Health Agency Watchdog Doesn’t Have Time to Vet Obamacare Cyber Designs

everything possible/Shutterstock.com

Inspectors have declined to review draft and final security plans for health insurance online marketplaces set to launch Oct. 1.

Due to limited means, Health and Human Services Department internal watchdogs do not intend to examine key security designs they did not have a chance to assess during a recent audit of Obamacare’s online insurance network, a federal investigator told Nextgov. 

At a Wednesday House hearing, lawmakers and the former Social Security Administration commissioner blasted the HHS inspector general for failing to probe the system's vulnerability to hacking. The so-called hub, which opens Oct. 1, will transmit personal information to and from various agency databases when a patient visits a government website, called an “exchange,” to sign up for insurance coverage. 

“We've got to cut off our work at a certain point," HHS assistant inspector general Kay Daly said during an interview on Friday. A system security plan and risk assessment completed July 16 did not make it into the Aug. 2 audit, because their inspection ended on July 1, she said. 

"We don't have any plans to look at those at this time. We are still trying to figure out what's the best use of our resources, given all the various risks associated with this project and many others," Daly added.  

Former SSA Commissioner Michael Astrue, who observed the hub's construction until his term ended in January, chided the inspector general at the hearing for overlooking existing draft security plans.

Daly on Friday said, "We did not view it to be really essential for us to review a draft plan because it was still subject to change." The Centers for Medicare and Medicaid Services, the entity responsible for protecting Obamacare records, did not withhold the material, she said.

The hub was constructed to retrieve, from separate government databases, enrollee information requested by consumers, regulators, insurers and marketplace staff. The information technology could become the target of criminals attempting to steal personal data from the multiple databases, as well as anti-Obamacare hacktivists determined to disrupt health care reforms, health IT specialists say. 

Daly said, "Due to the breadth and scope of those exchanges, coupled with our limited resources, it's imperative that we continue to coordinate with other accountability organizations, such as [the Government Accountability Office], state auditors and other IG offices, to have a shared oversight responsibility, [and] to determine where to focus our future work."

The network won’t store data, but will instead link to databases maintained by HHS, Social Security, the Internal Revenue Service, the Veterans Affairs Department and others.

Cyber contractors have finalized security plans and finished testing protections, according to CMS. The agency on Sept. 6 self-certified the hub as safe to launch, after reviewing the assessments to ensure all potential compromises have been addressed, as is practice under federal rules. 

CMS officials deferred to the IG’s office for this story.

Following Wednesday’s hearing, some privacy groups backed the approach the Obama administration and CMS have taken to control access to the hub.

"The most important decision -- not to store data in this hub, and to use the hub as a router of information -- was made right at the start," said Deven McGraw, Health Privacy Project director with the Center for Democracy and Technology. "Nevertheless, there is still a need to secure the connections between agencies that hold the sensitive data -- like the IRS and the Social Security Administration -- and the exchanges."

The real test comes when the marketplaces go live.

"Whether the security of the data hub is as secure as the White House and CMS have asserted will be proven after these exchanges go live," McGraw said. "We believe the administration, vested in the success of health reform, has a strong incentive to get security right."
