Uh-oh: Obamacare security testing is months behind, report says

August 6, 2013

Sharon Begley is one of the best reporters in the business, so it's no surprise she was the among the first to notice (alongside Politico's Jason Millman) a report that could spell trouble for Obamacare.

Last Friday, the Inspector General's Office at Health and Human Services released a report titled "Observations noted during the OIG review of CMS' implementation of the health insurance exchange-data services hub."

The most important observation: The federal government is months behind where it hoped to be in testing security features of a crucial health law component.

Much of this report focuses on the federal data hub, a single point where new marketplaces can access lots of information on who qualifies for what programs. This includes income data from the Internal Revenue Service and citizenship records from Homeland Security, alongside additional data from Health and Human Services and the Office of Personnel Management.

When dealing with such a massive amount of data, security is, unsurprisingly, a big concern. Or, as the Inspector General's report puts it, "Effective security controls are necessary to protect the confidentiality, integrity, and availability of a system and its information."

Back in March, Medicare was planning to perform a Security Control Assessment in mid-May. That testing essentially confirms that security controls in the federal data hub can function in the secure way they're meant to.

Flash forward to Aug. 6, and that testing still isn't done. A chronology of the delays is outlined in the report (SCA here stands for Security Control Assessment):

According to CMS’s March 2013 schedule, the SCA test plan was scheduled to be provided to CMS for its review on May 13, 2013, and the SCA was scheduled to be performed between June 3 and 7, 2013. However, in the May 2013 schedule, the SCA test plan due date was moved to July 15, 2013, and the SCA is now scheduled to be performed between August 5 and 16, 2013. CMS stated that the SCA was moved so that performance stress testing of the Hub could be finished before the SCA and any vulnerabilities identified during the stress testing could be remediated.

And here's what the delays look like in table form:

So, do the delays doom Obamacare and its security features? Not necessarily. The Inspector General's office thinks that "If there are additional delays in completing the security assessment and testing, the CMS CIO may have limited information on the security risks and controls when granting the security authorization of the Hub."

Put less technically: The federal government is running out of wiggle room. Fifty-six days before the marketplaces launch, delays paired with a massive workload have created an incredibly tight schedule. Health and Human Services Secretary Kathleen Sebelius talked to my colleague Sandhya Somashekhar about this in a recent interview.

"It is very tight," Sebelius said. "Ideally what you would do if you were building a data hub that needs this kind of information, you’d put a piece together and test that. You test it, if you will, sequentially. We have to build and test simultaneously…it’s a big operational issue but all systems are a go for the first of October."

At the same time, Sebelius has repeatedly committed to launching the health law's big programs on Oct. 1. And the more optimistic way to read this report is as the agency following through on that commitment, by prioritizing the testing that needs to happen right away, and pushing off the work that can wait until later.

The challenge then, is that later isn't very far away. It's not hard to guess that the administration would have, in an ideal world, stuck to its March schedule. But that didn't happen and the schedule was readjusted. While that readjustment worked back in May, it will become increasingly hard to do as we get closer to Oct. 1.

Update: Medicare spokesman Brian Cook emails, "We are on schedule and will be ready for the Marketplaces to open on October 1. This study was conducted in May, and we have made significant progress in the three months since then. CMS has extensive experience building and operating information technology systems that handle sensitive data.  This experience comes from many years administering the Medicare, Medicaid, and CHIP programs."

Comments
Show Comments
Most Read Business
Next Story
Sandhya Somashekhar · August 6, 2013