Inspectors have declined to review draft and final security plans for health insurance online marketplaces set to launch Oct. 1.
Due to limited means, Health and Human Services Department internal watchdogs do not intend to examine key security designs they did not have a chance to assess during a recent audit of Obamacare’s online insurance network, a federal investigator told Nextgov.
At a Wednesday House hearing, lawmakers and the former Social Security Administration commissioner blasted the HHS inspector general for failing to probe the system's vulnerability to hacking. The so-called hub, which opens Oct. 1, will transmit personal information to and from various agency databases when a patient visits a government website, called an “exchange,” to sign up for insurance coverage.
“We've got to cut off our work at a certain point," HHS assistant inspector general Kay Daly said during an interview on Friday. A system security plan and risk assessment completed July 16 did not make it into the Aug. 2 audit, because their inspection ended on July 1, she said.
"We don't have any plans to look at those at this time. We are still trying to figure out what's the best use of our resources, given all the various risks associated with this project and many others," Daly added.
Former SSA Commissioner Michael Astrue, who observed the hub's construction until his term ended in January, chided the inspector general at the hearing for overlooking existing draft security plans.
Daly on Friday said, "We did not view it to be really essential for us to review a draft plan because it was still subject to change." Centers for Medicare and Medicaid Services, the entity responsible for protecting Obamacare records, did not withhold the material, she said.
The hub was constructed to retrieve, from separate government databases, enrollee information requested by consumers, regulators, insurers and marketplace staff. The information technology could become the target of criminals attempting to steal personal data from the multiple databases, as well as anti-Obamacare hacktivists determined to disrupt health care reforms, health IT specialists say.
Daly said, "Due to the breadth and scope of those exchanges, coupled with our limited resources, it's imperative that we continue to coordinate with other accountability organizations, such as [the Government Accountability Office], state auditors and other IG offices, to have a shared oversight responsibility, [and] to determine where to focus our future work."
The network won’t store data, but instead link to databases maintained by HHS, Social Security, the Internal Revenue Service, the Veterans Affairs Department and others.
Cyber contractors have finalized security plans and finished testing protections, according to CMS. The agency on Sept. 6 self-certified the hub as safe to launch, after reviewing the assessments to ensure all potential compromises have been addressed, as is practice under federal rules.
CMS officials deferred to the IG’s office for this story.
Following Wednesday’s hearing, some privacy groups backed the approach the Obama administration and CMS have taken to control access to the hub.
"The most important decision -- not to store data in this hub, and to use the hub as a router of information -- was made right at the start," said Deven McGraw, Health Privacy Project director with the Center for Democracy and Technology. "Nevertheless, there is still a need to secure the connections between agencies that hold the sensitive data -- like the IRS and the Social Security Administration -- and the exchanges."
The real test comes when the marketplaces go live.
"Whether the security of the data hub is as secure as the White House and CMS have asserted will be proven after these exchanges go live," McGraw said. "We believe the administration, vested in the success of health reform, has a strong incentive to get security right.