IT Experts Answer Obamacare Questions
Congressional Hearing Dives Into Security Concerns
Members of the House Oversight Committee questioned top Obama administration IT leaders on Nov. 13 about the technical woes of the HealthCare.gov website, inquiring as to whether consumer data is at risk because of the absence of end-to-end security testing before the Oct. 1 site launch.
During questioning, Henry Chao, deputy CIO at the Centers for Medicare and Medicaid, which is responsible for the Affordable Care Act's website, acknowledged HealthCare.gov wasn't fully tested before it launched because "parts of the system are still being built." For instance, first premium payments to insurers by consumers aren't due until January, so that aspect is among components that weren't ready for testing before the October launch, he said.
While full end-to-end security testing was not completed before Oct. 1, components of the system were tested before going live, and testing and assessment of the system is continuous, Chao said. "Other components still being built will be tested," he added. "Security testing is ongoing."
David Powner, director of IT management issues at the Government Accountability Office, a watchdog agency for federal projects, testified: "Bottom line, security testing wasn't done on a complete system. In order to ensure data is secure, you want to test on as much of a complete system as possible. ... The question is, what's being done now with testing and is it adequate?"
During other recent Congressional hearings about the HealthCare.gov technical problems, technology contractors that helped develop the website testified that end-to-end testing of the integrated components did not begin until mid-September (see: Obamacare Website Security Questioned).
End-to-end testing of the website should have been completed about six months before going live, testified Richard Spires, former CIO at the Department of Homeland Security, during the Nov. 13 hearing.
Chao also said that a Nov. 11 news report by CBS based on leaked testimony by Chao during a recent closed-door meeting with the Oversight Committee was released "out of context." The CBS report said a Sept. 3 government memo written by another official at CMS warned of "the threat and risk potential" of HealthCare.gov. But Chao testified that the Sept. 3 memo was not referring to the entire HealthCare.gov system, but rather two modules of the system - one related to dental plans and the other qualified health plans - that aren't active yet and will not contain consumer data.
"The document leaked to CBS didn't relate to active parts of HealthCare.gov or consumer information," Chao said.
Chao also testified that the HealthCare.gov system, as well as "every system" at CMS, has security testing in compliance with the Federal Information Security Management Act, or FISMA, and that "testing is iterative and ongoing."
"Cybersecurity is part of everything we do," testified former Microsoft executive Steven VanRoekel, who is U.S. CIO and administrator of the office of electronic government. That includes "abiding by NIST [National Institute of Standards and Technology] standards, which were co-developed by banking and other sectors," he added.
Ethical Hacker Testing
Frank Baitman, deputy assistant secretary for IT at the Department of Health and Human Services, also testified that during the partial government shutdown in October, "CMS asked us to engage an ethical hacker" to look for vulnerabilities in the HealthCare.gov site. The tester found "7 to 10 items ... that were not serious," Baitman said, including a physical security issue. CMS has remediated the majority of the issues identified, "but I don't believe it is 100 percent," he added.
Todd Parker, who was co-founder of electronic health record vendor athenahealth before taking on the post of U.S. chief technology officer in 2009, testified that "CMS has a great track record in protecting the privacy of consumers."
"This is a major website that's a target for hackers, and touches IRS and Social Security systems," said Rep. Blake Farenthold, R-Tenn., who noted that he's a former web developer. He asked Chao if the public would be informed if there is a data security or privacy incident on the HealthCare.gov system. "There are several laws and rules that apply to breaches," and notification, Chao answered.
Enrollment So Far
At a Nov. 13 CMS press briefing, HHS Secretary Kathleen Sebelius reiterated that HealthCare.gov technical problems are continuing to be ironed out and that the "vast majority" of consumers who want to enroll for health plans on the site should be able to do so by Nov. 30.
Also, CMS on Nov. 13 released enrollment numbers through mid-November. So far, 27,000 consumers have enrolled in private health insurance plans via the 30-plus state insurance exchanges that are federally facilitated (supported by HealthCare.gov), and more than 79,000 have enrolled in plans via the state-run exchanges. More than 975,000 consumers have applied on the sites and received eligibility determinations but have not enrolled in a plan. In any case, the total 106,000 enrollments during the first month of the program falls short of the Obama administration's reported goal of 500,000.
CMS has launched an e-mail outreach program to contact consumers who visited HealthCare.gov but were unable to complete the enrollment process due to technical difficulties. About 275,000 consumers will be contacted by CMS in that first wave of outreach, a CMS spokeswoman says.