One Hour to Report Breach: Possible?HHS Proposal Could Impact Health Insurance Exchanges
The Department of Health and Human Services proposes that state health insurance exchanges report data breaches within one hour after discovering them. CIO Curt Kwak of the Washington state health insurance exchange explains why compliance with such a rule would be challenging.
"From my perspective, I don't believe this will become final because we don't believe it's realistic," Kwak says in an interview with Information Security Media Group [transcript below].
"This level of ruling will force us to be less efficient and most likely impact the usability of the system and our ability to support the system as well," he says.
If the proposal from the Department of Health and Human Services does become official, Kwak says his state's health insurance exchange, slated to launch Oct. 1, will adjust.
"We will obviously need to augment our staff and tighten our environment even more," he says, "but that will probably constrict the operation efficiency of our environment."
The Washington state insurance exchange has been vocal with HHS and Centers for Medicare & Medicaid Services about the constraints and concerns such a rule would create, Kwak explains.
"They know it's going to impact us," he says. "We're hoping it doesn't come to that, but we'll be ready ... and we'll do whatever we can with the final ruling."
In the interview, Kwak also discusses:
- The challenge of state insurance exchanges safeguarding consumer financial data in addition to health information;
- Washington Health Benefit Exchange's approach to authenticating consumers;
- Security lessons learned so far in preparing for the Oct. 1 open enrollment launch of the Washington state exchange.
As CIO for Washington Health Benefit Exchange, Kwak oversees all technology implementation and maintenance necessary to meet the exchange's business requirements. Before joining the exchange last year, Kwak served as CIO at Providence Health & Services and oversaw IT needs at Western Washington Ministries.
Washington State HIE
MARIANNE KOLBASUK MCGEE: To start, very briefly describe what consumers will see and do on your online exchange beginning on Oct. 1?
CURT KWAK: Beginning Oct. 1, we will launch our application called Health Plan Finder, which is powered by the ... Washington Health Benefit Exchange. What the consumer will see is an application process that includes their personal information, financial information and information that will be validated through what we call the eligibility system, and then with the federal data services hub which validates income levels, their state of insurance levels, and other pertinent information necessary to fully approve specific plans for the individual shopping for them. Another feature that the consumers will see is what we call the shopping experience of the consumers. They'll be able to actually see, post and compare different plans that will best fit their needs.
MCGEE: How will you authenticate users?
KWAK: We have a number of ways. We do use a multi-authentication process here. A couple of examples would be e-mail validation, so a consumer could actually submit their e-mail address and we would send back a code that they could validate and authenticate with. We also have unique IDs and unique phrases that they can use to also additionally validate their identification.
Top Security Challenges
MCGEE: State insurance exchanges, including yours, will be sharing data with a variety of state, federal and third-party systems on the back-end. What are the biggest security challenges with that, and how are you tackling that?
KWAK: The biggest challenges that we've been having, at least through the testing currently, has been the fact that the different dependent partners use different processes and different protocols in processing their data. It's been a challenge for us to adapt to the different methods and also the timing it takes for us to align and interface with the different data sets. It's having an agile mentality and also procedures to adapt quickly and resolve issues as we go, and really validating once the data is received and sent.
Protecting Financial, Health Data
MCGEE: State insurance exchanges will also be dealing with a lot of consumer financial data, as well as health-related data. What are the special challenges in protecting both?
KWAK: When I was with the healthcare system prior to this position, we were dealing with protected health information, and it was tough enough. Now we're adding financial information on top of PHI, which of course makes it that much tougher. It absolutely poses a significant challenging concern of course. However, we believe we do have a great plan in place which we built by collaboration, collaborating very closely with CMS and hiring some of the better security plus data management minds out there to help engineer our environments. We believe we have a plan, and I think we'll be okay, but it's going to be a challenge. We'll just keep a close eye and incorporate the continuous improvement methods to make it stronger as we go.
MCGEE: Are there certain technologies that will be key with that?
