Cybersecurity

HHS goes to the wire testing health insurance exchange IT

doctor and laptop

Delays in security testing of a key system in the implementation of the 2010 health care law means that a final security authorization isn't due from the CIO of the Centers for Medicare and Medicare Services (CMS) until Sept. 30 -- one day before the health care exchanges are scheduled to go online.

At issue is the security of the Data Services Hub, the system that supports the exchange of information between state-based health care exchanges and federal agencies. The data of health insurance applicants and policyholders isn't stored on the Hub, but it passes through the system for agencies to verify eligibility for coverage, send information to insurers, and as a tool for the Internal Revenue Service to collect coverage information.

According to the inspector general of the Department of Health and Human Services, CMS has a short window to test the Hub and certify it with an authority to operate. In an Aug. 2 memorandum report, the IG notes, "If there are additional delays in completing the security authorization package, the CMS CIO  may not have a full assessment of  system risks and security controls needed for the security authorization decision by the initial opening enrollment period expected to begin on October 1, 2013."

Updates to the Hub security testing schedule made in May pushed back the security control assessment period from June to August, and established Sept. 30 as the new deadline for security authorization. The Interconnection Security Agreements required to connect federal computer systems are also under review, and are scheduled to be finalized by Sept. 3. Separate agreements are needed to connect the state computer systems to the federal Hub.

The report doesn't assess the quality of the security testing being done by CMS and contractors. The IG notes that the defects and vulnerabilities in the system are being detected by testing and corrected, but the details of the security plan hadn't been drawn up when the IG conducted its review. They are concerned about the short clock for the final independent testing of the Hub's security controls before an authority to operate is granted. If testing goes longer than expected, "the CMS CIO may have limited information on the security risks and controls when granting the security authorization of the Hub," the report concludes.

 "CMS has prioritized review of the audit reports and is confident the Hub will be operationally secure and will have an authority to operate prior to Oct. 1, 2013," CMS Administrator Marilyn Tavenner wrote in her comments on the IG report.

The HealthCare.gov site that serves as a point of entry to the exchanges has already gone online. People interested in receiving health coverage under the law can establish password-protected Health Insurance Marketplace Accounts in advance of the open enrollment date.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.


Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.