State Obamacare exchanges illegally allowed to skip security assessment
The Department of Health and Human Services' Centers for Medicare & Medicaid Services allowed state Obamacare exchanges to launch at the beginning of October without a completed independent security assessment, as required by OMB guidelines and federal law.
A recently discovered document published by the Centers for Medicare & Medicaid Services (CMS) raises serious questions about the security and privacy of the state health insurance exchanges and further highlights the extent to which the Obama Administration skirted federal standards in order to launch the exchanges by October 1.
The document, which contains a list of “Frequently Asked Questions” related to the privacy and security assessment process for the exchanges, was discovered via a status report [pdf] published by the Nebraska Department of Insurance.
The status report included a link to a CMS-hosted webinar, which occurred on September 13. While only a portion of the webinar presentation was viewable as of this writing, it provides some insight into the directives CMS was providing to key stakeholders related to the security and privacy of the exchanges only weeks before launch.
Here is the viewable portion of the presentation in its entirety:
The document makes clear that all exchanges were required to obtain an independent assessment of their systems to ensure they met the "Minimum Acceptable Risk Standards" (MARS-E) defined earlier by CMS.
Documents defining these security standards, and the related plans and procedures, are available on the CMS website and appear to be thorough. However, the final question viewable in the September 13 document raises serious questions about the security of the exchanges, because CMS did not require the independent assessment to be completed prior to launch. Here is the key passage:
WHAT IF THE INDEPENDENT ASSESSOR HAS NOT COMPLETED THE SECURITY ASSESSMENT BY OCTOBER 1, 2013?
If a security assessment has not been completed, it must be planned for completion by March 31, 2014. For October 1, 2013 a risk assessment or self-assessment performed by the state Marketplace or Medicaid/CHIP agency will be acceptable as long as it has a corresponding Plan of Action and Milestones (POA&M) and Corrective Action Plan (CAP).
March 31, 2014 is also the close of open enrollment for 2014 coverage, so anyone seeking a health plan through an exchange must submit the required information, including confidential income and identity data, before that date.
In other words, by the time the independent assessments are due, everyone enrolling for 2014 will already have handed over confidential information to systems whose security has been verified only by the operators themselves, potentially exposing that data to hackers or other malefactors.
The federal exchange, HealthCare.gov, launched on October 1 without completing an independent security assessment.
It is unclear how many state exchanges also have launched without completing this assessment. State exchange representatives from Minnesota, Nevada, and Oregon did not answer the phone and have not returned voice mail requests for comment.
California’s media contact did not know the answer and promised to find out.
Hawaii's media contact did not even have voicemail set up.
Several of the state exchanges have experienced front-end problems even worse than HealthCare.gov's. Cover Oregon's site has failed to enroll a single Oregonian, after the state spent millions of dollars promoting it.
The Federal Information Security Management Act (FISMA), and the HHS policies implementing it, require every federal agency to assess and authorize the security of its information systems before they go live and to keep monitoring them afterward. Compliance with this process is overseen by the White House Office of Management and Budget.
Follow Charles on Twitter