Obamacare

Obamacare Nail Biter: Health Law Data Security Testing Delayed, Won't Be Authorized Until Day Before Exchanges Open

|

Whitehouse.gov

Less than two months from now, on October 1, Obamacare's health insurance exchanges are set to start enrolling beneficiaries. But the technology needed to run those exchanges still isn't ready. In fact, according to a recently released report from the Health and Human Services Inspector General, development—which was already facing tough deadlines—is running behind schedule. And there's no more room for additional delays. Final authorization for crucial protections on the volumes of sensitive personal data the law needs to be traded between federal agencies won't come until September 30—the day before enrollment is scheduled to begin.

The new IG report is a review of progress on the data hub that handles the transfer of personal information between multiple federal agencies—information needed to complete enrollment applications within the exchanges. In other words, it's sensitive stuff, and security is paramount. The IG's report, completed in May and released last week, didn't attempt to judge the data hub's functionality. Instead, it attempted to judge the security of the information being moved through the system.

But documents outlining the hub's security protocols weren't finished on time, and those the IG could see weren't finished. "Because the documents were still drafts," the report says, "we could not identify CMS's [Center for Medicare and Medicaid Service's] efforts to identify security controls and system risks for the Hub and implement safeguards and controls to mitigate identified risks." Security testing is behind too: Practice runs designed to detect problems that were initially set to begin last month were delayed, and didn't begin until this week. The report also notes that the official go-ahead on the hub's security features won't be given until September 30—a very, very last-minute deadline bumped back from an already cutting-it-close previous deadline of September 4.

It's been clear for a while that government officials are struggling to meet Obamacare's tech deadlines. In June, a Government Accountability Office report noted a string of missed deadlines regarding the implementation of the law, and warned that although "the missed interim deadlines may not affect implementation, additional missed deadlines closer to the start of enrollment could do so." The delays were significant enough that GAO said it couldn't determine whether the exchanges would open on time at all.

It's still too close to call. Without its last-minute security authorization, the data hub won't be online on October 1. Which could mean that the exchanges either don't open for business—or open with extremely limited functionality.

But right now, only the people on the inside really know what the state of play is on the exchanges. All the information in the IG report is essentially based on the word of the people working to implement the law. The internal auditor conducted interviews and read various documents, but did not actually use the data hub. That alone raises questions about the technology's readiness.

What's at stake here, however, isn't even whether the data hub works. It's whether the reams of personal data expected to flow through the system are sufficiently protected from misuse and inadvertent exposure. "The most likely serious security breach would be identity theft, in which a hacker steals the social security numbers and other information people provide when signing up for insurance," according to Reuters.

CMS insists the security precautions will all be ready on time, pointing to its "extensive experience building and operating information technology systems that handle sensitive data" thanks to Medicare and Medicaid. But the agency also has a convenient out if it can't get all the work done in time. The health care bureaucracy could give itself a pass even if there are still security holes in the system. As the Reuters report explains, "The requirement that CMS's chief information officer make a 'security authorization' decision does not mean the CIO has to conclude that the data hub is impregnable. He can decide that, despite identified security risks, the hub can operate." 

NEXT: Washington Officials Are Worried Medical Marijuana Could Cut Tax Revenue From Legal Recreational Marijuana

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. “Final authorization for crucial protections on the volumes of sensitive personal data the law needs to be traded between federal agencies won’t come until September 30?the day before enrollment is scheduled to begin.”

    Why don’t they just let the NSA handle the whole thing?

    Don’t they already have all that sensitive personal data?

      1. Boy these stories get my blood boiling. Why the hell are troops overseas incentivized with awards like the “Courageous Restraint” medal and given guns with no ammunition when guarding American consulates?

        I wish the movement to soften the view of our troops overseas was extending to our militarized police force here.

        1. You’re not properly understanding who the true enemy of the government is. You should probably go look in a mirror if you want to understand.

          1. I blame the media, religion, and high fructose corn syrup.

            1. HFCS is a symptom, not a cause.

          2. You’re absolutely right, Epi.

            I guess my frustration is that only a very small minority of citizens understand that. They unknowingly cheer for our own demise.

  2. So, how long until 4chan, LULZSEC, and the Confederation of Desperate Nigerian Peinces acquire every single Social Security number in existence?

    1. *Princes*

      1. Confederation of Desperate Nigerian Peinces

        I read that as Confederation of Desperate Nigerian Penises…..I’m not sure what that says about me…..but is pretty funny.

        1. 2nd that.

  3. But documents outlining the hub’s security protocols weren’t finished on time…

    Welcome to programming. Anyone who expected anything else should be fired and have to pay back every penny of salary he ever got.

    1. How can documentation be done on time when the programming wasn’t done on time? How can the programming be done on time when the documentation isn’t done on time?

