[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
THE THREAT TO AMERICANS' PERSONAL INFORMATION: A LOOK INTO THE SECURITY
AND RELIABILITY OF THE HEALTH EXCHANGE DATA HUB
=======================================================================
HEARING
before the
SUBCOMMITTEE ON CYBERSECURITY,
INFRASTRUCTURE PROTECTION,
AND SECURITY TECHNOLOGIES
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
SEPTEMBER 11, 2013
__________
Serial No. 113-33
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PRINTING OFFICE
86-247 PDF WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Peter T. King, New York Loretta Sanchez, California
Mike Rogers, Alabama Sheila Jackson Lee, Texas
Paul C. Broun, Georgia Yvette D. Clarke, New York
Candice S. Miller, Michigan, Vice Brian Higgins, New York
Chair Cedric L. Richmond, Louisiana
Patrick Meehan, Pennsylvania William R. Keating, Massachusetts
Jeff Duncan, South Carolina Ron Barber, Arizona
Tom Marino, Pennsylvania Dondald M. Payne, Jr., New Jersey
Jason Chaffetz, Utah Beto O'Rourke, Texas
Steven M. Palazzo, Mississippi Tulsi Gabbard, Hawaii
Lou Barletta, Pennsylvania Filemon Vela, Texas
Chris Stewart, Utah Steven A. Horsford, Nevada
Richard Hudson, North Carolina Eric Swalwell, California
Steve Daines, Montana
Susan W. Brooks, Indiana
Scott Perry, Pennsylvania
Mark Sanford, South Carolina
Greg Hill, Chief of Staff
Michael Geffroy, Deputy Chief of Staff/Chief Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY
TECHNOLOGIES
Patrick Meehan, Pennsylvania, Chairman
Mike Rogers, Alabama Yvette D. Clarke, New York
Tom Marino, Pennsylvania William R. Keating, Massachusetts
Jason Chaffetz, Utah Filemon Vela, Texas
Steve Daines, Montana Steven A. Horsford, Nevada
Scott Perry, Pennsylvania, Vice Bennie G. Thompson, Mississippi
Chair (ex officio)
Michael T. McCaul, Texas (ex
officio)
Alex Manning, Subcommittee Staff Director
Dennis Terry, Subcommittee Clerk
C O N T E N T S
----------
Page
Statements
The Honorable Patrick Meehan, a Representative in Congress From
the State of Pennsylvania, and Chairman, Subcommittee on
Emergency Preparedness, Response, and Communications........... 1
The Honorable Yvette D. Clarke, a Representative in Congress From
the State of New York, and Ranking Member, Subcommittee on
Emergency Preparedness, Response, and Communications:
Oral Statement................................................. 3
Prepared Statement............................................. 6
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Prepared Statement............................................. 7
Witnesses
Mr. Michael J. Astrue, Former Social Security Commissioner,
Former U.S. Department of Health and Human Services General
Counsel:
Oral Statement................................................. 9
Prepared Statement............................................. 11
Mr. Stephen T. Parente, Ph.D., Minnesota Insurance Industry Chair
of Health Finance, Director, Medical Industry Leadership
Institute, Professor, Department of Finance, Carlson School of
Management, University of Minnesota:
Oral Statement................................................. 13
Prepared Statement............................................. 15
Ms. Kay Daly, Assistant Inspector General, Audit Services, U.S.
Department of Health and Human Services:
Oral Statement................................................. 16
Prepared Statement............................................. 17
Mr. Matt Salo, Executive Director, National Association of
Medicaid Directors:
Oral Statement................................................. 21
Prepared Statement............................................. 23
For the Record
The Honorable Yvette D. Clarke, a Representative in Congress From
the State of New York, and Ranking Member, Subcommittee on
Emergency Preparedness, Response, and Communications:
Letter......................................................... 5
THE THREAT TO AMERICANS' PERSONAL INFORMATION: A LOOK INTO THE SECURITY
AND RELIABILITY OF THE HEALTH EXCHANGE DATA HUB
----------
Wednesday, September 11, 2013
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection,
and Security Technologies,
Washington, DC.
The subcommittee met, pursuant to call, at 2:02 p.m., in
Room 311, Cannon House Office Building, Hon. Patrick Meehan
[Chairman of the subcommittee] presiding.
Present: Representatives Meehan, Rogers, Marino, Perry,
Clarke, Vela, and Horsford.
Also present: Representative Jackson Lee.
Mr. Meehan. The Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection, and
Security Technologies will come to order.
The subcommittee is meeting today to examine the security
and reliability of the Health Exchange Data Hub and the
existence of any threat to Americans' personal information.
Before beginning my opening statement, I think it is only
appropriate on a day like today that we take a moment and join
in a moment of silence, remembrance of the victims of September
11 as we recognize the twelfth anniversary of that terrible
tragedy.
I thank you.
I now recognize myself for an opening statement.
Today's hearing, ``A Threat to Americans' Personal
Information: A Look into the Security and Reliability of the
Health Exchange Data Hub'' is the second hearing on this issue
in less than 2 months by this committee or associated with this
committee.
The Federal Data Services Hub was established under the
rulemaking for the Patient Protection and Affordable Care Act.
Its purpose is to be the one-stop shop to connect applicants to
the Affordable Care Act exchanges.
