Medical industry experts criticized the Obama administration’s secret implementation of Obamacare’s “data hub” in a congressional oversight hearing Wednesday afternoon investigating the security of the law’s infrastructure.
The Cybersecurity and Infrastructure Protection Subcommittee of the House Homeland Security Committee held the latest in a series of hearings on the security of the cyber infrastructure the Obama administration is building to undergird the law.
The “data hub,” which the Department of Health and Human Services (HHS) is building, will route information from multiple federal agencies to the state-based health insurance exchanges. Stephen Parente, a health information technology expert at the University of Minnesota, called the data hub “the largest personal data integration government project in the history of the Republic.”
“No one has said how the data hub will actually operate to ensure no privacy breaches as well as safeguard against identity fraud,” Parente said.
Subcommittee chairman Patrick Meehan (R., Pa.) warned against “very sophisticated actors, including state actors,” that might seek to penetrate the law’s infrastructure to steal the personal information of American citizens buying health insurance.
“The fact that only a handful of individuals know truly how this will operate may preserve some security … but it could also be viewed as a failure,” Parente said.
When officials from the HHS Inspector General Office (IG) audited the data hub’s progress, they did not have access to some HHS security documents, noted Michael Astrue, a former HHS general counsel and Social Security commissioner.
“With HHS’s expanded role in health care, Americans need an inspector general who is a watchdog, not a lapdog,” Astrue said.
An HHS IG official told the committee that the documents were not available during the audit, although she could not confirm if the IG has received them since the audit was completed. The audit report was published at the beginning of August.
The IG audit has generated considerable concern among members of Congress, as the report said HHS would complete security testing on Sept. 30, the day before the exchanges are scheduled to open. Some congressmen have called on the administration to delay part of the law due to security uncertainties.
However, the administration announced on Tuesday that the data hub’s testing has been completed. The IG official at the hearing could not confirm this report.
“I’m outraged,” said Astrue about the IG office’s lack of knowledge. He said that he never trusted contractors—who have done the security testing for HHS thus far—to have the final word on the security of government programs. This role should fall to inspectors general, he argued.
“This is a new IG that is failing in his duty to the American people,” Astrue said.
The federal government has defended the data hub in the past by saying that no information will be stored on the hub itself. Astrue noted that this defense is problematic legally.
The Center for Medicare and Medicaid Services (CMS) “needs to store data to create forensic trails necessary to track security breaches; failure to establish forensic trails would create a serious issue under the Federal Information Security Management Act of 2002,” Astrue said.
Meehan also highlighted the risk posed by “navigators” that the government is hiring to help people sign up for insurance. The navigators will be collecting personal information, creating a potential risk for identity theft and fraud, Meehan said.
“If that’s not an invitation to widespread fraud against the most vulnerable people in our country, I don’t know what is,” Astrue said in response.
Other government programs and private industries have had rollout problems and security breaches, said Matt Salo, the executive director of the National Association of Medicaid Directors.
“It is unrealistic to expect that these things can be prevented entirely,” Salo said.
He predicted that the exchanges would not open smoothly.
“As we approach the open enrollment date of Oct. 1, 2013, there is one lesson that clearly stands out: We must be prepared for a turbulent takeoff,” Salo said.