
Security Among Questions Dogging Exchange Rollout

New concerns about data security on the health care reform exchanges are being raised by Republican lawmakers, who cite an internal agency memorandum that warned of inadequate testing on the eve of the exchanges’ Oct. 1 rollout.

The security control assessment (SCA) required by the Federal Information Security Management Act (FISMA) “was only partially completed” because the system was not ready in time, according to a Sept. 27 memo to Marilyn Tavenner, director of the Centers for Medicare and Medicaid Services (CMS). “From a security perspective, the aspects of the system that were not tested due to the ongoing development, exposed a level of uncertainty that can be deemed as a high risk” for the Federally Facilitated Marketplace (FFM).

This memo’s Oct. 30 publication by the Associated Press, the same week that federal officials were grilled on Capitol Hill over the FFM’s startup glitches and a wave of health policy cancellations, set off a new round of congressional inquiries. “As each day goes by, more concerns are raised with healthcare.gov’s security, as well as the administration’s competency to fix the lingering problems,” said Rep. Fred Upton, R-Mich., chairman of the House Energy and Commerce Committee.

In an Oct. 31 letter to Kathleen Sebelius, secretary of the U.S. Department of Health and Human Services, Upton and other committee Republicans requested a number of documents regarding HHS’ security assessment and testing process for the FFM, to shed light on “whether the failure to conduct a complete [SCA] increases the risk to the FFM.”

Republican senators also queried Sebelius on the website’s privacy and security. “Serious questions remain as to the privacy and security of the very detailed personal information being transmitted through the [FFM] and what testing, if any, occurred or is occurring to ensure that information is secure,” according to the Oct. 29 letter from Sen. Orrin Hatch, R-Utah, ranking minority member of the Senate Finance Committee, and the committee’s other 10 Republicans.

The Sept. 27 memo to Tavenner from CMS staff had recommended that she issue a temporary “Authority-to-Operate” and implement a two-phase mitigation plan. The plan, to which Tavenner agreed, entails a series of tests and scans by a dedicated security team, followed by a transfer of the FFM systems to CMS’ Virtual Data Center in the first quarter of 2014. “The six-month period will allow the Marketplace to normalize its development activities while enabling the security team to closely monitor activities and perform a complete SCA.”

Federal information systems like the FFM must comply with FISMA’s elaborate security procedures, including a system security plan, information security risk assessment and SCA report.

Data privacy and security issues affecting health plans are addressed in the Employer’s Guide to HIPAA Privacy Requirements.
