Obamacare Nail Biter: Health Law Data Security Testing Delayed, Won't Be Authorized Until Day Before Exchanges Open

Less than two months from now, on October 1, Obamacare's health insurance exchanges are set to start enrolling beneficiaries. But the technology needed to run those exchanges still isn't ready. In fact, according to a recently released report from the Health and Human Services Inspector General, development—which was already facing tough deadlines—is running behind schedule. And there's no more room for additional delays. Final authorization for crucial protections on the volumes of sensitive personal data the law needs to be traded between federal agencies won't come until September 30—the day before enrollment is scheduled to begin.

The new IG report is a review of progress on the data hub that handles the transfer of personal information between multiple federal agencies—information needed to complete enrollment applications within the exchanges. In other words, it's sensitive stuff, and security is paramount. The IG's report, completed in May and released last week, didn't attempt to judge the data hub's functionality. Instead, it attempted to judge the security of the information being moved through the system.

But documents outlining the hub's security protocols weren't finished on time, and those the IG could see weren't finished. "Because the documents were still drafts," the report says, "we could not identify CMS's [Center for Medicare and Medicaid Service's] efforts to identify security controls and system risks for the Hub and implement safeguards and controls to mitigate identified risks." Security testing is behind too: Practice runs designed to detect problems that were initially set to begin last month were delayed, and didn't begin until this week. The report also notes that the official go-ahead on the hub's security features won't be given until September 30—a very, very last-minute deadline bumped back from an already cutting-it-close previous deadline of September 4.

It's been clear for a while that government officials are struggling to meet Obamacare's tech deadlines. In June, a Government Accountability Office report noted a string of missed deadlines regarding the implementation of the law, and warned that although "the missed interim deadlines may not affect implementation, additional missed deadlines closer to the start of enrollment could do so." The delays were significant enough that GAO said it couldn't determine whether the exchanges would open on time at all.

It's still too close to call. Without its last-minute security authorization, the data hub won't be online on October 1. Which could mean that the exchanges either don't open for business—or open with extremely limited functionality.

But right now, only the people on the inside really know what the state of play is on the exchanges. All the information in the IG report is essentially based on the word of the people working to implement the law. The internal auditor conducted interviews and read various documents, but did not actually use the data hub. That alone raises questions about the technology's readiness.

What's at stake here, however, isn't even whether the data hub works. It's whether the reams of personal data expected to flow through the system are sufficiently protected from misuse and inadvertent exposure. "The most likely serious security breach would be identity theft, in which a hacker steals the social security numbers and other information people provide when signing up for insurance," according to Reuters.

CMS insists the security precautions will all be ready on time, pointing to its "extensive experience building and operating information technology systems that handle sensitive data" thanks to Medicare and Medicaid. But the agency also has a convenient out if it can't get all the work done in time. The health care bureaucracy could give itself a pass even if there are still security holes in the system. As the Reuters report explains, "The requirement that CMS's chief information officer make a 'security authorization' decision does not mean the CIO has to conclude that the data hub is impregnable. He can decide that, despite identified security risks, the hub can operate."