The Data Services Hub, which will support exchange of information between state health insurance exchanges and federal agencies still does not have final security authorization, with the exchanges set to go online in just a few weeks.
Delays in security testing of a key system in the implementation of the 2010 health care law means that a final security authorization isn't due from the CIO of the Centers for Medicare and Medicare Services (CMS) until Sept. 30 -- one day before the health care exchanges are scheduled to go online.
At issue is the security of the Data Services Hub, the system that supports the exchange of information between state-based health care exchanges and federal agencies. The data of health insurance applicants and policyholders isn't stored on the Hub, but it passes through the system for agencies to verify eligibility for coverage, send information to insurers, and as a tool for the Internal Revenue Service to collect coverage information.
According to the inspector general of the Department of Health and Human Services, CMS has a short window to test the Hub and certify it with an authority to operate. In an Aug. 2 memorandum report, the IG notes, "If there are additional delays in completing the security authorization package, the CMS CIO may not have a full assessment of system risks and security controls needed for the security authorization decision by the initial opening enrollment period expected to begin on October 1, 2013."
Updates to the Hub security testing schedule made in May pushed back the security control assessment period from June to August, and established Sept. 30 as the new deadline for security authorization. The Interconnection Security Agreements required to connect federal computer systems are also under review, and are scheduled to be finalized by Sept. 3. Separate agreements are needed to connect the state computer systems to the federal Hub.
The report doesn't assess the quality of the security testing being done by CMS and contractors. The IG notes that the defects and vulnerabilities in the system are being detected by testing and corrected, but the details of the security plan hadn't been drawn up when the IG conducted its review. They are concerned about the short clock for the final independent testing of the Hub's security controls before an authority to operate is granted. If testing goes longer than expected, "the CMS CIO may have limited information on the security risks and controls when granting the security authorization of the Hub," the report concludes.
"CMS has prioritized review of the audit reports and is confident the Hub will be operationally secure and will have an authority to operate prior to Oct. 1, 2013," CMS Administrator Marilyn Tavenner wrote in her comments on the IG report.
The HealthCare.gov site that serves as a point of entry to the exchanges has already gone online. People interested in receiving health coverage under the law can establish password-protected Health Insurance Marketplace Accounts in advance of the open enrollment date.