News Feature | August 22, 2013

Data Hub Security Questioned As October HIX Deadline Looms

Source: Health IT Outcomes
Katie Wike

By Katie Wike, contributing writer

Americans should expect to be able to buy health insurance through state HIXs beginning October 1st, but missed deadlines for security testing may make it a risky proposition

American Action Forum produced an infographic detailing “the movement of deadlines” relating to the Affordable Care Act’s state-based insurance exchanges. While still scheduled to begin operating October 1, the text accompanying the infographic points out the Obama Administration decided to “to push back the final security testing steps” of the system that will allow each state exchange to access data from federal agencies through a hub.

“The hub will not store data, but data needs to be able to be transmitted through it securely,” notes American Action Forum. “Testing for the hub was supposed to begin, per a March report, on May 6th and be complete on September 4th. However, these dates were pushed back on at least two occasions, with final testing not scheduled to be complete until September 30th, the day before exchange enrollment is set to open.“

Forbes predicts the exchanges will open October 1 with disastrous consequences, writing, “If the exchanges fail to open as promised on October 1, it will be a major embarrassment for the Obama administration, possibly with significant political consequences.” Forbes continues, “On the other hand, if the system is not secure and they open it anyway, what is the cost? To the administration, very little. Although it is very likely that privacy will be violated and identities stolen, it won’t be definite, it won’t happen on Day 1, it won’t happen to everybody, and it won’t be publicly known – or even traceable to the data hub – for some time. By that point, the administration will have taken credit for opening the exchanges on schedule, and the news cycle will have moved on to other issues.”

Reuters agrees, writing the “missed deadlines have pushed the government's decision on whether information technology security is up to snuff to exactly one day before” operation is to begin and, “As a result, experts say, the exchanges might open with security flaws.”

Deven McGraw, director of the health privacy project at the non-profit Center for Democracy & Technology, is quoted as saying, “They've removed their margin for error. There is huge pressure to get (the exchanges) up and running on time, but if there is a security incident they are done. It would be a complete disaster from a PR viewpoint." According to Reuters, “The most likely serious security breach would be identity theft, in which a hacker steals the social security numbers and other information people provide when signing up for insurance.”

CMS Spokesman Brian Cook said, despite the incredibly tight deadline, there will be no delays. "We are on schedule and will be ready for the marketplaces to open on October 1,” he said. Reuters also quotes a CMS statement saying that agency “has extensive experience building and operating information technology systems that handle sensitive data" as a result of its experience with Medicare and Medicaid.