HHS
Inspector General reports that the data hub intended to support health
insurance exchanges will not be “secure” until the day before the exchanges are
due to open.
While
the report does not state that data security will not be in place, it notes
that time is running out. HHS has said
that the data hub will be secure and the exchanges will be up and running as most
recently scheduled. Federally-run health
insurance exchanges are due to open October 1, the opening day of open
enrollment.
An earlier timeline had called for the data hub to be designated as “secure” by
September 4. In the meantime, as of
Monday, August 5, prospective enrollees may go ahead and create new accounts
and begin collecting the required information for enrollment and coverage. Open enrollment is scheduled for October 1,
2013 through March 2014, with coverage beginning January 1, 2014.
Health insurance exchanges are State-based
competitive marketplaces where individuals and small businesses will be able to
purchase private health insurance. The hub will help facilitate the access of
data by exchanges; enable verification of coverage eligibility; provide a
central point for the Internal Revenue Service when it asks for coverage
information; provide data for oversight of the exchanges; provide data for
paying insurers; and provide data for use in Web portals for consumers.
As
explained by CQ HealthBeat: “The hub is the
mechanism by which the new health law marketplaces will receive data
establishing whether an insurance applicant is a U.S. citizen, what his or her
income is, whether the applicant is eligible for subsidies to buy coverage, and
the size of those subsidies. It will include links to the Internal Revenue
Service, the Department of Homeland Security, HHS, the Social Security
Administration and state agencies.”
As such, the role of the Hub is only as a
pass-through of information that resides elsewhere, in other data bases. It is not intended to actually store
information.
“It is important to note that the Hub does not
store data,” the OIG reports. “Rather it acts as a conduit for exchanges to
access the data from where they are originally stored. We evaluated the
adequacy of the development and testing of the Hub from a security perspective.
We did not review the functionality of the Hub.”
The reports summary notes that the OIG assessed the information technology
security controls that CMS is implementing for the Hub, adequacy of the testing
activities being performed during its development, and the coordination between
CMS and Federal and State agencies during the development of the Hub. As a conclusion, it notes that “CMS is working
with very tight deadlines to ensure that security measures for the Hub are
assessed, tested, and implemented by the expected initial open enrollment date
for health insurance exchanges of October 1, 2013. If there are additional
delays in completing the security assessment and testing, CMS may have limited
information on the security risks and controls before the exchanges open.”
As reported by CQ: The OIG document said
“several critical tasks remain to be completed in a short period of time, such
as the final independent testing of the Hub’s security controls, remediating
security vulnerabilities identified during testing, and obtaining the security
authorization decision for the Hub before opening the exchanges.”
No comments:
Post a Comment