LAS VEGAS — If you sign up for Obamacare through Nevada’s state-based health insurance exchange, is — or is not — your private financial information at risk?
To hear Jon Hager tell it, there’s no risk at all.
Hager is executive director of the state exchange — officially, the “Silver State Health Insurance Exchange.” Last Friday, on the KSNV television program Ralston Reports, he was asked by host Jon Ralston about data security.
“One of the problems that’s existed with the federal site, that some people have found,” said Ralston, “is security concerns, with personal information getting out.
“Can you assure people watching this, assure Nevadans, that that is a secure site?”
“Absolutely,” answered Hager. “Our data is secure. There was an article recently that said that Nevadans’ data is not secure. That was completely false; it was based on a report from the federally facilitated exchange, which we have nothing to do with.
“So, our data is secure, we go through great lengths, go to great lengths, to make sure it’s secure, we’ve got identity proofing, we’ve got levels of encryption, we’ve got firewalls, uh, we’ve got everything that you would need to keep our data secure.”
Presumably, Hager was responding to a Nevada Journal story published Oct. 30. That story reported, “It’s official: Any personal data you give to the State of Nevada’s Obamacare website may be at risk from potential hackers and other security problems.”
The story detailed security problems of HealthCare.gov — the federally facilitated marketplace run for 36 states by the Centers for Medicare and Medicaid Services (usually referred to as CMS).
Because CMS was responsible for what has been widely recognized as “the disastrous startup of the HealthCare.gov website,” the fact that CMS also runs the CMS Federal Data Hub — to which the Nevada Health Link web portal sends consumer information to for verification — raises the data-security question for Nevadans.
That CMS data hub — notes the chairman of the House Intelligence Committee, Rep. Mike Rogers, R-Michigan — establishes “new access points to the sensitive personal information of the American public.”
State-based exchanges such as the Silver State Health Insurance Exchange — parallel to HealthCare.gov — are connected by the hub to the Social Security Administration, the IRS, the Department of Homeland Security, the Department of Defense/TRICARE, the Veterans Health Administration, the Office of Personnel Management and the Peace Corps.
According to an HHS spokesman, that list could expand further in the future.
“Every shred of data one would need to steal your identity or access your confidential credit information,” wrote Rogers in USA Today, “would be available at the fingertips of a skilled hacker, producing a staggering security threat.”
He noted that CMS “has insisted that no data will be stored in the hub, yet any computer science student would tell you the hub will be a magnet for hackers, creating inherent vulnerability and risk by connecting these seven interfaces… These potential vulnerabilities are a dream of faceless international hackers and hostile foreign intelligence services.”
Rogers also observed that the inspector general of the Health and Human Services department had “flagged several critical tasks that remained to be completed [from the IG’s] most recent report in August, creating real concerns that the Hub had not been properly tested before it went live on Oct. 1.
“Shockingly, the Hub was slated to be last tested only two weeks before it was supposed to be fully operational.”
Recently, more expert criticism has come to light. A Washington Post story today revealed that a private analysis presented to top Obama administration officials in late March and early April by McKinsey & Co. predicted many of the problems users have had with HealthCare.gov since its rollout.
That analysis cited the hub as a vulnerability. And while administration officials assert that the hub has been working well since the launch, it is actually too early to give that system a clean bill of health.
That’s because end-to-end security testing cannot be done until virtually all front-end functional problems on HealthCare.gov and the state-based exchange websites have been fixed. And that process, CMS officials have said, will continue at least through the first quarter of 2014.
Notably, immediately following an Oct. 26 press release by HHS Secretary Kathleen Sebelius celebrating the data hub as “a model of efficiency and security,” the hub crashed early on the morning of the 27th. Then, two days later, it crashed again. Each crash meant that neither HealthCare.gov nor state-based exchanges, such as Nevada’s, could access the data needed to verify individuals’ applications for Obamacare.
Since then, HHS and CMS have become close-mouthed about the hub’s operation — continuing the pattern of secrecy that’s characterized the agency’s management of the Obamacare rollout for most of the last two years.
Kev Coleman, who heads research and data at HealthPocket Inc., a technology and research firm that ranks health plans, observed that it is “unusual for a website with millions of users across the nation to go down due to a single point of failure.
“Typically, server hosting is distributed across multiple locations to avoid such a scenario. This allows regional traffic to be rerouted to a new data center if the region’s data center is inoperable.”