      1. They have to write the program to find out what’s in it.

        1. I think this is a perfect description of the process they are using.

      2. How can documentation be done on time when the programming wasn’t done on time? How can the programming be done on time when the documentation isn’t done on time?

      3. And how can you have any pudding when you don’t eat your meat?

  4. Amazing how the government wants all of our data yet has the security skills of a mom-and-pop store run by a 95-year old with dementia.

    1. That’s not amazing. That’s standard operating procedure.

    2. Thank God the government is there to make sure everything is done right.

      That’s why they’re the regulators. If it wasn’t for the federal government, how would the private sector know how to do anything?

    3. +1 Strom Thurmond

      1. +1 Ted Stevens, +1 Tremendous Series of Tubes

  5. It’s almost like the Franciscans are running this project.

  6. The Sebelius Plan: Our Successes are defined by our Failures….and we Fail Every Day!

    I still want to know why reason.com feels compelled to post photos of Ric Flair every time something related to Obamacare comes up?

    1. She does kind of look like Ric Flair!

      At least, maybe they go to the same hairstylist.

    2. I their defense, they generally use a flattering picture of a younger Ric Flair.

    3. +1 Wooooooooo!

  7. If anyone went to Senior Management in a corporation with such a plan – s/he would be tossed out of the room, maybe the company.

    1. Liability demands it. Not only would the corporate officers toss them, they would document the shit out of how they sanctioned the person, fired them for gross negligence, held an exorcism of that person’s office or cubicle and ran training programs on this NOT being acceptable, all while telling their lawyers to settle any claims quietly with an NDA rider attached.

      1. Would computational demonology be involved in any way?

        1. I heard that anyone who discovers computational demonology ends up working for the government.

          1. Shhhh…. You’re not supposed to tell them. (Though It’s how I got my job.)

          2. Angleton wants to see you, Brett. Like, right now.

            1. Whoops. *Lights HoG*

            2. Angleton doesn’t have any pull here. Brett’s going to the OPA.

              1. I don’t want a soul sucking demon put in me! I’ll be good!

  8. It’s interesting how the ramming through of this law and its subsequent failures, despite being “required” by the law, are not met. It’s almost as if it’s a perfect example of how this is all the rule of man, not rule of law. They pass a law, and then ignore or change its requirements as need be, without a legislative session.

    So…how is it a law in any way if it can be ignored or modified at will by the executive?

    Oh…it’s not. Got it.

    1. The president was clear, Epi. If you think the executive is overreaching in some way, then you should make that case. But you are probably just out for him politically and can’t do that.

      Oh wait, you already did? Yeah…

      1. I’m actually being slightly serious here. If things are “mandated” in the law, and then cannot be achieved, how is the law valid in any way?

        For instance, let’s say a law was passed mandating that unicorns be bred until there were at least 100 of them, or that chicks were no longer allowed to possess more than two pair of shoes. How is an impossible law a law? I just don’t get it.

        1. Yeah, I mean, I still can’t believe the whole issue of Congress saying “you can’t do that, we’ll pass a law for it instead” and the admin saying “if you do, we’ll veto, because we can do it without a law” wasn’t a bigger deal. Seems like the definition of constitutional crisis to me. And since it steps on their own power even a bunch of D congresspeeps were unhappy about it. It’s pretty fucked.

          1. Pretty fucked? We’re seeing the scum in Washington decide that following the Constitution in even the slightest way is pretty inconvenient and they’ve decided they don’t need to do it any more when it suits them. That’s extremely fucked.

            1. Fine, fine, it’s EXTREMELY TO THE MAX FUCKED. And yet no one is being sued. So maybe it’s just that we’re extremely to the max fucked.

              But you know, they keep it interesting. I expected a shit show, but not quite this shit show. We should probably be thanking them for like, keeping the spark alive and shit.

            2. I will say it again; This is not a legitimate government. It is a criminal conspiracy.

        2. Welcome to the Progressive Era, Epi. This is what comes of a legal doctrine that teaches that the Will of the People, as expressed through their elected representatives, and not liberty, is the primary value underlying our Constitution. The courts must defer to the Legislative Will no matter how preposterous that “will” may be. To paraphrase the famous quote, if the People, through their elected representatives, want to go straight to hell, it is the court’s duty to help them get there.

          So if Congress declares that pigs must fly, that is the law.

      2. Shut up, Nicole. The men are talking. And Episiarch.

    2. So…how is it a law in any way if it can be ignored or modified at will by the executive?

      It appears that the liberals are convinced that the executive branch is really the administrative branch (didn’t they mock Bush for saying that?) and Obama needs to have broad leeway to enforce the law…by ignoring its provisions unilaterally.

      But only because of those nihilistic Republicans!