KWAK: [Here's] a quick overview of our technology. We have developed and built this application called Health Plan Finder from the ground up with the help from our system integrator and we have incorporated the industry best practices and industry-leading technology components from leaders like Oracle, Cisco and IBM. We believe we have the right solution to try to do what we're trying to do. We're confident at least through the user-acceptance testing and development and integrated testing that we have gone through.
We have thrown a number of scenarios and scripts at it and so far it's shown a very positive result.
Impact of Insurance Deadline
MCGEE: The Obama administration recently extended the deadline by one year until 2015 for employers with more than 50 workers to offer insurance to their employees. What's the impact of this deadline extension on your exchange from a technology standpoint? For instance, do you expect there will be more or less traffic on the exchange in 2014 than originally expected, and what would be the impact on data security or privacy plans?
KWAK: From my personal perspective, I wasn't surprised by the extension. I figured something like this would have happened by now, just looking at the other states and efforts that we've been part of. This deadline extension really has no bearing on the continued build of our exchange, the platform Washington Health Plan Finder, because our primary target was low-income individual populations to begin with anyways. Our initial target was the small businesses - 1 to 15 employees - what we call a shop. It really doesn't have a bearing on our current efforts, and, because of that, it should not have any effect on how our technology was built build and security concerns.
One Hour to Report a Breach
MCGEE: The U.S. Department of Health and Human Services is proposing that state health insurance exchanges report data breaches to HHS within one hour after discovering a breach. If that proposal becomes final, how do you expect to implement that breach reporting rule? Are there any plans that need to be changed?
KWAK: From my perspective, I don't believe this will become final because we don't believe it's realistic. This level of ruling will force us to be less efficient and most likely impact the usability of the system and, of course, our ability to support the system as well. Now if it does become the rule, then we will obviously need to augment our staff and tighten our environment even more, but again that will probably constrict the operation efficiency of our environment. Washington being one of the leading states building the state-based exchange, we've been very clear and transparent with HHS and CMS and are being absolutely clear with our constraints and concerns around rules like this. They know it's going to impact us, and if we're impacted it's going to impact all of the states trying to do the same thing. We're hoping it doesn't come to that, but we'll be ready. We'll be ready, and we'll do whatever we can with the final ruling.
Privacy, Security Lessons Learned
MCGEE: As you prepare for the Oct. 1 open enrollment date, what are the key lessons that you've learned about security and privacy needs of your exchange so far? Any lessons that you think will be helpful to other states?
KWAK: We have a dictionary of lessons learned and we're continuing to add to that dictionary. One big lesson was: Don't assume anything. You're being challenged to make up things as you go. New rules are coming out almost every day and, even on the federal side, they're changing things around on a regular basis. But you've just got to go with what you have and be absolutely clear and positive what you have is what you're going to do at that moment. Don't look ahead and don't try to assume things without any validation. That's one.
From a security perspective, I think one of the lessons learned is don't go with just the baseline security of functions, because ... no level of security seems high enough due to the magnitude and complexity of what we're trying to do. Try to deploy the best-of-breed of technology and methods as you can and time will allow, and just give it your best. We're all working hard but you also need to give it your best because we're working towards something global and larger, much larger than what we are ourselves.
MCGEE: Are there any final thoughts about data security and privacy issues as you're finishing up preparing for the open enrollment date?
KWAK: There are many concerns and challenges obviously, but we're rigorously working with CMS and their back-end partners like IRS, INS [Department of Homeland Security] and the Social Security Administration, and we also have been very collaborative with other states building their own state-based exchanges: Connecticut, Kentucky, New York, etc. I believe we're definitely on the right path. We're taking very rigid steps to bolster our environment of course, more so than how we did things at the healthcare system I came from, because this feels so much bigger and global. There are lots of eyes stuck on what we're doing. There's a lot of scrutiny, a lot of public view, and we're doing everything we can to ensure all the gaps are filled. It's tough because there's so much that we're trying to do in a very short period. But we're doing our best ... and I guess that's all I can hope for.