
Health Agency Watchdog Doesn’t Have Time to Vet Obamacare Cyber Designs


Inspectors have declined to review draft and final security plans for health insurance online marketplaces set to launch Oct. 1.

Due to limited means, Health and Human Services Department internal watchdogs do not intend to examine key security designs they did not have a chance to assess during a recent audit of Obamacare’s online insurance network, a federal investigator told Nextgov. 

At a Wednesday House hearing, lawmakers and the former Social Security Administration commissioner blasted the HHS inspector general for failing to probe the system's vulnerability to hacking. The so-called hub, which opens Oct. 1, will transmit personal information to and from various agency databases when a patient visits a government website, called an “exchange,” to sign up for insurance coverage. 

“We've got to cut off our work at a certain point," HHS assistant inspector general Kay Daly said during an interview on Friday. A system security plan and risk assessment completed July 16 did not make it into the Aug. 2 audit, because their inspection ended on July 1, she said. 

"We don't have any plans to look at those at this time. We are still trying to figure out what's the best use of our resources, given all the various risks associated with this project and many others," Daly added.  

Former SSA Commissioner Michael Astrue, who observed the hub's construction until his term ended in January, chided the inspector general at the hearing for overlooking existing draft security plans.

Daly on Friday said, "We did not view it to be really essential for us to review a draft plan because it was still subject to change." Centers for Medicare and Medicaid Services, the entity responsible for protecting Obamacare records, did not withhold the material, she said.

The hub was constructed to retrieve, from separate government databases, enrollee information requested by consumers, regulators, insurers and marketplace staff. The information technology could become the target of criminals attempting to steal personal data from the multiple databases, as well as anti-Obamacare hacktivists determined to disrupt health care reforms, health IT specialists say. 

Daly said, "Due to the breadth and scope of those exchanges, coupled with our limited resources, it's imperative that we continue to coordinate with other accountability organizations, such as [the Government Accountability Office], state auditors and other IG offices, to have a shared oversight responsibility, [and] to determine where to focus our future work."

The network won’t store data, but will instead link to databases maintained by HHS, Social Security, the Internal Revenue Service, the Veterans Affairs Department and others.

Cyber contractors have finalized security plans and finished testing protections, according to CMS. The agency on Sept. 6 self-certified the hub as safe to launch, after reviewing the assessments to ensure all potential compromises have been addressed, as is practice under federal rules. 

CMS officials deferred to the IG’s office for this story.

Following Wednesday’s hearing, some privacy groups backed the approach the Obama administration and CMS have taken to control access to the hub.

"The most important decision -- not to store data in this hub, and to use the hub as a router of information -- was made right at the start," said Deven McGraw, Health Privacy Project director with the Center for Democracy and Technology. "Nevertheless, there is still a need to secure the connections between agencies that hold the sensitive data -- like the IRS and the Social Security Administration -- and the exchanges."

The real test comes when the marketplaces go live.

"Whether the security of the data hub is as secure as the White House and CMS have asserted will be proven after these exchanges go live," McGraw said. "We believe the administration, vested in the success of health reform, has a strong incentive to get security right."
