
Health Agency Watchdog Doesn’t Have Time to Vet Obamacare Cyber Designs

Inspectors have declined to review draft and final security plans for health insurance online marketplaces set to launch Oct. 1.

Due to limited means, Health and Human Services Department internal watchdogs do not intend to examine key security designs they did not have a chance to assess during a recent audit of Obamacare’s online insurance network, a federal investigator told Nextgov. 

At a Wednesday House hearing, lawmakers and the former Social Security Administration commissioner blasted the HHS inspector general for failing to probe the system's vulnerability to hacking. The so-called hub, which opens Oct. 1, will transmit personal information to and from various agency databases when a patient visits a government website, called an “exchange,” to sign up for insurance coverage. 

“We've got to cut off our work at a certain point," HHS assistant inspector general Kay Daly said during an interview on Friday. A system security plan and risk assessment completed July 16 did not make it into the Aug. 2 audit, because their inspection ended on July 1, she said. 

"We don't have any plans to look at those at this time. We are still trying to figure out what's the best use of our resources, given all the various risks associated with this project and many others," Daly added.  

Former SSA Commissioner Michael Astrue, who observed the hub's construction until his term ended in January, chided the inspector general at the hearing for overlooking existing draft security plans.

Daly on Friday said, "We did not view it to be really essential for us to review a draft plan because it was still subject to change." Centers for Medicare and Medicaid Services, the entity responsible for protecting Obamacare records, did not withhold the material, she said.

The hub was constructed to retrieve, from separate government databases, enrollee information requested by consumers, regulators, insurers and marketplace staff. The information technology could become the target of criminals attempting to steal personal data from the multiple databases, as well as anti-Obamacare hacktivists determined to disrupt health care reforms, health IT specialists say. 

Daly said, "Due to the breadth and scope of those exchanges, coupled with our limited resources, it's imperative that we continue to coordinate with other accountability organizations, such as [the Government Accountability Office], state auditors and other IG offices, to have a shared oversight responsibility, [and] to determine where to focus our future work."

The network won’t store data, but will instead link to databases maintained by HHS, Social Security, the Internal Revenue Service, the Veterans Affairs Department and others.

Cyber contractors have finalized security plans and finished testing protections, according to CMS. The agency on Sept. 6 self-certified the hub as safe to launch, after reviewing the assessments to ensure all potential compromises have been addressed, as is practice under federal rules. 

CMS officials deferred to the IG’s office for this story.

Following Wednesday’s hearing, some privacy groups backed the approach the Obama administration and CMS have taken to control access to the hub.

"The most important decision -- not to store data in this hub, and to use the hub as a router of information -- was made right at the start," said Deven McGraw, Health Privacy Project director with the Center for Democracy and Technology. "Nevertheless, there is still a need to secure the connections between agencies that hold the sensitive data -- like the IRS and the Social Security Administration -- and the exchanges."

The real test comes when the marketplaces go live.

"Whether the security of the data hub is as secure as the White House and CMS have asserted will be proven after these exchanges go live," McGraw said. "We believe the administration, vested in the success of health reform, has a strong incentive to get security right."
