NEW YORK — The federal government is months behind in testing data security for the main pillar of Obamacare: allowing Americans to buy health insurance on state exchanges due to open by Oct. 1.
The missed deadlines have pushed the government’s decision on whether information technology security is up to snuff to exactly one day before that crucial date, the Department of Health and Human Services’ inspector general said in a report.
As a result, experts say, the exchanges might open with security flaws or, possibly but less likely, be delayed.
“They’ve removed their margin for error,” said Deven McGraw, director of the health privacy project at the non-profit Center for Democracy & Technology. “There is huge pressure to get (the exchanges) up and running on time, but if there is a security incident they are done. It would be a complete disaster from a PR viewpoint.”
The most likely serious security breach would be identity theft, in which a hacker steals the Social Security numbers and other information people provide when signing up for insurance.
The inspector general’s report, released without fanfare last Friday, found that the Centers for Medicare & Medicaid Services or CMS — the agency within HHS that is running Obamacare — had set a May 13 deadline for its contractor to deliver a plan to test the security of the crucial information technology component.
A test was to have been performed between June 3 and 7. But the delivery deadline slipped and the test — assessing firewalls and other security elements — is now set for this week and next.
“CMS,” concludes the inspector general’s report, “is working with very tight deadlines.”
The delays mean that the ruling by CMS’s chief information officer certifying the Obamacare IT system as secure will be pushed back from Sept. 4 to Sept. 30, a day before enrollment under the Patient Protection and Affordable Care Act, the law that established Obamacare, is supposed to start.
“Several critical tasks remain to be completed in a short period of time,” the report concluded.
Any additional delays could mean CMS would not have the information it needs to authorize use of the system by Oct. 1, the inspector general found.
CMS spokesman Brian Cook said the agency is confident the Obamacare exchanges will open on time. “We are on schedule and will be ready for the marketplaces to open on Oct. 1,” he said.
When people try to enroll in health insurance starting on Oct. 1 for insurance plans taking effect in 2014, their identity, income and other information they furnish with their application will be funneled through a federal “data hub.”
The hub is like a traffic circle for data. It does not itself store information, but instead has digital spokes connecting to the Internal Revenue Service and other agencies that will allow it to verify information people provide. Opponents of Obamacare have repeatedly raised concerns that sensitive personal information could be stolen.
Before the hub or any other federal information system can open, a 2002 law requires that it obtain a “security authorization package,” which is essentially the roadmap for keeping out hackers and preventing security breaches.
The first component of the package provides an overview of the system’s security requirements and describes the controls the contractor has installed. It covers access controls and authentication, for instance, so that hackers cannot ping the hub and access IRS data.
A second component is a risk assessment that identifies vulnerabilities and determines the probability of a data breach.
The final component is an assessment by an independent testing organization that proper security controls have been implemented correctly, are operating as intended, and are meeting security requirements.
“CMS has extensive experience building and operating information technology systems that handle sensitive data” as a result of its experience with Medicare and Medicaid, the agency said in a statement.
Despite the tight IT deadlines Obamacare faces, the 2002 federal law on information security might provide an important loophole. The requirement that CMS’s chief information officer make a “security authorization” decision does not mean the CIO has to conclude that the data hub is impregnable. He can decide that, despite identified security risks, the hub can operate.
Health privacy expert McGraw said “the worst case scenario” of not meeting the IT security deadline is that the government will not be able to bring the data hub online on Oct. 1. In that case, people will be able to apply for insurance starting on that date but will not be told if they have been accepted or whether they are eligible for government subsidies to pay their premiums.