GAO: Better HealthCare.gov Oversight Needed

Watchdog Agency Will Soon Release Privacy, Security Study

A Government Accountability Office report released on July 30 says the oversight and governance practices of the Centers for Medicare and Medicaid Services were ineffective in the development of the Obamacare website, HealthCare.gov, and its systems.

Meanwhile, the GAO is continuing work on a separate examination of HealthCare.gov's privacy and security measures.

A GAO spokesman tells Information Security Media Group that the forthcoming report, which is slated to be released after Labor Day, addresses a request made by Rep. Lamar Smith, chair of the House Science, Space and Technology Committee, for a security review of HealthCare.gov (see Expanded HealthCare.gov Scrutiny Sought).

Hefty Price Tag

As of March, CMS has spent $848 million on the development of HealthCare.gov, the author of the newly released report, William Woods, GAO director of acquisition and sourcing management, testified at a July 31 Congressional hearing. That figure doesn't include costs related to ongoing work by CMS and its contractors to improve the site before the next open enrollment launch in the fall of 2014, he said.

HealthCare.gov facilitates the online health insurance exchanges for more than 30 states under the Affordable Care Act, more commonly known as Obamacare. The website and its systems were plagued by serious technical issues for many weeks after HealthCare.gov launched for open enrollment last Oct. 1. Since then, HealthCare.gov has been the subject of multiple Congressional hearings, including some that focused on data security and privacy issues. In particular, some Congressional scrutiny has focused on the lack of end-to-end security testing conducted before the HealthCare.gov launch.

No Breaches So Far

Woods told the Congressional panel that he is not aware of any security breaches that have occurred on HealthCare.gov. In addition, Andrew Slavitt, CMS principal deputy administrator, testified that to date, "there have been no successful malicious attacks [on the HealthCare.gov site or systems] and no one's personal information has been compromised."

Slavitt was named to the position in June by Department of Health and Human Services Secretary Sylvia Mathews Burwell. He was previously group executive and vice president for Optum, a unit of insurer United Healthcare, which provided technology services to HealthCare.gov (see GOP Report Blasts HealthCare.gov Flaws).

Contract Management

The new GAO report, "Ineffective Planning and Oversight Practices Underscore the Need for Improved Contract Management," focused on three areas: acquisition planning; oversight and cost schedules; and contractor performance issues, Woods testified.

He told the House Energy and Commerce Committee's Subcommittee on Oversight and Investigations that the report is one of several that GAO is preparing about HealthCare.gov. "We got lots of requests from both the Senate and the House, from both sides of the aisles" for GAO to examine what went wrong with the launch of HealthCare.gov, he said.

In addition to the pending report on privacy and security issues, GAO is also preparing an examination of information technology management and use of best practices in the development of HealthCare.gov, Woods testified.

In its July 30 report, GAO says: "CMS undertook the development of HealthCare.gov and its related systems without effective planning or oversight practices, despite facing a number of challenges that increased both the level of risk and the need for effective oversight. ... Unless CMS improves contract management and adheres to a structured governance process, significant risks remain that upcoming open enrollment periods could encounter challenges."

Under pressure to meet the Oct. 1, 2013, deadline to launch open enrollment of HealthCare.gov, "CMS did not adhere to the governance model designed for the federally facilitated marketplace and data hub task orders, resulting in an ineffectual governance process in which scheduled design and readiness reviews were either diminished in importance, delayed or skipped entirely," GAO says.

GAO says the inadequate governance, combined with the use of an Agile software development approach the agency had not tried before, added even more uncertainty and potential risk.

"The result was that problems were not discovered until late, and only after costs had grown significantly," the GAO report says.

GAO Recommendations

The GAO recommends in its report that CMS "take immediate actions to assess increasing contract costs and ensure that acquisition strategies are completed and oversight tools are used as required, among other actions."

The recommendations, which CMS mainly supported, are focused on how CMS can improve ongoing development, management and governance of HealthCare.gov, especially contractor performance monitoring.

The CMS response to GAO's recommendations states: "CMS is building on the lessons learned during the launch of the federally facilitated marketplace and the first open enrollment period to ensure effective management of the marketplace that is focused on clear lines of authority, prioritization of requirements and deliverables and metric-driven quality reviews for its HealthCare.gov contracts and contracts across the agency."


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.



