Insurance Exchanges: Security Questions
Report Says CMS Can't Afford More Delays
A new Inspector General report says federal officials are behind schedule in assessing and testing key data security functions tied to new online state health insurance exchanges that are slated to open for business on Oct. 1.
If the delays continue, the Centers for Medicare and Medicaid Services may have limited information by Oct. 1 on the security risks and controls of a government hub that will act as a conduit for federal data that's needed by these state insurance exchanges, says the new report from the Department of Health and Human Services' Office of the Inspector General.
CMS officials, however, insist the data services hub will be ready and operationally secure in time for the launch.
"CMS is working with very tight deadlines to ensure that security measures for the hub are assessed, tested, and implemented by the expected initial open enrollment date for health insurance exchanges of October 1, 2013," the OIG report states. "If there are additional delays in completing the security assessment and testing, CMS may have limited information on the security risks and controls before the exchanges open."
Consumer advocate Deven McGraw notes: "We do think it's important that the hub implement robust security protections for personal information. Such security measures should be in place before any personal information is exchanged with federal agencies, [which is] the role of the hub."
McGraw, director of the Health Privacy Project at the Center for Democracy & Technology, adds, "Given the bright spotlight that has been shined on this issue, we strongly suspect CMS will do what it needs to do to ensure a secure environment for consumers using the marketplaces no later than Oct. 1." McGraw is also chair of the HIT Policy Committee's Privacy and Security Tiger Team, which advises federal regulators.
One state insurance exchange official also believes the federal hub's security will be ready in time, but that it will be a nail-biter.
"It will be close," says Curt Kwak, CIO of Washington Health Benefit Exchange, Washington's state health information exchange. "We've been working with CMS every step of the way, and we are aware of the challenges that they face. I have confidence that our collaboration and transparency will go a long way in the mutual success of both parties, but the risks will never go away."
Under the Affordable Care Act, individuals and small businesses, beginning on Oct. 1, are supposed to be able to purchase private health insurance from new online state insurance exchanges. These online marketplaces will collect data from consumers on the front end via a web portal, and exchange data from other systems on the back end, including those of federal agencies.
The federal hub from CMS will support the state insurance exchanges by providing a single point where exchanges may access data from different sources, primarily federal agencies, the report notes. While the federal hub does not store data, it acts as "a conduit for exchanges to access the data from where they are originally stored," according to the report.
The functions of the hub will include "facilitating the access of data by [state insurance] exchanges; enabling verification of coverage eligibility of consumers; providing a central point for the Internal Revenue Service when it asks for taxpayer coverage information; providing data for oversight of the exchanges; providing data for paying insurers; and providing data for use in web portals for consumers," the report explains.
The OIG notes that from March to July, several hub security milestone dates were pushed back by CMS, including various risk assessment and testing deadlines.
OIG conducted a review from March to May to evaluate the adequacy of the development and testing of the hub from a security perspective.
At the time of the OIG review, CMS and its contractors were continuing to develop the hub and work with its federal and state partners in testing it to ensure its readiness for open enrollment to begin on Oct. 1, according to the report.
CMS is required to follow security standards and guidelines of the National Institute of Standards and Technology in securing the hub, the report notes.
"According to NIST security standards, every federal information system must obtain a security authorization before the system goes into production. The security authorization is obtained from a senior management official ... with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations," according to the OIG report.
The security authorization package must include a system security plan, an information security risk assessment and security control assessment report, the OIG notes. "The security authorization package provides important information about risks of the information system, security controls necessary to mitigate those risks, and results of security control testing to ensure that the risks have been properly mitigated. Therefore, these documents must be completed before the security authorization decision can be made by the authorizing official. The authorizing official may grant the security authorization with the knowledge that there are still risks that have not been fully addressed at the time of the authorization."
According to CMS's current timeline, the security authorization decision by its CIO is expected on Sept. 30, 2013, the report notes. "If there are additional delays in completing the security authorization package, the CMS CIO may not have a full assessment of system risks and security controls needed for the security authorization decision by the initial opening enrollment period expected to begin on Oct. 1, 2013."
In comments from CMS included with the report, the agency stated that it is confident that the hub will be operationally secure before Oct. 1.
"CMS is conducting internal security testing reviews and fixing system weaknesses as part of the development process," CMS administrator Marilyn Tavenner says in a July 31 letter to OIG in response to the draft report. "This approach has proven to significantly reduce security weaknesses discovered by an independent audit. CMS has prioritized review of the audit reports and is confident the hub will be operationally secure and have an authority to operate prior to Oct. 1, 2013."
At an Aug. 1 House Energy and Commerce Committee hearing about the Affordable Care Act, Tavenner testified, "CMS has been conducting systems tests since October 2012 and will complete end-to-end testing before open enrollment begins."
Meanwhile, Washington state's Kwak says it's vital that security of the federal hub is assured when the state insurance exchanges go online Oct. 1. "First and foremost ... these steps are essential in protecting the private data of these consumers," he says. "The other major factor would be that these tests and mitigation of the risks would reduce the probability of faulty or incorrect transactions when the consumers conduct their enrollment process."
While Kwak says he believes the federal hub security milestones will be met by the Oct. 1 launch date for the exchanges, he admits the risk of potential breaches "would be increased" if the deadlines are missed. Nonetheless, "we do have contingency plans in place to mitigate these risks," he adds.