HHS IG: Obamacare data hub won't be secure until system starts Oct. 1 --- maybe

By |
Paul Bedard,Washington Secrets,Obamacare,Health and Human Services,Health Care

The Department of Health and Human Services won't certify that the so-called Obamacare "data hub" used to collect and verify personal health and financial information of health insurance applicants is secure until the system kicks in on October 1--unless further delays push it back further.

The department's assistant inspector general told a convention of auditors Tuesday morning that the office handling Obamacare, the Centers for Medicare & Medicaid Services, or CMS, is still testing to make sure the system is secure from hackers and other digital attacks.

Kay Daly said that CMS has promised the HHS inspector general that the system security certification will come on time, the day before Obamacare kicks in. But in a sign of doubt, she added, "We are looking forward to seeing how this all works out."

In her address to the American Institute of CPAs, she said that CMS is "looking at the vulnerability assessments of the hub" used by state, federal and insurance company officials to judge applicants. The information being collected includes salary, Social Security numbers, personal health information and even pregnancy status.

Daly said that the system doesn't store data, but lawmakers on Capitol Hill have worried that it is too vulnerable to a hacker attack.

Daly sounded cautious in her comments. "Isn't there always a however," she asked.

"Several critical tasks remain to be completed in relatively short time frame. First, the final independent testing of the hub is not complete, and that's going to be occurring in the near future. They still are remediating the security vulnerabilities that had been identified during certain testing of the hub and they are going to be attaining the security authorization decision for the hub, but that is not due until September 30th," she said.

"According to CMS's current timeline, the security authorization decision by the authorizing official, and this case it's going to be the CMS CIO, is expected on September 30th of 2013," Daly added.

"I think we all just heard that the scheduled enrollment date is October 1st, so CMS is working in some very tight deadlines to ensure that security measures for the hub are assessed, tested and implemented by the expect go live date. If there are any additional delays in completing the security authorization package, the CMS CIO may not have a full assessment of the system risks and security controls needed for this decision, but CMS officials have told us that they are confident they're going to make that date and they will be operationally security and will have that security authorization by October 1st, so, you know we are looking forward to seeing how all this works out as I think everyone else is who will be relying on these exchanges."

Paul Bedard, The Washington Examiner's "Washington Secrets" columnist, can be contacted at pbedard@washingtonexaminer.com.