Cybersecurity

HHS goes to the wire testing health insurance exchange IT

doctor and laptop

Delays in security testing of a key system in the implementation of the 2010 health care law means that a final security authorization isn't due from the CIO of the Centers for Medicare and Medicare Services (CMS) until Sept. 30 -- one day before the health care exchanges are scheduled to go online.

At issue is the security of the Data Services Hub, the system that supports the exchange of information between state-based health care exchanges and federal agencies. The data of health insurance applicants and policyholders isn't stored on the Hub, but it passes through the system for agencies to verify eligibility for coverage, send information to insurers, and as a tool for the Internal Revenue Service to collect coverage information.

According to the inspector general of the Department of Health and Human Services, CMS has a short window to test the Hub and certify it with an authority to operate. In an Aug. 2 memorandum report, the IG notes, "If there are additional delays in completing the security authorization package, the CMS CIO  may not have a full assessment of  system risks and security controls needed for the security authorization decision by the initial opening enrollment period expected to begin on October 1, 2013."

Updates to the Hub security testing schedule made in May pushed back the security control assessment period from June to August, and established Sept. 30 as the new deadline for security authorization. The Interconnection Security Agreements required to connect federal computer systems are also under review, and are scheduled to be finalized by Sept. 3. Separate agreements are needed to connect the state computer systems to the federal Hub.

The report doesn't assess the quality of the security testing being done by CMS and contractors. The IG notes that the defects and vulnerabilities in the system are being detected by testing and corrected, but the details of the security plan hadn't been drawn up when the IG conducted its review. They are concerned about the short clock for the final independent testing of the Hub's security controls before an authority to operate is granted. If testing goes longer than expected, "the CMS CIO may have limited information on the security risks and controls when granting the security authorization of the Hub," the report concludes.

 "CMS has prioritized review of the audit reports and is confident the Hub will be operationally secure and will have an authority to operate prior to Oct. 1, 2013," CMS Administrator Marilyn Tavenner wrote in her comments on the IG report.

The HealthCare.gov site that serves as a point of entry to the exchanges has already gone online. People interested in receiving health coverage under the law can establish password-protected Health Insurance Marketplace Accounts in advance of the open enrollment date.

About the Author

Adam Mazmanian is a staff writer covering Congress, the FCC and other key agencies. Connect with him on Twitter: @thisismaz.

Featured

Reader comments

Thu, Sep 12, 2013

Let the nightmare begin.

Thu, Aug 8, 2013

The timing of the final security authorization makes those already skeptical of this program very suspisious that it was done somewhat purposefully. Keeping the bad news hidden until it is too late to stop this monstrousity is par for the course for those people pushing this encroachment on personal freedom and government abuse of power. It does not surprise me that they have no serious intention of providing adequate safeguards for citizens in their ever increasing appitite for control of other people's lives and money. Even if it is declared secure, many will be wondering if the assessment was adjusted in order to keep the program moving forward. With basically no time provided for secondary review of the final assessment before the system goes on line, it makes it easy to cover up any glaring deficiencies in both the security and the assessment.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above