Cybersecurity

HHS goes to the wire testing health insurance exchange IT

doctor and laptop

Delays in security testing of a key system in the implementation of the 2010 health care law means that a final security authorization isn't due from the CIO of the Centers for Medicare and Medicare Services (CMS) until Sept. 30 -- one day before the health care exchanges are scheduled to go online.

At issue is the security of the Data Services Hub, the system that supports the exchange of information between state-based health care exchanges and federal agencies. The data of health insurance applicants and policyholders isn't stored on the Hub, but it passes through the system for agencies to verify eligibility for coverage, send information to insurers, and as a tool for the Internal Revenue Service to collect coverage information.

According to the inspector general of the Department of Health and Human Services, CMS has a short window to test the Hub and certify it with an authority to operate. In an Aug. 2 memorandum report, the IG notes, "If there are additional delays in completing the security authorization package, the CMS CIO  may not have a full assessment of  system risks and security controls needed for the security authorization decision by the initial opening enrollment period expected to begin on October 1, 2013."

Updates to the Hub security testing schedule made in May pushed back the security control assessment period from June to August, and established Sept. 30 as the new deadline for security authorization. The Interconnection Security Agreements required to connect federal computer systems are also under review, and are scheduled to be finalized by Sept. 3. Separate agreements are needed to connect the state computer systems to the federal Hub.

The report doesn't assess the quality of the security testing being done by CMS and contractors. The IG notes that the defects and vulnerabilities in the system are being detected by testing and corrected, but the details of the security plan hadn't been drawn up when the IG conducted its review. They are concerned about the short clock for the final independent testing of the Hub's security controls before an authority to operate is granted. If testing goes longer than expected, "the CMS CIO may have limited information on the security risks and controls when granting the security authorization of the Hub," the report concludes.

 "CMS has prioritized review of the audit reports and is confident the Hub will be operationally secure and will have an authority to operate prior to Oct. 1, 2013," CMS Administrator Marilyn Tavenner wrote in her comments on the IG report.

The HealthCare.gov site that serves as a point of entry to the exchanges has already gone online. People interested in receiving health coverage under the law can establish password-protected Health Insurance Marketplace Accounts in advance of the open enrollment date.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.


Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.