HHS goes to the wire testing health insurance exchange IT

doctor and laptop

Delays in security testing of a key system in the implementation of the 2010 health care law means that a final security authorization isn't due from the CIO of the Centers for Medicare and Medicare Services (CMS) until Sept. 30 -- one day before the health care exchanges are scheduled to go online.

At issue is the security of the Data Services Hub, the system that supports the exchange of information between state-based health care exchanges and federal agencies. The data of health insurance applicants and policyholders isn't stored on the Hub, but it passes through the system for agencies to verify eligibility for coverage, send information to insurers, and as a tool for the Internal Revenue Service to collect coverage information.

According to the inspector general of the Department of Health and Human Services, CMS has a short window to test the Hub and certify it with an authority to operate. In an Aug. 2 memorandum report, the IG notes, "If there are additional delays in completing the security authorization package, the CMS CIO  may not have a full assessment of  system risks and security controls needed for the security authorization decision by the initial opening enrollment period expected to begin on October 1, 2013."

Updates to the Hub security testing schedule made in May pushed back the security control assessment period from June to August, and established Sept. 30 as the new deadline for security authorization. The Interconnection Security Agreements required to connect federal computer systems are also under review, and are scheduled to be finalized by Sept. 3. Separate agreements are needed to connect the state computer systems to the federal Hub.

The report doesn't assess the quality of the security testing being done by CMS and contractors. The IG notes that the defects and vulnerabilities in the system are being detected by testing and corrected, but the details of the security plan hadn't been drawn up when the IG conducted its review. They are concerned about the short clock for the final independent testing of the Hub's security controls before an authority to operate is granted. If testing goes longer than expected, "the CMS CIO may have limited information on the security risks and controls when granting the security authorization of the Hub," the report concludes.

 "CMS has prioritized review of the audit reports and is confident the Hub will be operationally secure and will have an authority to operate prior to Oct. 1, 2013," CMS Administrator Marilyn Tavenner wrote in her comments on the IG report.

The site that serves as a point of entry to the exchanges has already gone online. People interested in receiving health coverage under the law can establish password-protected Health Insurance Marketplace Accounts in advance of the open enrollment date.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy, health IT and the Department of Veterans Affairs. Prior to joining FCW, Mr. Mazmanian was technology correspondent for National Journal and served in a variety of editorial at B2B news service SmartBrief. Mazmanian started his career as an arts reporter and critic, and has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, Architect magazine, and other publications. He was an editorial assistant and staff writer at the now-defunct New York Press and arts editor at the online network in the 1990s, and was a weekly contributor of music and film reviews to the Washington Times from 2007 to 2014.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.

FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.


  • Anne Rung -- Commerce Department Photo

    Exit interview with Anne Rung

    The government's departing top acquisition official said she leaves behind a solid foundation on which to build more effective and efficient federal IT.

  • Charles Phalen

    Administration appoints first head of NBIB

    The National Background Investigations Bureau announced the appointment of its first director as the agency prepares to take over processing government background checks.

  • Sen. James Lankford (R-Okla.)

    Senator: Rigid hiring process pushes millennials from federal work

    Sen. James Lankford (R-Okla.) said agencies are missing out on younger workers because of the government's rigidity, particularly its protracted hiring process.

  • FCW @ 30 GPS

    FCW @ 30

    Since 1987, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

  • Shutterstock image.

    A 'minibus' appropriations package could be in the cards

    A short-term funding bill is expected by Sept. 30 to keep the federal government operating through early December, but after that the options get more complicated.

  • Defense Secretary Ash Carter speaks at the TechCrunch Disrupt conference in San Francisco

    DOD launches new tech hub in Austin

    The DOD is opening a new Defense Innovation Unit Experimental office in Austin, Texas, while Congress debates legislation that could defund DIUx.

Reader comments

Thu, Sep 12, 2013

Let the nightmare begin.

Thu, Aug 8, 2013

The timing of the final security authorization makes those already skeptical of this program very suspisious that it was done somewhat purposefully. Keeping the bad news hidden until it is too late to stop this monstrousity is par for the course for those people pushing this encroachment on personal freedom and government abuse of power. It does not surprise me that they have no serious intention of providing adequate safeguards for citizens in their ever increasing appitite for control of other people's lives and money. Even if it is declared secure, many will be wondering if the assessment was adjusted in order to keep the program moving forward. With basically no time provided for secondary review of the final assessment before the system goes on line, it makes it easy to cover up any glaring deficiencies in both the security and the assessment.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group