What the hub outages thus reveal is that, at least as of the end of October, CMS had — in yet another major lapse of management intelligence — never arranged for server-hosting redundancy.
Some six weeks earlier, according to Reuters, HHS and CMS had announced that the hub was “ready to go.” At the time, Stephen Parente, a finance professor at the University of Minnesota who specializes in health insurance and health information technology, was testifying before Congress that the hub is “the largest personal data integration government project in the history of the republic,” and as such, “greater transparency is needed, as well as a frank acknowledgement that the [health care law’s] posted deadlines should take second place to reasonable data concerns.”
Just before that, in August, the HHS inspector general had released a report questioning whether the testing of hub security could be completed before the Oct. 1 deadline.
“CMS is addressing and testing security controls of the Hub during the development process,” stated the IG summary. “However, several critical tasks remain to be completed in a short period of time, such as the final independent testing of the Hub’s security controls, remediating security vulnerabilities identified during testing, and obtaining the security authorization decision for the Hub before opening the exchanges.”
The IG report also included a chart indicating that CMS had originally planned to allocate 51 days for final security testing for the hub and HealthCare.gov. Then, with the necessary preliminaries taking longer than planned, CMS had changed its planned schedule to only allocate 10 days to do that 51-day review.
“What makes them think that they can accomplish a 51-day review in just 10 days?” asked Manhattan Institute Senior Fellow Avik Roy. “They don’t. The Obama administration is so determined to get Obamacare up and running on time that they are likely to ignore the legal requirements to adequately review these privacy safeguards.”
In early November, one of America’s most highly qualified experts on software systems and risk management, Dr. Robert N. Charette, addressed the security risks accompanying the HHS and CMS management of the data hub and HealthCare.gov.
Interviewed by IEEE Spectrum, the magazine of the nonprofit Institute of Electrical and Electronics Engineers, Charette was asked, “So, what’s your take on how things went so terribly wrong?”
Notably, Charette sees HealthCare.gov and the federal data hub as essentially one system, ObamaCare IT:
HealthCare.gov is a huge system of systems and it’s extremely difficult to manage these things even in the best of times. That’s mostly because you have so many different interfaces with so many different assumptions controlling how the individual systems operate. And they’re rarely built with enough flexibility to be used by lots of other systems.
If you take a look at the IRS systems, the Department of Homeland Security systems, or any of the other ones we’re talking about, they were never created to be connected to something like HealthCare.gov. So you have massive risk at each interface in terms of just trying to get the assumptions — stuff like how data is formatted, how data should be captured and passed back and forth — to align. Imagine being given Lincoln Logs, an erector set, and Legos and saying, "I’m gonna make something where everything fits properly." That’s not likely to happen. It takes a tremendous amount of time just to understand how things operate, so that when you begin to design things, you can actually have information pass through all these interfaces seamlessly. Any problem at any one of these junctures will cause a person’s application to stop.
IEEE Spectrum Assistant Editor Willie D. Jones, the interviewer, noted that the previous week, HHS Secretary Sebelius had assured Congress that her department has brought in experts who have “a handle on the problems” HealthCare.gov is facing.
“How confident should we be in Sebelius’ assurances?” Jones asked.
“Not very,” replied Charette. “They’re talking about dozens and dozens of items on their punch list — both in terms of functionality and performance issues. They’ve got just over 30 days to get through the list. Let’s just say that there are 30 items on it. What do you think is the actual probability of getting through testing them, making sure that the system works end to end and that there are no security holes all in a single month? How do you expect to get that done, knowing that every time you make a fix, there’s a high probability that you’re going to introduce an error somewhere else?
Jones: Let’s spin this forward a bit. How do you think this next month [November] will actually go?
Charette: They said that they needed five weeks at the minimum to test it, and they’re still making all these changes. Where will that five-week window fit? If they had stopped right then and tested it for five weeks, they wouldn’t have been able to finish on time. And five weeks was probably the absolute minimum they needed, assuming everything worked. They’re patching the system as they go along and as Sebelius admitted, they’re doing very local unit tests (which, by the way, is what got them into this mess in the first place, with each contractor saying, "Well, my stuff works"). If they discover something major, they may have to run the whole system test again.
Jones: So they’ll most likely gain functionality, but security is not a given.
Charette: Yes, unfortunately. It would be very surprising if there isn’t some type of breach, either at the federal or state level, by this time next year. If you can breach some of these high security defense department or intelligence systems, what’s the probability that the Obamacare website is not going to be breached? That likelihood approaches zero if it isn’t zero.