By Alex Ruoff
The data services hub that will be used as a conduit for patient information exchanged between various federal agencies and federal and state insurance exchanges may contain unidentified security risks when open enrollment in the exchanges begins in October, according to an Aug. 2 report from the Department of Health and Human Services Office of Inspector General.
The Centers for Medicare & Medicaid Services is sufficiently “addressing and testing security controls” as it develops the data services hub and is creating a comprehensive security assessment of the technology, the report said. However, any significant delays to completing the security assessment could hold up the rollout of the data hub, set to go online for federal and state insurance exchanges Oct. 1, or prompt CMS officials to approve the data hub before security vulnerabilities are fully understood.
All federal information systems, including the data hub, must have a security assessment approved by a senior government official to obtain authorization to go online, the report said. The data hub must be approved by CMS's Chief Information Officer Tony Trenkle.
“CMS is working with very tight deadlines to ensure that security measures for the hub are assessed, tested, and implemented by the expected initial open enrollment date of October 1, 2013,” the report said. “If there are additional delays in completing the security assessment and testing, the CMS CIO may have limited information on the security risks and controls when granting the security authorization of the hub.”
CMS, in response to the report, said it “is confident the hub will be operationally secure and it will have an authority to operate prior to Oct. 1, 2013.”
A CMS spokeswoman told BNA in an email that the security assessment is on schedule and the agency “has extensive experience building and operating information technology systems that handle sensitive data.”
The OIG report, Observations Noted During the OIG Review of CMS's Implementation of the Health Insurance Exchange--Data Services Hub (A-18-13-30070), said the expected completion date for the security assessment of the data hub had already been delayed earlier this year from Sept. 4 to Sept. 30.
In recent weeks, HHS officials have repeatedly assured lawmakers and consumers that the data hub will be ready and secure by the Oct. 1 deadline.
Gary Cohen, director of HHS's Center for Consumer Information and Insurance Oversight, testified before the House Ways and Means Committee that the data hub would be operational by the deadline (149 HCDR, 8/2/13).
On July 17, CMS Administrator Marilyn Tavenner told two House subcommittees that the hub will not present a danger to consumers' personal information (138 HCDR, 7/18/13).
The OIG report confirmed that CMS and its contractors have performed security testing “throughout the hub's development, including vulnerability assessments of hub services.”
“CMS is logging and tracking defects and vulnerability throughout the development process and correcting and retesting hub services to ensure that vulnerabilities are remediated,” the report said.
The OIG report also noted that the data hub is a conduit for information and will not be used to store information. The hub will facilitate the exchanges' access to consumer information and enable verification of coverage eligibility.
While the agency is ensuring that the data hub is secure, the process of testing the technology is taking longer than originally expected, the OIG report found. CMS's testing program and security assessment for the data hub are both behind the original production schedule the agency set in March, the report said.
The security control assessment, being performed by an independent testing organization, was originally supposed to be finalized by July 15, but was delayed in May, OIG said. The security control assessment is now expected to be finalized Sept. 20.
Finalization of the data hub's system security plan and security risk assessment was delayed twice, once in May and again in July, OIG said. Both were set for completion July 15.
The security control assessment, system security plan, and security risk assessment are components of the comprehensive security assessment, expected Sept. 30, that CMS needs to submit to its CIO before the data hub can go into production.
Trenkle is also coordinating with several federal agencies to test the data hub's ability to exchange data and to grant the agencies authority to connect to the data hub Sept. 30, OIG said. Those agencies are the Internal Revenue Service, Social Security Administration, Department of Homeland Security, Veterans Health Administration, Department of Defense, Office of Personnel Management, and Peace Corps.