Most of the committee members' questions were fielded by Kay Daly, the assistant inspector general for audit services in the Office of Inspector General at HHS.
Just last month, Daly's office released a report on the implementation of the data services hub [PDF] from a security perspective. It noted that a "security authorization decision by the authorizing official, the CMS Chief Information Officer, is expected on Sept. 30. CMS is working with very tight deadlines to ensure that security measures for the Hub are assessed, tested, and implemented by Oct. 1. If there are additional delays in completing the security assessment and testing, the CMS CIO may have limited information on the security risks and controls when granting the security authorization of the hub."
Daly said during her testimony that CMS had just reported that the security authorization was completed on Sept. 6. Daly's office had not yet been able to do a thorough assessment of the new information, she said.
Meehan confirmed with Daly the steps in the security authorization process, including beta testing to identify the program flaws, making repairs, and then retesting. "Two or three weeks ago they couldn't certify to us that they had begun the beta testing," Meehan said. "Do you believe that they made up all that work in such a short time?"