavenner. So we would treat New York the same way we
treat every other State. And----
Mr. Meadows. Well, no, I'm talking about government versus
private.
Ms. Tavenner. We would treat----
Mr. Meadows. Because I'm talking about private companies.
Ms. Tavenner. I'm sorry. We would treat New York the same
way we would treat anyone who owes us funds.
Now, New York--I just got this information from my staff--
has appealed this decision, which is the same option that
anyone has.
Mr. Meadows. Right. And a private company, when they
appeal, the answer is the same: Pay up in 5 years or go out of
business.
Ms. Tavenner. I understand.
Mr. Meadows. I mean, the statute says 60 months. I know it
very well.
Ms. Tavenner. I know. We have treated States the same way
we treat providers.
Mr. Meadows. All right. So they are going to have to pay up
within 60 months, New York?
Ms. Tavenner. I'm happy to get you information. I just
don't have it in front of me. But we treat----
Mr. Meadows. All right.
I yield back. Thank you, Mr. Chairman.
Chairman Issa. I thank you both.
And we'll go to the ranking member.
And I appreciate your staff's assistance. Because although
it's an issue that you know is never going away before this
committee, it wasn't the main subject for today.
Mr. Cummings?
Mr. Cummings. I want to go back to the 7.3 million people
who paid their premiums and, I guess, around 700,000 who did
not. There are all kinds of reasons, I guess, why people may
not pay their premiums, and a lot of people in our society are
still struggling with all kinds of things.
You talked about a reconciliation process. Can you talk
about that for a moment?
Ms. Tavenner. The way that it works is individuals--the 90-
day grace period is set up to give individuals an opportunity
to pay. At the same time, they start to receive tax credits.
These tax credits are reconciled the next year on their income
tax returns. If people have underpaid on their APTC, then they
are likely to get a tax credit back. If they have overpaid,
meaning if they've received a higher APTC than intended based
on their income, they may owe the Federal Government back. And
that's part of the partnership we have with IRS.
I don't think that the 700,000 is--in fact, I was very
pleased to know that we have payment levels of 90 percent. This
is a brand-new program. This has never been done before. I
think by the end of 2014 and as we start to look back on 2014
we'll understand the circumstances. I expect, in some cases,
they may have moved. They may have gotten married. They may
have gotten insured. They may have lost their income and gone
on Medicaid or into the uninsured ranks. We will only know that
as we do a lookback. And we're careful not to look back too
early.
Mr. Cummings. And these are not necessarily people trying
to game the system.
Ms. Tavenner. No, sir.
Mr. Cummings. I mean, I see folks every day that they're
still being informed as to what the Affordable Care Act is all
about----
Ms. Tavenner. Right.
Mr. Cummings [continuing]. And trying to make it--one
singer says, ``Working 9 to 5 just to stay alive.''
Ms. Tavenner. That's right.
Mr. Cummings. But in my district sometimes they're working
two jobs just to stay alive. And so they're struggling trying
to manage all this information, trying to do the best they can
to take care of their families, and many of them going through
some very difficult circumstances.
Ms. Tavenner. That's right.
Mr. Cummings. All right. Thank you very much.
Ms. Tavenner. Thank you.
Chairman Issa. The gentleman from Virginia, normally the
first to arrive. We've just finished round three and the close.
Would the gentleman have some questions?
Mr. Connolly. I thank the chairman.
Chairman Issa. The gentleman is recognized.
Mr. Connolly. I was on the House Foreign Affairs Committee
with the Secretary of State. Forgive me for being late.
Chairman Issa. Well, I'm sure the questions there were
provocative, so----
Mr. Connolly. Yes.
Welcome, to the panel.
Mr. Wilshusen, would it be unreasonable of us to suggest
that no company, no government, no individual should feel
entirely secure and safe in the digital age?
Mr. Wilshusen. I would say if you're referring to use of
online transactions on the Internet and the like, that there
are certainly risks associated with that, just given the
weakness in the nature of the Internet as well as the
competency and prevalence of hackers who might wish to exploit
those weaknesses.
Mr. Connolly. The issue of securing public and private
information systems, I assume, is not something unique to the
Affordable Care Act implementation.
Mr. Wilshusen. No. It's an issue for any computer system
operated by any agency, any organization. There is always a
need to protect that information. And, certainly, as we
mentioned earlier, you know, within the Federal Government, GAO
has been identifying Federal information security as a
governmentwide high-risk area since 1997.
Mr. Connolly. Right. Since 1997.
Mr. Wilshusen. Yes, sir.
Mr. Connolly. Two administrations ago.
Mr. Wilshusen. Probably.
Mr. Connolly. Right.
Ms. Tavenner, hello, and welcome to our committee----
Ms. Tavenner. Thank you, sir.
