Security testing for the data hub that will connect state health insurance exchanges created under the Affordable Care Act with federal agencies is behind schedule, according to a new report published by the U.S. Department of Health & Human Services Office of Inspector General.
A security control assessment (SCA) initially was supposed to have taken place between June 3 and 7, according to the report, but in May was pushed back to July 15. The assessment still has not taken place, and is scheduled to be performed between August 5 and 16. The Centers for Medicare & Medicaid Services stated that the testing was moved in order to first complete performance stress testing for the hub.
"CMS is working with very tight deadlines to ensure that security measures for the Hub are assessed, tested, and implemented by the expected initial open enrollment date of Oct. 1, 2013," the report's authors said. "If there are additional delays in completing the security assessment and testing, the CMS CIO may have limited information on the security risks and controls when granting the security authorization of the Hub."
Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, told Reuters that CMS has removed its margin for error.
"There is huge pressure to get [the health insurance exchanges] up and running on time, but if there is a security incident, they are done," McGraw said. "It would be a complete disaster from a PR viewpoint."
CMS officials, in follow-up comments to the OIG, expressed confidence that the hub will be secure.
Legislation introduced last month by Rep. Pat Meehan (R-Pa.) calls for a one-year delay in the launch of the hub. Meehan, in a statement about the legislation (H.R. 2837), said the abuse and theft potential for information stored in the hub is "unprecedented."
And in a letter sent to U.S. Department of Health & Human Services Secretary Kathleen Sebelius in June, 16 Republican lawmakers raised concerns about the hub, saying that "it remains unclear whether it will be operable and able to protect sensitive health and taxpayer information." One of the lawmakers who signed the letter--Rep. Diane Black of Tennessee--brought up similar concerns in an opinion piece published in U.S. News & World Report.