Transcript for audio podcast:
Federal News Radio: CMS's Implementation of the Data Services Hub
From the Office of Inspector General of the Department of Health and Human Services
Come October 1st, many Americans will go online to buy health insurance through new federal and state exchanges. They will type their names, their income, and other personal information into online applications that are routed through a federal data hub. The government's ability to keep that data secure will make or break Obamacare. Now, a report from the Department of Health and Human Services Inspector General reveals the agency is far behind in testing the security of the system. Assistant Inspector General for Audit Services Kay Daly joins us now with more. Good Morning, Kay.
Good morning, Emily. I want to thank you for having me on your program today so I can share with the listeners some of the key takeaways from our recently issued report on the security of the data hub that is being developed by the Centers for Medicare and Medicaid Services that we commonly refer to as CMS.
Absolutely, and Kay, we are happy to have you here. First of all, just describe to me exactly what this hub is so that we can get a better idea about what it does in terms of the whole idea of people buying health care through these exchanges.
Well, the hub is basically for exchanges and serves as a one-stop-shop where individuals will get information about their health insurance options, be assessed for eligibility, and enroll in the health plan of their choice. Some of the exchanges will be operated by states, some will be federally operated, and others will be operated in a partnership arrangement between the state and federal government. Now Emily, it is important to note that the hub does not store data. It just acts as a conduit for the exchanges to access the data from where they are stored. The hub is intended to support the exchanges by providing a single point where the exchanges can access data from several sources, including federal agencies and their state partners.
Alright, so the hub is overseen by CMS. What are the other federal agencies involved in this process? Won't they be receiving data funneled through the hub?
Well yes, Emily, there will be various interchanges with federal partners. Some of the key ones include the Internal Revenue Service, the Social Security Administration, the Department of Homeland Security, the Department of Veterans Affairs, the Department of Defense, the Office of Personnel Management, and the Peace Corps. CMS has executed some key security-related documents with its federal partners, and is in the process of finalizing service level agreements with these partners. They are in various levels of completion. These agreements establish the agreed-upon services and availability, including response times and the days and hours of availability of both the hub and those federal partner selected systems.
Certainly this underscores the importance of the hub to basically how the entire system works. In your report, you list this calendar, or schedule, of certain dates for security requirements. What it shows to me is that CMS has pushed back these dates, sometimes two months, and it could be running up against that October 1st deadline for the final things in that security checklist. Give me a picture of what is happening in terms of the ability for CMS to meet deadlines in terms of why it is falling short of those.
Well, Emily, there are a number of factors involved with this. In some cases, the security control assessments that were being done were moved so that the performance stress-testing of the hub, that is how well it can respond and provide the services, could be finished and that the vulnerabilities that were identified during that performance-stress test could be remediated. CMS wanted to do the remediation before the security control assessment began. Now, if CMS took a different approach and began it earlier in the process, they may have to do additional security control assessments after that remediation was complete, so that was one of the factors in determining that some of the dates needed to be revised with the iterative approach they were taking. In another case, with the security authorization package, that package needed to include the system security plan, the information security risk assessment, and the security control assessment report, so all of those documents do need to be completed before that security authorization package can be pulled together with the full assessment of the system risk and security controls. And a final point I'd like to make, it is important to note that these are internally established milestones that were being developed as the process was ongoing, and those are typically revised throughout a project.
Does the fact that they haven't made their own deadlines signify that this project has become more complicated than even anticipated? Why were they not able to do it? What sort of unforeseen circumstances did they run into?
Well, Emily, our work really focused just on the security testing of the hub and the approach they were taking with it. I want to emphasize that CMS was using the National Institute of Standards approaches for doing this testing. In fulfilling our oversight mission, we focused on the security control of that. GAO has also done a report that focused more on the functionality. Now, our work on the security controls showed that CMS is addressing and testing those controls during the development process. They are looking at the security testing in the development piece, looking at the vulnerability assessments, they have been logging and tracking defects as they go, and they have been correcting and retesting those hub services to ensure that those vulnerabilities are remediated. We do recognize that several critical tasks remain to be completed in a very short period of time, such as the final independent testing of the hub security controls. Also, they need to be remediating those security vulnerabilities identified during that testing, and obtaining security authorization decision for the hub before opening the exchanges. CMS's current schedule is to complete all of those tasks before October 1st in time for that expected initial enrollment period.
We're speaking with Kay Daly, and she's the Assistant Inspector General for Audit Services at the Department of Health and Human Services. So the final date due, according to their schedule, for the security authorization decision is September 30th. This is supposed to go online the day after, October 1st. So a lot of pressure; and what happens if they don't make the deadline?
Well Emily, if there are additional delays in completing the security authorization package, the CMS Chief Information Officer, he is the one to be providing the security authorization, may not have a full assessment of the system risks and security controls needed for that security authorization decision by the initial enrollment period. But CMS officials have told us, and they have testified before Congress, that they are confident the hub will be operationally secure and it will have that security authorization before October 1st of 2013.
But what if they don't? I think people who might want to buy health insurance could be worried about the security of their data.
Well, Emily, there are a number of risks that are involved in a project of this nature, and CMS is taking a measured approach to try to address those. I think we are just going to have to wait and see, because no one can predict the future at this point, as you know.
Absolutely. Is the Office of Inspector General making any recommendations for what they could do between now and September 30th to make sure that this happens on time?
Our report does not include recommendations. Basically, we were trying to provide a status report of the security system approach CMS was taking just to inform all stakeholders about what operations are ongoing related to that. So we don't have recommendations in the report, but we do point out some of the processes in place to provide that security and some of the tight schedule deadlines that need to be met.
What has been the reaction so far amongst those stakeholders?
I think the stakeholders so far have been very interested in our report. We have been taking a number of steps to ensure, such as this program here today (Oh, yeah, you got our attention), we are informing you and your listeners. That is an important part of the mission here at the Inspector General's Office, in that we are to provide an unbiased look at the operations of this department and CMS, and certainly the rollout of the data hub is a key aspect of one of the key initiatives CMS has underway now.
Kay Daly is the Assistant Inspector General for Audit Services at the Department of Health and Human Services, and thank you so much for joining us.
Thank you, Emily. I'm so pleased you had me here today.