Lawrence Miller, chief of health care reform. Photo by Morgan True
The state took Vermont Health Connect offline because it was unable to meet a federal checklist of security requirements, officials said Thursday.
Over the summer the federal government provided a timeline for reducing security risks, which expired 10 days ago, according to the commissioner of the Vermont Department of Information and Innovation.
State officials interviewed for this story would not say what federal security requirements had not been met.
In testimony to lawmakers on Thursday, Lawrence Miller, chief of Health Care Reform, said the state had an agreement with the Centers for Medicare and Medicaid Services on "mitigating risks."
Miller and Harry Chen, the secretary of the Agency of Human Services, decided to take down the website last weekend because the state was unable to meet a Sept. 8 federal deadline for security controls; the determination was not the result of a security breach or a specific threat.
“Rather than asking for more time, we decided to disconnect from the federal hub," Miller said.
The website was taken offline Monday evening and could could be unavailable for several weeks.
The public was not given advance notice for security reasons.
Miller said it was “certainly possibly” that CMS would have required that the state take the site down.
“I was never going to let us get into a position where that became a question,” he said.
Miller said he could not provide the public with more detail about the security checklist, nor did he provide a timeline from federal officials for resolving the security issues.
He instead referred to the following statement from Aaron Albright, a CMS spokesman. “Safeguarding the privacy and security of Americans’ personal information is a high priority for the (Obama) administration," Albright wrote. "We appreciate Vermont's decision and are continuing to work closely with the state to support its effort to strengthen the security and operations of its website as quickly as possible.”
Both Vermont and the federal government need to secure the connection between the state exchange and the federal data hub, Miller said.
“They have work to do, we have work to do,” he said.
Miller said remediation of the site’s usability did not create new security risks or vulnerabilities.
Sen. Kevin Mullin, R-Rutland, asked Miller where the “security folks” have been for the past year.
When pressed by reporters on the subject, Miller said, “We had CGI security folks, we have our own state security folks … it needs to be a high priority; it needed to be a higher priority than it was.
“I appreciate the perspective that Optum brings to this,” Miller said of the new firm hired to replace CGI. “We’re approaching it much more aggressively, I think would be the way to say it.”
CMS has had people on the ground in Vermont at various times throughout the project, Miller said. Federal security contractors are coming to Vermont this week.
CMS regularly reviews the security plans of state-based marketplaces and requires mitigation plans for any “security findings,” Albright said in an email.
As a result of “security findings” Vermont agreed to take steps to complete security improvements “necessary for a well-functioning and secure website” during the upcoming open enrollment period in November, Albirght said.
The Vermont Department of Innovation and Information is responsible for the security of Vermont Health Connect.
Richard Boes, Vermont’s chief information officer, said CMS sent a letter to Mark Larson on June 10 asking that Vermont “reduce security risks” within 90 days.
That window expired Sept. 8, a week before Miller said the state pulled down the site. Boes did not make the letter immediately available to the press because he said he needed to get permission from higher ups.
Monthly “security audits” began in January, Boes said, and at that time his department identified a laundry list of security concerns. That list has since shrunk, but there are still remaining items that need to be addressed. He declined to say what outstanding security issues remain.
CGI was expected to address those risks, but was not able to do so in an agreed upon timeframe, he said.
Boes and Miller say recent cyber attacks on consumer websites, such Home Depot and Target, have created a higher risk environment for Vermont Health Connect.
CGI has been paid $67 million out of an $84 million contract with the state of Vermont. The Vermont Attorney General's office is determining whether the state can recoup additional money, Miller said.
Boes maintains there is a difference between security risks and vulnerabilities.
An example of a risk would be not having sufficient checks and balances to approve internal access to the system. Vulnerabilities are specific deficiencies that could be exploited to gain unauthorized access to the system.
“What we’re talking about is security controls, all the security controls we want are not in place, which presents a risk, but that doesn’t translate directly to a vulnerability,” Boes said.
“I am not aware of any specific vulnerabilities at the current time, but that doesn’t mean there aren’t any,” he said.
Don't miss a thing. Sign up here to get VTDigger's weekly email on Vermont hospitals, health care trends, insurance and state health care policy.
