GOP Report Blasts HealthCare.gov FlawsHHS Announces New Obamacare Management Positions
A scathing new Senate Republican report outlines a number of key issues, including a lack of security best practices, that allegedly contributed to the troubled launch last fall of the Affordable Care Act's HealthCare.gov site and systems.
Meanwhile, the Department of Health and Human Services announced June 20 the creation of new management positions designed to bolster technological operations and accountability of HealthCare.gov.
The new report, Red Flags: How Politics and Poor Management Led to the Meltdown of HealthCare.gov, issued last week by the minority staffs of the Senate Finance Committee and the Senate Judiciary Committee, highlights a number of factors, ranging from uncoordinated leadership, politics, communication breakdowns, delayed regulations and technical defects - as well as a lack of security best practices - that contributed to the botched rollout last Oct. 1 of HealthCare.gov.
The report is based on witness testimony at a number of Congressional hearings into HealthCare.gov's troubled launch, as well as input from consulting firms, including McKinsey & Company and TurningPoint Global Solutions, which were commissioned to provide analysis or technical services to the federal government related to HealthCare.gov. Also cited in the report are findings from MITRE, which the government hired to provide security testing services for HealthCare.gov, the website that facilitates the online health insurance exchanges for more than 30 states under the Affordable Care Act, more commonly known as Obamacare.
In a statement provided to Information Security Media Group, the Center for Medicare and Medicaid Services, the unit of the Department of Health and Human Services that's responsible for HealthCare.gov, says it is addressing technical and other issues to ensure that the next open enrollment season for Obamacare goes more smoothly.
Additionally, HHS' new secretary, Sylvia Mathews Burwell, on June 20 announced a series of management changes "designed to strengthen the implementation of the Affordable Care Act," according to an HHS statement. The changes include naming Andy Slavitt to the newly created CMS post of principal deputy administrator, for which he will be responsible for "cross cutting policy and operational coordination for the agency's Medicare, Medicaid, CHIP and Marketplace initiatives; combating healthcare fraud; reforming healthcare delivery; and improving health outcomes." Slavitt was previously group executive and vice president for Optum, a unit of insurer United Healthcare, which provided technology services to HealthCare.gov. Slavitt last fall was named the top executive to lead the systems integration work and tech surge to fix HealthCare.gov.
In addition to Slavitt's position, Burwell announced that CMS is also actively recruiting to fill two other newly created HealthCare.gov positions - a CEO and CTO for the insurance marketplace.
"This new management structure comes in response to lessons learned from the rollout of HealthCare.gov and recommendations put forth to the Secretary," according to the HHS statement.
Among the issues cited in the new GOP report are details about the security testing that was performed on HealthCare.gov. The report says, "Both in late August and again one week before HealthCare.gov went live, MITRE reported serious concerns to CMS about the website's vulnerability to attack. These reports were so serious that CMS' top IT security official, CISO Teresa Fryer, recommended against signing the Authority to Operate, which CMS needed in order to launch."
In a draft memo written on Sept. 24, 2013, Fryer outlined numerous security concerns, the Senate report notes. "Other CMS officials also discussed security concerns both before and after the launch of the website," the report states.
Among HealthCare.gov security concerns cited in the Republican report:
- Approximately 40 percent of security controls were not tested before launch;
- Testing of the website focused primarily on functionality, and not on security;
- Due to the limitations of the security testing, it was unknown whether the website would sufficiently protect personal identifiable information;
- Eligibility and enrollment, financial management and plan management modules could not be tested in the same environment. This meant that consistent tests on key applications could not be performed.
Additionally, the report alleges that complete end-to-end testing of the exchange did not occur prior to launch because, for example, the testing environments and modules were not completed in time for the security assessment. And some aspects of the website could not be tested because they had not yet been built.
When it came time to decide whether HealthCare.gov should be certified as secure, "political pressure again trumped technological reality," the report alleges. "Normally, the job of approving a major IT project as secure would go to the Chief Information Officer of CMS, in this case Tony Trenkle," the report notes.
CMS CISO Fryer testified during a Congressional hearing that she had recommended to several HHS leaders, including Trenkle, that the site should not be issued an ATO, according to the report.
"As a result of the controversy, CMS administrator Marilyn Tavenner herself signed the ATO, in a highly unusual move. In doing so, she certified the security of the website, and permitted the launch to proceed on October 1," the report states.
Trenkle resigned from CMS about a month after the troubled HealthCare.gov launch (see CIO At CMS Stepping Down).
When it came to HealthCare.gov's security procedures and testing, "the bar was not just low, it was nonexistent," the report contends.
In a statement provided to ISMG, CMS responds: "CMS leadership issued an authorization to operate [the exchange] on Sept. 27, 2013. Deliberations on agency operations, including the ATO, involve varying opinions from professional, career and subject matter experts within the agency. CMS leadership carefully considers the facts from a range of staff, who bring different perspectives and expertise to the process. Concerns about potential security risks that were raised as part of ongoing discussions ahead of September 27 did not come to pass."
CMS also noted in its statement: "It's well known that we faced challenges during the launch of Healthcare.gov. As it has been widely reported, we didn't anticipate the levels of difficulty that we ultimately faced. We immediately worked to fix the issues and developed new management processes, and exceeded many independent predictions with more than 8 million consumers signing up for private insurance coverage. Taking all the lessons learned, we are looking forward to [the next open enrollment launch on] Nov. 15 by making additional improvements to technology and management structures ..."
The majority (Democrat) staff offices of the Senate judiciary and finance committees did not respond to ISMG's request for comment on the GOP report.
The security of HealthCare.gov is undergoing review by Congressional watch dog agency, the Government Accountability Office (see Expanded HealthCare.gov Scrutiny Sought).
GAO expects to issue the report around mid-September, a spokeswoman for the office says.
CMS noted in a statement that "there have been no successful security attacks on HealthCare.gov and no person or group has maliciously accessed personally identifiable information. An independent security control assessor tested each piece of the HealthCare.gov system that went live Oct. 1 prior to that date with no open high findings. All high, moderate and low security risk findings listed on the security controls assessment, for the portions of the website that launched Oct. 1, were either fixed, or have strategies and plans in place to fix the findings that meet industry standards."