  9. Ah, schadenfreude. I knew this would happen. Just look at this chart of how the exchanges are supposed to work. Just a system in which the public looks at different health plans from different providers would be complex enough, but note the links to the IRS, Treasury, Social Security, HHS, Homeland Security, and state Medicaid systems. Far, far simpler government IT projects (internal systems for single departments, e.g. the FBI’s Virtual Case File) have failed miserably. Obamacare requires a secure public-facing system that connects to many other (very different) systems at the federal and state level, and complies with HIPAA requirements, which means an extra level of security.

    This is a future case study of the failures of bureaucracy and the hubris of modern statists. There is just no way that this is going to be functioning in October, if ever.

    1. Homeland Security? WTF?

      1. According to the chart, they are supposed to “verify residency.”

        1. Where did I put that internal passport?

    2. There is just no way that this is going to be functioning in October, if ever.

      I always write “Schadenfreude” on my Christmas wish list!

      1. And you’ve yet to be disappointed right?

  10. In government IT, those of us not involved in a porject generally add two years to the expected completion date for director mandated projects to estimate completion time (assuming it doesn’t get canned) Three for governor mandated projects and five for federally mandated projects. For projects initiated from the bottom, we instead measure the maximum amount of time. It has to be finished before the director gets wind of it and meddles if there is any chance of it being implemented. Sadly, it is this last sort that is the only kind which produces any improvements.

    I am not surprised that the feds are not ready.

    1. This is the least cynical take on it I’ve ever read.

      1. Those are the lucky projects who make those revised estimates.

    2. I briefly considered the possibilty of employment with eh Dept. of Labor, back in 2001. I chafed at the idea a bit more when the some IT guys from there told me they had received a ‘D’ on the security audit, which was probably generous, and as a result, they were moving to migrate to Windows NT, which had come out 5 years earlier.

      1. I remember seeing government job postings on the billboard at the hospital/research center I worked in in Brooklyn back in the late 90s. The requirements for what you had to do just to apply were so fucking ludicrous that I simply assumed the job was even more ludicrous, because only a ludicrous person would jump through those hoops to get a shitty job. Luckily my young, naive intuition was exactly correct. Everything about the process and the job description screamed “this job will never reward competence, STAY AWAY”.

        1. The requirements for what you had to do just to apply were so fucking ludicrous that I simply assumed the job was even more ludicrous, because only a ludicrous person would jump through those hoops to get a shitty job.

          The KSA: Knowledge, Skills Abilities.

          I started one of those, once. After 2 pages I said “fuck this shit” it and walked away. I’m told that there are firms in DC who specialize in filling those out.

        2. Sometimes those job listings are just bullshit. They have an internal candidate they want to hire, but they’re required to advertise, so they come up with a job description that nobody will apply for.

          1. Oh, just like certain H1B postings.

      2. We have schitzo tech here – with representatives from the last forty years of computing in our infrastructure. Since they insist everything interconnect, updating one element usually runs afoul of having to update a mess of others, and you run into bureaucratic fiefdoms where theres a mess of screeching and hollering and even more counterproductive behaviour because they think we’re out to sabotage them or defraud the state, or some other maliciousness. The cherry on top is the procurement process. It’s taken two months of wranging to try to buy one 600gb disk. New printers to replace our decades old ones that cost more in maintenence per year than the sticker price of a replacement – two years and still mired.

        So yeah, No shock there.

        1. The cherry on top is the procurement process. It’s taken two months of wranging to try to buy one 600gb disk. New printers to replace our decades old ones that cost more in maintenence per year than the sticker price of a replacement – two years and still mired.

          This is exactly why I’ve steadfastly refused the urgings of the wife-unit to get a federal job.

          I’d walk in the offices with a rifle and lot of ammo after being there for a couple weeks.

        2. This is why contracting took off.

          Middle-manager: “The contractors told us we *had* to buy new disks/printers/computers because [techbuzzwords].”

          Upper manager: “Well, we pay them $200 an hour, better do what they say.”

          Middle manager [sotto voce]: “And all the guys who used to care have been suggesting it for years before they burn out.”

  11. The internal auditor conducted interviews and read various documents, but did not actually use the data hub. That alone raises questions about the technology’s readiness.

    But he did interviews! He READ DOCUMENTS! Seriously, you libertardians need to get a grip and learn to trust your Saintly Paper-Pushers.

  12. Articles like these make me feel extremely satisfied since elsewhere on the internet totally delusional Obama supporters and liberals are gleefully predicting that this law will forever guarantee a Democratic majority in government because it will be so popular.

    One step closer to that glorious day when it all comes crashing down.

