Astrue added that transparency is important. "You need to know if this system is secure, whether it's violating privacy, and whether it's doing its job. You don't know that right know. If the OIG defines its job so those things aren't relevant areas then you need to [ask] GAO to fill the gap where OIG isn't fulfilling its responsibility."
Although no officials from CMS were called to testify, the agency did release a data services hub fact sheet on Wednesday ahead of the subcommittee hearing. It says, in part, "The hub and its associated systems have several layers of protection in place to mitigate information security risk. CMS has developed an extremely strong enterprise information security program to protect consumer information in a secure and efficient manner during open enrollment and beyond."
The system will use "a continuous monitoring model that will utilize sensors and active event monitoring to quickly identify and take action against irregular behavior and unauthorized system changes that could indicate a potential incident."
Meehan closed the subcommittee hearing without calling for any action, but expressed his concern that the hearing had raised more questions about the readiness of the data services hub.