Mr. Connolly [continuing]. I think. It may not have been
entirely a felicitous beginning of this hearing, but I welcome
you. And thank you for your work.
But let me ask you a question. One of the things we hear
about the rollout of the Website in retrospect is that the
coordination of IT management is disparate, not always focused,
and perhaps was seen as a technical issue while, you know, CMS
and the Department of Health and Human Services were focused
on, sort of, the bigger picture and the reforms getting in
place and the pieces finally fitting into the mosaic, and maybe
this got short shrift. And it turned out to be the Achilles
heel. And the whole enterprise was at risk because of this
failure, which was a technology issue.
In looking back on it, what lessons did you learn as a
manager? And is there some validity to that critique, from your
point of view?
Ms. Tavenner. Yes, sir, I think there is some validity to
that critique. And some of the lessons learned and changes that
we've made early on in year 1 but definitely for year 2 is we
needed a systems integrator. We needed someone to help with the
coordination. We needed a clear point of accountability. We
needed better communication. And you're right; there was
probably more time spent on the nontechnical components, and we
didn't realize the technology was as difficult as it was.
So those were lessons learned. I think we've put changes in
place. We are very, very happy with the number who signed up.
We have--year 2 is going to be an equally hard year. It won't
be perfection; it will be greatly improved. And we're looking
forward to finding some more uninsured and helping folks get
coverage.
Mr. Connolly. Thank you. Thank you for that candid
response.
Final question, Mr. Wilshusen: Are you familiar with the
bill that the chairman and I have coauthored called FITAR, the
Federal Information Technology Acquisition and Reform Act? A
mouthful.
Mr. Wilshusen. A little bit, sir, but not completely.
Mr. Connolly. Well, that bill tries to get at how the
Federal Government manages IT procurement and acquisition. And
it addresses, inter alia, how the Federal Government is
managed. And I think it's based on the conclusion that it's not
well-managed and it's very inefficient and there are too many
people with the titles ``CIO.'' And what could go wrong with
that? The estimate is $20 billion of the $82 billion that we
spend on IT acquisition every year is at least inefficiently
used, sometimes downright, unfortunately, wasted.
Is it GAO's position that we do need some IT updates and
reforms to, kind of, update on Clinger-Cohen, which was almost
20 years ago? And in technology 20 years is light years.
Mr. Wilshusen. Well, sir, that's actually outside my
particular area. I focus on information security and privacy
issues. We have others that----
Mr. Connolly. But aren't----
Mr. Wilshusen. But I can get that answer to you.
Mr. Connolly. That would be fine. But isn't information
security related to how well we're managing our IT assets?
Mr. Wilshusen. Oh, certainly. And, certainly, there is need
for improvements in how IT is secured within the Federal
Government, and that's an implementation issue. And we're also
on record that FISMA, which is the Federal Information Security
Management Act that governs information security across the
government, could also be updated and modified.
Mr. Connolly. Well, again, I believe this committee and,
again, the chairman, ranking member, and I have been involved
in that, as well. But the House has certainly tried to address
that, and we've found bipartisan common ground on these issues.
I urge you to look at the bill and see how it applies to your
particular area.
Mr. Wilshusen. I will.
Mr. Connolly. I thank you.
And, Mr. Chairman, thank you for allowing a shameless plug
for our legislation one more time.
Chairman Issa. Well, in closing, it's not shameless, but
it's a good plug.
You know, I'll close--because, Ms. Tavenner, we'll probably
try to do everything without having you back, and I think we're
on the right track. This is a committee that does legislation
on a very bipartisan basis, in most cases, and it doesn't get
reported. And then we have oversight, and perhaps it's not as
bipartisan, and it often does get reported.
I do think today's hearing was worthwhile. I believe that,
hopefully, Mr. Cummings and I both expect that there will be a
little bit more certainty as to the security that will come out
of the Website.
CMS is critical to the American people. Your role has been
expanded, perhaps, more with the Affordable Care Act than any
item before.
And Mr. Cummings often talks about the Federal work force
and certainly about the good work that's being done. I want to
close by saying that just because we give you a hard time over
item after item, just because a number of Members asked about,
``What about these billions of dollars that were given to
States for their failed Websites?'', doesn't mean we think it's
easy. Just the opposite. We know it's hard. We want government
to oversee itself to the greatest extent possible. And it's the
reason that we do appreciate and support the GAO, we do
appreciate and support the inspectors general, and that we try
to be, if you will, their supporters in order to get the kinds
of certainty and, when necessary, reforms that are necessary.
So I want to thank you for being here today. I think this
was an informative hearing.
And, with that--Mr. Cummings gives me a ``yes''--we stand
adjourned.
[Whereupon, at 1:30 p.m., the committee was adjourned.]
APPENDIX
----------
Material Submitted for the Hearing Record
[GRAPHIC] [TIFF OMITTED]