The deadline for Obamacare is looming, and in less than two short weeks the Centers for Medicare/Medicaid Services is supposed to have completed its testing of the “hub” that will connect no less than seven Federal agencies to all fifty states' health insurance exchanges. It is an enormously important undertaking, and one that has garnered a lot of attention lately regarding the risks involved in connecting all of these many databases of information on private citizens, overseen by the agency that could not successfully manage its responsibility to oversee the HIPAA Security Rule. Let's see a show of hands out there for those that have complete confidence in this project… not many hands up.
In fairness to CMS, I’m not sure there would be a lot of hands up regardless of who had the project. We’re talking about connecting information data sources from across the government and all fifty states for every person in America. Not trivial by anyone’s estimation. The Wall Street Journal called it "the largest personal information database ever attempted by the federal government" and raised the alarm for potential abuses. Forbes reported that the HHS OIG itself admitted that HHS had not yet set up adequate safeguards to protect your privacy.
What is involved here? This “hub” will be used to connect information from federal databases with information from state level health insurance exchanges to determine eligibility, exchange subsidies and assess penalties if appropriate. To do this effectively they are going to need access to your financial, medical and employment information. That information will come from seven different government agencies: the Internal Revenue Service (that engenders a lot of confidence), the Social Security Administration (that might be OK, some say it won’t be around for long anyway), the Department of Homeland Security (God only knows what information they have), the Veterans Health Administration (as a Veteran I’m not sure what hasn’t been exposed already here through breach), the Department of Defense (OK, this one is serious), the Office of Personnel Management (that gets everyone else), and the Peace Corps (Really…). All kidding aside, this is an unprecedented amount of information and access to be brought together in one place.
What governs the protection of this hub? Obviously there is patient information involved here, so the HIPAA Privacy and Security Rules apply, but CMS must also comply with the Privacy Act of 1974 as well as the Federal Information Security Management Act of 2002. That means that CMS must apply safeguards for protecting the information consistent with National Institute of Standards and Technology guidance. That also means that the security plans and controls implemented around the hub must be tested before the system goes into production. The question is: who is performing this testing? Best practice dictates that an independent, objective party should perform the accreditation testing for information facilities processing sensitive information. I think it's safe to say we’re talking about sensitive information here, so who, besides CMS, is testing this hub? Secondarily, the risk does not lie just with the hub or CMS. We also need to consider the risk associated with the state level health insurance exchanges. Who is testing those nodes and connections? Insurers have had their share of breaches and mishaps with data, with some even sanctioned by HHS.
Don’t get me wrong; I, like everyone else reading this, know that this is inevitable, but the Administration and CMS could go a long way towards building consumer confidence if they were more transparent regarding their plans for security. Specifically, their plans for testing this hub and its spokes, the standards they intend to hold participants responsible to, and how they intend to audit activity to reduce the risk of abuse. Hopefully the people advising Secretary Sebelius and Administrator Tavenner are advising them that it's in the Department’s and the consumers' best interest to have a rigorous and objective testing and monitoring program around this hub.