Cummings Seeks Protocols to Safeguard Sensitive HealthCare.gov Documents
Washington, D.C. (Jan. 15, 2014)—Ahead of tomorrow’s hearing on the security of the HealthCare.gov website, Rep. Elijah E. Cummings, Ranking Member of the House Committee on Oversight and Government Reform, sent a letter today to Chairman Darrell Issa requesting that the Committee adopt a bipartisan protocol to safeguard sensitive information in documents subpoenaed by the Committee, establish procedures for the storage and handling of these sensitive documents, and inform Committee Members of the identities of outside individuals who have been provided access to this sensitive information.
The full letter is below:
January 15, 2014
The Honorable Darrell E. Issa
Committee on Oversight and Government Reform
U.S. House of Representatives
Washington, D.C. 20515
Dear Mr. Chairman:
On Thursday, the Committee is scheduled to hold its latest hearing on the security of the Healthcare.gov website. I am writing to raise concerns and propose Committee action on three requests so that Committee Members will be able to conduct this hearing in a responsible and bipartisan manner that does not jeopardize the security of the website or the personal information of American citizens.
Lack of Committee Protocol to Safeguard Sensitive Documents
On several occasions since November, I have written to you to request that we meet to discuss the adoption of a bipartisan protocol to safeguard sensitive documents obtained during this investigation and to develop a responsible approach to making information public that the Committee determines is important to its investigation.
My concerns are based on explicit and repeated warnings by the MITRE Corporation, which conducted security testing on the Healthcare.gov website. MITRE officials warned in four different letters to the Committee—on November 5, November 22, December 4, and December 13—that the documents it produced to the Committee include software code and other technical information that is highly sensitive and could give hackers a roadmap to compromise the security of the website and the personal information of consumers.
When MITRE produced these documents to the Committee in unredacted form on December 13, 2013, the company’s President and Chief Executive Officer warned:
In the wrong hands, this information could cause irreparable harm to the basic security architecture of HealthCare.gov and potentially to the security of other CMS data networks that share attributes of this architecture. The resulting potential for risk to the privacy of Americans’ personal information is the reason that MITRE remains concerned about disclosure of the previously redacted information.
Despite multiple requests and MITRE’s repeated warnings, you have not responded to any of my inquiries. As a result, Committee Members participating in Thursday’s hearing have no protocol in place to help them determine which documents may be used in open session and which documents should be protected to prevent against attacks by domestic hackers, foreign entities, and others seeking to harm our national interests. This lack of clear guidance creates an unnecessary risk of accidental or inadvertent disclosures that otherwise could be avoided.
I also remain concerned with the unilateral release by your office of partial transcripts and select document excerpts to promote partisan narratives that often turn out to be inaccurate, particularly when these releases are not part of any official report, correspondence, or other Committee action. Not only is this a disservice to the American people and the goals we share, but it undermines the credibility and integrity of the Committee.
One option for the Committee would be to consider adopting the document protocol approved by the Committee when Rep. Dan Burton was Chairman and Rep. Henry Waxman was Ranking Member. In 1998, after significant deliberation among the majority and minority, the Committee proceeded as I am proposing now and adopted a protocol for handling sensitive documents obtained during its investigation of the Clinton Administration’s campaign finance activities. Although I am open to additional suggestions, I see no reason you should have objections to the process adopted by former Chairman Burton.
Lack of Policy on Securing Sensitive Information in Committee’s Possession
Another concern is the security of documents in the custody of the Committee. Currently, the Committee has no procedure governing the storage and handling of these sensitive documents. As a result, there have been two separate occasions last week when sensitive documents were left unattended in unlocked rooms accessible by the public. Although I understand that your office believes these documents are not sensitive, one was produced to the Committee in encrypted, password-protected format, and both were marked as sensitive documents that require special handling.
To address this issue, the Committee could consider applying to these sensitive documents the same protections that are currently utilized by the House of Representatives to safeguard its own information. The Committee on House Administration has issued a Security Policy for the Protection of Sensitive Information that sets forth policies to “protect the confidentiality of sensitive information from disclosure to unauthorized individuals or groups.” These policies address the physical protection of sensitive information, the electronic protection of sensitive information, personnel precautions, and the disposal of sensitive information.
Lack of Information about Outside Individuals Given Access to Sensitive Information
A third concern relates to providing access to sensitive information to individuals outside the Committee. In December, you stated that you intended to “consult carefully with non-conflicted experts to ensure no information is released that could further jeopardize the website’s security.” Several days later, you wrote a letter to the Department of Health and Human Services indicating that you had already begun this process, stating that you would “continue” consulting with outside security experts.
Based on your statements, it is unclear who these outside experts are, who they work for, and who they may be affiliated with, raising concerns about what they may do with the information. If they do not work for the government or any of its contractors, it is unclear what contractual or other restrictions they are under not to disclose this sensitive information further. There have been multiple reports about organizations and individuals who are deliberately targeting the Healthcare.gov website for malicious purposes. The risk that this information could get into the wrong hands increases dramatically as more individuals gain access to it, particularly when these individuals are under no obligation to safeguard it.
To address these concerns, I request that you provide Committee Members with the identities of individuals who are not employed by the Committee who have been granted access to this sensitive information, as well as copies of any confidentiality agreements these individuals entered into in order to protect the sensitive information in these documents.
I believe our Committee acts with greatest authority and credibility when it proceeds in a bipartisan manner. For this reason, I hope you will join me in developing bipartisan protocols to help Committee Members conduct Thursday’s hearing and the broader investigation in a responsible manner. Thank you for your consideration of this request.
Elijah E. Cummings