What Happens to Data, Systems If Obamacare Is Repealed?Experts Call for Caution in Protecting Sensitive Information
If President-elect Donald Trump fulfills a campaign promise of repealing Obamacare - which could result in the dismantling of HealthCare.gov and state health insurance exchanges - great caution will be needed to protect the data of millions of consumers contained in those systems.
Meanwhile, a new federal watchdog report reviewing the security of the state of New York's health insurance exchange shows some security shortcomings in the existing Obamacare system. The review by the U.S. Department of Health and Human Services' Office of Inspector General is the latest of several Obamacare-related data security reports issued in recent years by watchdog agencies.
Even if Obamacare, officially known as the Affordable Care Act, is repealed, "I don't believe the current approach of security and privacy management will change," says Curt Kwak, former CIO at the Washington state health insurance exchange and now CIO of Proliance Surgeons in Seattle. "It will be a long change management process with the same level of scrutiny and focus that we have always placed on consumer data, including PHI. I would suspect it would be like changing any critical large system, which is to focus on data initially, safeguard and archive, before any work on the system begins."
Also, some data handled by the state-based exchanges is obtained through federal systems, including the Internal Revenue Service and Centers for Medicare and Medicaid Services, as well as state agencies, he notes. "These systems are as locked down as you are going to get, governed by the government. ... So as long as there is leadership and full accountabilities established to all parties, I think it will be OK."
Mac McMillan, CEO of security consultancy CynergisTek, says that if Obamacare is repealed, the most important security measure "will be the proper disposition of the data, sanitization of systems and the eventual destruction of the information itself. But before that, there is a more important question regarding the disposition of this information as part of the individuals' health history or record."
The Next Steps
The concern in the repeal of Obamacare resulting in the discontinuation of Healthcare.gov and related systems at many states "are the same faced by the dismantlement or shutting down of any program or business handling sensitive or in this case patient information," McMillan says. "Care will need to be taken to first preserve the information, then protect the data, and eventually distribute/restore it as part of that person's record once they have alternative coverage."
Any potential dismantling of systems associated with health insurance exchanges under Obamacare - if it's, indeed, repealed - would require the same level of caution to protect data that any healthcare entity or business associate would need to exercise if any of their business operations were to cease, McMillan says.
"If an entity goes out of business they should return the information to the covered entity who owns it and properly sanitize all systems before disposing of them," McMillan says. "If an organization retires/migrates a system, they are still obligated under the [HIPAA] rule to retain the information and/or follow the disposition instructions of the covered entity who owns the data."
If health insurance exchange systems will no longer need to store PHI, "the data needs to be wiped in a manner that complies with HIPAA requirements for media reuse and disposal," notes Keith Fricke, partner and principle consultant at tw-Security.
But even before systems are potentially dismantled, data needs to be protected during in-between stages of discontinued operations, he notes. "Take the systems offline and restrict physical and electronic access until the data are properly disposed of," he suggests.
The processes and procedures that would be needed to protect Obamacare-related data if the law is repealed are similar to what covered entities and business associates deal with when faced with operations or business shutdowns.
"The processes for proper destruction/sanitization still apply," McMillan says. "If the entity is retaining the retired system as an archive, then steps should be taken to encrypt the data if not done so already, to limit access and to remove from the production environment so it is not accessible without review/permission."
Even when covered entities or BAs go out of business, Fricke notes, "organizations are still obligated to protect the patient data while in their custody; therefore, all required administrative, physical and technical controls are still in play. Also, contract language for any parties involved should have language addressing termination of relationship and agreed-upon actions to be taken to dispose of data."
Any type of major change introduces risk, says Dan Berger, CEO of the consultancy Redspin. "Many breaches have occurred as a result of servers being left online that were thought to have been disconnected," he points out.
Rigorous planning in advance of the dismantling process - and exceptional execution - are required to ensure that data is protected, Berger notes. "In addition, there has to be an offline data retention plan in place and ultimately an airtight data disposal process," he says.
Of course, a security risk assessment is essential before any major change in infrastructure or systems, Berger adds. "End-of-life is no exception and carries additional considerations for data retention obligations and secure disposal," he says.
New York State Exchange
As for the OIG's review of the New York health insurance exchange, the watchdog agency found that the New York marketplace had implemented many security controls, including policies and procedures, to protect PII on its website and database. "However, it did not always comply with federal requirements. Specifically, the New York marketplace had not adequately secured its website," OIG wrote.
OIG also notes: "Although we did not identify evidence that the vulnerabilities in the New York marketplace's website had been exploited, exploitation could have resulted in unauthorized access to and disclosure of PII, as well as disruption of critical marketplace operations."
OIG says the vulnerabilities could have potentially resulted in the compromise of data confidentiality and integrity as well as jeopardized the availability of the marketplace. In addition, without proper safeguards, the vulnerabilities would leave the systems and network at risk for crimes involving fraud as well as malicious attacks.
One of the key takeaways from OIG's reviews of the Obamacare health insurance exchanges is the paramount importance of website and web application security, Berger says. "In the commercial sector, web application security is a specialized discipline that attracts among the best security engineers in the business. Prudent web app security involves manual testing as vulnerabilities are often the result of business logic flaws, something automated scanners won't always detect."
OIG's review earlier this year of the security of Minnesota's state-operated health insurance exchange under the Affordable Care Act also revealed various security weaknesses that potentially put sensitive consumer data at risk (see OIG Flags Security Flaws in Two State Health Info Systems).
Also, a GAO report issued in September said undercover testing for the 2016 coverage year found that the eligibility determination and enrollment processes of online healthcare marketplaces in California, Virginia and West Virginia were vulnerable to fraud (see GAO: Obamacare Enrollment Fraud Vulnerabilities Persist).