Obamacare Website Security Questioned
House Committee Members Quiz Vendors on Tech ProblemsA congressional committee grilled representatives from four technology vendors providing services for the Obamacare website, questioning, for example, whether the site is putting consumer privacy at risk.
See Also: Critical Condition: How Qilin Ransomware Endangers Healthcare
The House Energy and Commerce Committee held the Oct. 24 hearing to question the contractors about the technical issues causing consumers to have problems accessing the website, HealthCare.gov or using it to enroll in health plans. The federal website serves more than 30 states that aren't running their health insurance exchanges on their own.
Several Republican congressman questioned whether the website and the systems that support it had been adequately tested for security and whether they pose a threat to consumer privacy.
Executives from CGI Federal Inc.; Quality Software Services Inc., a unit of Optum; Serco Inc.; and Equifax Workforce Solutions testified that the individual system components or services that they each provided were tested in the months and weeks leading up to Oct. 1 rollout. But the Centers for Medicare and Medicaid Services conducted end-to-end testing of the integrated system - or all the components working together - only days before the Oct. 1 rollout, they said.
Cheryl Campbell, senior vice president of CGI Federal, and Andrew Slavitt, group executive vice president of Optum/QSSI, both testified that end-to-end testing of integrated systems of this sort ideally should be performed months before the go-live date so that there is more time to iron out problems before launch.
Wrinkles Being Ironed Out
Campbell testified that the first set of issues for user access problems involved the enterprise identity management, or EIDM, function provided by Optum/QSSI. The EIDM allows users to create secure accounts and serves as the "front door" to the federal exchange that a user must pass through before entering the federally facilitated marketplace, or FFM, she explained. "Unfortunately, the EIDM created a bottleneck that prevented the vast majority of users from accessing the FFM," she said.
Slavitt of Optum/QSSI testified: "It appears that one of the reasons for the high concurrent volume at the registration system was a late decision [by federal officials] requiring consumers to register for an account before they could browse for insurance products. This may have driven higher simultaneous usage of the registration system that wouldn't have occurred if consumers could 'window shop' anonymously."
Slavitt said in his written testimony that all EIDM issues had been resolved. "By Oct. 8, even at high levels of registration, the EIDM tool was processing," he said.
Since the launch of the site, modifications have been made to enable visitors to do some limited browsing of health plans without registering.
Campbell testified that problems with the federally facilitated marketplace are being addressed and that the system performance is improving daily. She told the committee she was confident that consumers would be able to efficiently enroll by Dec. 15, the deadline for health plan coverage that begins Jan 1.
Nevertheless, Rep. Joe Barton, R-Texas, said he was concerned that even if consumers could sign up, there is a disclaimer buried in source code on the site that reads: "You have no reasonable expectation of privacy regarding any communication or data transmitting or stored on this information system."
"Isn't this a direct contradiction to HIPAA?" he asked.
But Rep. Frank Pallone, D-N.J., pointed out that consumers are not asked to provide any health information during the application process, so HIPAA does not apply. Information that consumers provide to use the system "includes address and date of birth ... not health information," he said.
Pallone accused Barton and other Republicans of "trying to scare people so that they don't apply" for health insurance in yet another effort to undermine the Affordable Care Act.
Some committee members also questioned whether vendors have access to consumer data stored in databases that are part of the federal system. The vendors testified that they don't store information nor have access to the databases, with the exception of Serco, which processes paper applications. Those paper applications are scanned, and then destroyed after they are digitized. Information from the digitized applications are then entered into the online system. That data is archived for no more 30 days, John Lau, Serco program director, testified.
Sebelius to Testify
Department of Health and Human Services Secretary Kathleen Sebelius is expected to testify before the committee next week.
Earlier this week, HHS named Jeffrey Zients, former acting director of the Office of Management and Budget, to lead the project to repair the Obamacare website. HHS called in experts from a number of top technology vendors and insurance companies to help in the effort to fix glitches (see: Critiquing Insurance Exchange Fixes).
In a media briefing on Oct. 25, Zients said the glitches would be fixed on the federal insurance exchange site in about a month. "We are confident by the end of November that HealthCare.gov will be smooth for the vast majority of users," he said.
At the Oct. 24 hearing, Rep. Lee Terry, R-Neb., expressed concern that vendors fixing glitches in the system, such as by adding new code, could introduce security vulnerabilities. "Every cybersecurity expert knows that when you introduce new code you may accidentally introduce risks," he said.