After concerns about delays, the federal data services hub, an integral part of health insurance exchanges, is ready to be deployed, federal officials say. But members of the House Subcommittee on Cyber Security are skeptical.
The assertion by federal officials that the data services hub necessary to support health insurance exchanges has successfully completed security testing and is operationally ready was challenged at a House subcommittee meeting Wednesday.
Rep. Patrick Meehan (R-PA), who chairs the Subcommittee on Cyber Security, Infrastructure Protection, and Security Technologies for the House Homeland Security Committee, disparaged the administration's claims.
"Just last month we were told that [it] wouldn't be ready until the end of Sept. 30. Now lo and behold [security testing] was completed on Sept. 6 and it's ready to go?" He added incredulously, "this is an agency [Department of Health & Human Services] that for three months failed to meet a single deadline."
See Also: Vendors Vow HIX Will Be Ready on Time
The data services hub will provide one connection to the federal data sources needed to verify consumer application information on the health insurance exchanges.
Meehan's opposition to the data hub is well documented. Citing the potential for the abuse and theft of personal information, in July he introduced HR 2837, which calls for a one year delay in the hub's launch.
Most of the committee member's questions were fielded by Kay Daly, the assistant inspector general for audit services in the Office of Inspector General at HHS.
Daly's office released just last month a report on the implementation of the data services hub [PDF] from a security perspective. It noted that a "security authorization decision by the authorizing official, the CMS Chief Information Officer, is expected on Sept. 30. CMS is working with very tight deadlines to ensure that security measures for the Hub are assessed, tested, and implemented by Oct. 1. If there are additional delays in completing the security assessment and testing, the CMS CIO may have limited information on the security risks and controls when granting the security authorization of the hub."
Daly said during her testimony that CMS had just reported that the security authorization was completed on Sept. 6. Daly's office had not yet been able to do a thorough assessment of the new information, she said.
Meehan confirmed with Daly the steps in the security authorization process, including beta testing to identify the program flaws, making repairs, and then retesting. "Two or three weeks ago they couldn't certify to us that they had begun the beta testing," Meehan said, "do you believe that they made up all that work in such a short time?"
Daly explained that her office would have to review the related work documents before she could make any assessment.
Several committee members asked about the availability of documentation that could inform Congress and the general public of the efficacy of the system and the results of testing.
Daly replied that her department focused on the security of the hub and not how well the hub functioned. "That was beyond our scope. We understood that GAO would could that aspect."
Several committee members, and one witness, took exception to the data hub testing process being performed by an independent contractor—although contracting for this type of work is not uncommon.
"Speaking for myself, I never relied on a contractor to give complete assurance" on the efficacy of a process," stated Michael J. Astrue, who served as Social Security Commissioner under the Bush and Obama administrations. He left the office in February 2013.
"The OIG is set up to make independent assessments. I am outraged that you would rely on a contractor [for] complete assurance."
Astrue added that transparency is important. "You need to know if this system is secure, whether it's violating privacy, and whether it's doing its job. You don't know that right know. If the OIG defines its job so those things aren't relevant areas then you need to [ask] GAO to fill the gap where OIG isn't fulfilling its responsibility."
Although no officials from CMS were called to testify, the agency did release a data services hub fact sheet on Wednesday ahead of the subcommittee hearing. It says, in part, "The hub and its associated systems have several layers of protection in place to mitigate information security risk. CMS has developed an extremely strong enterprise information security program to protect consumer information in a secure and efficient manner during open enrollment and beyond."
The system will use "a continuous monitoring model that will utilize sensors and active event monitoring to quickly identify and take action against irregular behavior and unauthorized system changes that could indicate a potential incident."
Meehan closed the subcommittee hearing without calling for any action, but expressed his concern that the hearing had raised more questions about the readiness of the data services hub.
Margaret Dick Tocknell is a reporter/editor with HealthLeaders Media.