  13. It is all George Bush’s fault, or Rand Paul and the wacko-birds, or anybody except Pelosi and Our Glorious Leader.

  14. I really can’t wait for Oct. 1 and hope they don’t just delay the exchanges (which they’d do if they had any brains). It’s going to be hilarious to watch the contortions the administration will go through to explain why things are so messed up.

    1. Republican obstructionism. Repeated so often that the true believes won’t remember if it’s true or not.

      1. Republican obstructionism. Repeated so often that the true believes won’t remember if it’s true or not.

        That’s probably what will happen. 5 week break, 9 legislative days until FY14, no budget…almost a guarantee that we will hear plenty of cries about republican obstructions.

  15. The Obamacare legacy. The most massive rash of Identity Theft the planet has ever seen.

  16. Now, if I was going to be an agent provocateur, I would say … hack the database and disclose volumes of personal medical information just to demonstrate the dangers to the public.

    1. Obamacare is its own cautionary tale. Its mere existence should serve as warning enough to others.

  17. OT, but some folks really should be burning in hell.

    The Conference of Western Attorneys General have sent a letter to President Barack Obama “strongly” objecting to the “misuse” of the 2011 Budget Control Act to sequester revenues owed to states under the Minerals Leasing Act.

    The Western Attorneys General note that states are “statutorily guaranteed” 48% of all rentals, royalties and other receipts collected by the federal government for mineral activity on federal lands within state boundaries. The letter was sent to President Obama, as well as Interior Secretary Sally Jewell, Agriculture Secretary Thomas Vilsack and Office of Management & Budget Director Sylvia Mathews Burwell.

    The CWAG objection follows a May request by the Western Governors’ Association asking cabinet members to justify the position that the revenues were legally subject to sequestration. In a response to WGA dated July 26, DOI and OMB took the position that mineral royalties owed states are a “federal expenditure” and may be retained under the sequester.

  18. I honestly wouldn’t be surprised if any or all of these turn out to be true:

    default sysadmin login/password on the database servers
    entry forms are subject to sql injection
    user passwords restricted to 8 or fewer chars and alpha only
    no backups
    no redundancy

    1. Oh ya, forgot one.
      No encryption of sensitive personal identifying info, meaning any low level reporting analyst given SELECT permissions can waltz off with names, ssn, addresses, tax info etc.

      1. 5 bucks says they have duplicate data in the system, multiple people with the same SSN. In fact, I’ll bet it’s riddled with data errors.

        1. How many is riddled? Less than 0.01% (which is 30,000 errors in the US population base) would amaze me.

          1. 1 in 10,000? I wouldn’t give them that much credit either. Data ports are notoriously treacherous. When our company ported about 132,000 part numbers, probably every Bill of Material was screwed up and somewhere between 5 and 10% of the part numbers had problems. It was a disaster that the VP of IT should have been fired over (he came from Perot Systems). I don’t give the feds any more credit than I do him.

            1. I agree completely. But you had systemic error. 1 in 10000 is just what I would expect from random error aggregation of major systems where great care was taken to avoid systemic error and cross-check. That would be epically good.

    2. Having suffered thru an ERP integration and upgrade forced thru in 4 months from planning to turn on, I can confidently say there was no way this was achievable form the start.

      Too many parties involved, no time for double-checking data, not enough time for pre-live testing, it’s doooooooooomed.

      1. Given the deals we’re working on for getting ACO compliant systems in CMS care providers, Its a great time to be in Healthcare IT contracting.

        We’re super-paranoid about passing/showing/storing HIPAA identifier data, I doubt the FedGov will be.

    3. user passwords restricted to 8 or fewer chars and alpha only

      On a government project? No way.

      Passwords will have to be exactly sixteen characters, including four lc letters, four uc characters, four numerical characters, three non-alphanumeric characters, and two spaces.* Passwords will have to be changed every two weeks on the busiest day of the fortnight. You won’t be able to use any of your previous passwords.

      Therefore everyone will write their password on a sticky-note and hang it on their monitor.

      * Yes, I know that’s seventeen characters. Deal with it.

      Every now and then I get out my 1960s social security card, which still says, “For Social Security and Tax Purposes – Not For Identification.”

  19. What’s really worrying is what could happen to people if private medical information wound up in the wrong hands.
    For example, blackmail.

    You get someone’s medical records, you can find out all sorts of things about their personal life. I.e. They are HIV positive. They had an abortion. They saw a psychiatrist for any number of reasons. Imagine how you could fuck with an opponent’s political campaign by leaking medical records to the media.

    1. Politicians won’t use the exchanges. They are meant for schlubs like us.

    2. And unauthorized access might just as easily allow for unauthorized changes. Without audit trails and reliable access control, you’d never know.

    3. The DNC uses the IRS to persecute enemies. How could they refrain from using Obamacare for the same thing?

Please to post comments

Comments are closed.