Security testing for the data hub that will connect state health insurance exchanges created under the Affordable Care Act with federal agencies is behind schedule, according to a new report published by the U.S. Department of Health & Human Services Office of Inspector General. In our ongoing coverage of the new health care law, we have previously discussed insurance exchanges in some detail.
"CMS is working with very tight deadlines to ensure that security measures for the Hub are assessed, tested, and implemented by the expected initial open enrollment date of Oct. 1, 2013," the report's authors said. "If there are additional delays in completing the security assessment and testing, the CMS CIO may have limited information on the security risks and controls when granting the security authorization of the Hub."
Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, told Reuters that CMS has removed its margin for error.
"There is huge pressure to get [the health insurance exchanges] up and running on time, but if there is a security incident, they are done," McGraw said. "It would be a complete disaster from a PR viewpoint."
CMS officials, in follow-up comments to the OIG, expressed confidence that the hub will be secure.
According to reports: "A security control assessment (SCA) initially was supposed to have taken place between June 3 and 7, according to the report, but in May was pushed back to July 15. The assessment still has not taken place, and is scheduled to be performed between August 5 and 16. The Centers for Medicare & Medicaid Services stated that the testing was moved to in order to first complete performance stress testing for the hub."
In addition, legislation introduced last month by Rep. Pat Meehan (R-Pa.) calls for a one-year delay in the launch of the hub. Meehan, in a statement about the legislation (H.R. 2837), said the abuse and theft potential for information stored in the hub is "unprecedented."
"In a letter sent to U.S. Department of Health & Human Services Secretary Kathleen Sebelius in June, 16 Republican lawmakers raised concerns about the hub, saying that 'it remains unclear whether it will be operable and able to protect sensitive health and taxpayer information.'"
Along with Meehan's legislation, Utah's Sen. Orrin Hatch, ranking Republican on the Senate Finance Committee, has asked the Government Accountability Office to review security and privacy features of the data hub for the new health insurance exchanges, The Hill's Healthwatch reported.
Hatch asked for information on the "security and privacy of the data being exchanged" through the hub, which will connect state health insurance exchanges with federal agencies to determine if an exchange applicant is eligible for subsidies. Hatch also asked the GAO to explain how federal agencies are planning to manage risk and to determine the effectiveness of plans to correct any problems.