Federal Data Hub Passes Security Testing
Officials Say It's Ready to Support State Insurance Exchanges
A federal data hub that will serve as a critical conduit for data needed by state insurance exchanges under healthcare reform has completed security testing and is certified to operate when the exchanges begin open enrollment on Oct. 1, federal officials say.
The disclosure about the hub's apparent readiness counters speculation from some, including a government watchdog, that the federal systems' security testing might not be completed in time for the launch.
The Obama administration has a lot riding on ensuring security of the hub, says Christopher Rasmussen, a policy analyst at the Center for Democracy & Technology, a consumer advocacy group. "Although we cannot be sure that there are still not underlying problems, CMS and the administration has a strong incentive to get this right, especially in light of the political environment."
Last month, an Inspector General report noted concerns that the Centers for Medicare and Medicaid had been falling behind on schedules to assess and test key data security functions tied to the hub. As a result, it said, "CMS may have limited information on the security risks and controls before the exchanges open" on Oct. 1 (see Insurance Exchanges: Security Questions).
The federal hub from CMS will support the state insurance exchanges by providing a single point where exchanges can access data from different sources, primarily federal agencies, according to the OIG report. While the federal hub does not store data, it acts as "a conduit for exchanges to access the data from where they are originally stored," the report noted.
In his opening remarks at a Sept. 11 hearing of the U.S. House Committee on Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, Chairman Patrick Meehan, R-Pa., said, "With just 20 days remaining before the hub goes live, I have grave concerns from a cybersecurity standpoint ... There are increasingly sophisticated ways to steal and manipulate information ... and very sophisticated actors, including state actors looking to do harm."
But Kay Daly, an assistant inspector general at the U.S. Department of Health and Human Services, testified that OIG has been informed by CMS that it recently completed its security authorization for the hub.
In written testimony for the hearing, Daly said, "At the time of our review [for preparing the August OIG report], CMS was addressing and testing security controls for the hub during the development process. Several critical tasks remained to be completed, such as the final independent testing of the security controls, remediating security vulnerabilities identified during testing and obtaining the security authorization decision for the hub before opening the exchanges. CMS's schedule at that time was to complete all of these tasks by Oct. 1, 2013, in time for the expected initial open enrollment date for health insurance exchanges."
Daly added, however: "Since issuing our report, CMS has reported to us that it has made additional progress on these key milestones, including obtaining its security authorization for the hub on Sept. 6. ... We have not independently verified CMS's progress since completing our audit."
CTO Confirms Readiness
But Todd Park, U.S. chief technology officer, said in a statement issued on Sept. 11, "After over two years of work, [the hub] is built and ready for operation, and we have completed security testing and certification to operate. This is an important step in being ready for open enrollment on October 1.
"The hub is critical to the operation of both the federally facilitated marketplace and state-based marketplaces, enabling them to provide accurate and timely eligibility determinations."
The state health insurance exchanges, called for under federal healthcare reform, are online marketplaces where consumers and small businesses can shop for and enroll in health plans. States were each allowed to choose whether they wanted to operate their own exchanges or have the federal government operate one for them.
A separate statement about the hub issued Sept. 11 on a CMS website says, "Every federal information technology system must comply with rigorous standards before the system is allowed to operate. The hub completed its independent security controls assessment on Aug. 23, 2013, and received an authorization to operate on Sept. 6, 2013. The completion of this testing confirms that the hub complies with federal standards and that HHS and CMS have implemented the appropriate procedures and safeguards necessary for the hub to operate securely on October 1."
The CMS statement notes that the responsibility to safeguard information "is an ongoing process, and HHS and CMS will remain vigilant throughout operations to anticipate and protect against evolving data security concerns. The marketplace monitoring program will continually be reviewed for effectiveness of the systems' security controls, through methods that include independent penetration testing, automated vulnerability scans, system configuration monitoring, and active web application scanning."
Additional information provided by CMS to Information Security Media Group gave more insight into the testing:
- Testing with issuers for the federally facilitated marketplace eligibility and enrollment functions began in early June 2013. CMS worked with issuers to define test scenarios and the emphasis is on the abilities to perform Qualified Health Plan enrollments;
- In the spring, HHS accepted QHP submissions from more than 120 issuers, "demonstrating our ability to build and implement the IT needed to support the marketplace";
- CMS is also planning additional testing, along with states, federal agencies and issuers, to ensure robust performance of the systems. "CMS is confident that the hub will be available to support marketplace operations on Oct. 1," the agency told Information Security Media Group.
A leader at one state insurance exchange is pleased by the recent CMS progress and the overall focus on security.
"I am very confident that CMS and our dependent partners have taken [the] same stringent steps to ensure the protection and security of all consumers' data managed in their systems," says Curt Kwak, CIO of the Washington state insurance exchange.
"Safeguarding the information of our customers is a top priority here at the Washington Health Benefit Exchange," he says. Washington state's exchange "meets strict privacy and security standards that are outlined by both the federal government and our state-level requirements. We have taken numerous data protection measures to help protect sensitive consumer information at every step of the process."
Looking ahead, "[the] biggest security and privacy challenges are the management of those unforeseen issues that arise and how quickly we can mitigate those as they come," Kwak notes.
Rasmussen of the Center for Democracy & Technology says that in addition to ensuring the security of the federal data hub, it's important that so-called "navigators" who will assist consumers using insurance exchanges, and others with access to sensitive data, are properly trained to protect the information.
"I always think consumers should exercise caution when they share sensitive information - in this case name, Social Security number, address, and income - and I don't think that the exchanges are any different," he says. "Many of the customers signing up for health insurance through the exchanges will be economically vulnerable, and I think it is critically important that those who assist them are trained in privacy and security compliance."