The hub will connect to multiple Federal agencies including
the Social Security Administration to verify an applicant's
Social Security number, the IRS, to verify income and really
not just for an applicant, but for an applicant's spouse and
children and others.
The Department of Homeland Security to verify citizenship
and immigration status as well as other Federal agencies to
determine an applicant's eligibility for Federal health
insurance subsidies, the key aspect of it to be the ability to
articulate the qualification, not just for subsidies but amount
of subsidies.
Personally identifiable information for any applicant and
their families will pass through the data hub from these
various agencies. In fact, over 20 million Americans are
expected to enter the exchange over the next 5 years, and I
know we will hear testimony about what the scope of this
exchange is expected to be.
This information will include an applicant's name, address,
date of birth, Social Security number, household income, health
status including whether an applicant is pregnant or has a
disability, and will be stored in the exchange system of
records for up to 10 years, stored in the system for up to 10
years.
The Government Accountability Office in a June 2, 2013
report called the hub, ``a complex undertaking involving the
coordinated actions of multiple Federal, State, and private
stakeholders.'' The report concluded that, ``a timely and
smooth implementation by October 13, 2013 cannot yet be
determined.''
In July, this subcommittee convened a joint hearing with
the House Oversight and Government Reform Subcommittee. We
heard directly from Centers for Medicare and Medicaid Services,
Director Marilyn Tavenner, and acting commissioner of the IRS,
Daniel Werfel, among others on the implementation of the hub.
My personal take-away from that hearing is that CMS was not
ready to embark on this giant responsibility. Since our
hearing, the Health and Human Services inspector general
conducted a report on the implementation of the hub from a
security perspective.
The IG report stated that the several critical tasks
remained to be completed in a short period of time. That is why
we are here today, to examine CMS' progress in securing
America's personal information.
I am thankful to the inspector general who sent a
representative to participate in today's hearing. As we sit
just 20 days removed from the exchanges and the data hub, going
live on October 1, I have grave concerns from a cybersecurity
standpoint.
We have assembled a panel of witnesses uniquely qualified
in commenting on the scope and readiness of the mounting task
at hand. I thank them for participating, and I look forward to
hearing their testimonies.
Let me conclude my comments by saying that this is not a
hearing that goes into the policy implications behind the
Affordable Care Act. It is not our purpose here today to try to
raise that issue.
But we are a committee that is focused and focused
importantly on the security of American citizens, and one of
the highest issues we currently see is an appreciation for
personal privacy and private identifying information and what
the misuse of that information cannot just mean directly to a
person but to a person who then has to go about trying to fix
that in their lives.
In the best of times, we have seen dramatic growth in those
who have used and developed new and innovative ways to steal
that information to use it in the markets in a variety of
different capacities.
So as we have dealt with increasing sophistication in those
who would try to steal them and manipulate this information, we
also recognize that we are in a unique time as well.
A time in which cyber information is not just there to be
manipulated or used or stolen by those if it is not
appropriately secure, but we face a time in which there are
very sophisticated actors, including state actors who may wish
to do us harm.
A database that it is the core of one of the central
expenditures of American resources can certainly, foreseeably
be a target. The extent to which we are ready not just for the
kinds of challenges that are facing security databases in the
normal course of business but the preparation readiness to
stand up to what may be a sophisticated attack and one that
seeks to do us damage are all relevant considerations for us at
this important point.
These are some of the issues I want to ask about the
readiness before we get ready to go, and I appreciate those of
you who are here today who are ready to testify on your
opinions and knowledge with regard to the readiness of this
database.
Now the Chairman now recognizes the Ranking Minority Member
of the subcommittee, the gentlelady from New York, Ms. Clarke,
for any statement that she may have.
Ms. Clarke. I thank you, Mr. Chairman, for holding a second
hearing on one of the most important features of the Affordable
Care Act, and I welcome our witnesses here today.
When President Obama signed the Affordable Care Act in the
East Room of the White House on March 23, 2010, the Federal
Government started planning to operate health care insurance
market places, also called exchanges, and assist States that
opted to run their own marketplaces.
All of this involves developing a complex computer web-
based service that would allow millions of Americans access to
affordable health care in the most efficient and safe way
possible.
This is a large undertaking and involves a complicated
inter-agency IT and web-based software effort commonly known as
the Federal Data Services Hub based at the Department of Health
and Human Services Center for Medicare, Medicaid Services, or
CMS.
What is important about this effort is that we must create,
collect, and use or disclose personal information of millions
of our citizens in a responsible and confidential way.
The health care marketplaces must establish and implement
cyber and personal information protection standards that are
consistent with specific principles outlined in our current
health care law.
Those principles which are comparable to the ones upon
which the HIPAA, the Health Insurance Portability and
Accountability Act, provide and they include No. 1, providing a
right of access to one's personally identifying information
commonly referred to as PII, a right to have erroneous
information corrected, and No. 3, providing accountability
through appropriate monitoring and reporting of information
breaches.
Exchanges must also establish and implement reasonable
operational, technical, administrative, and physical safeguards
to ensure the confidentiality, integrity, and availability of
PII and to prevent unauthorized or inappropriate access, use,
or disclosure of PII.
In addition, health exchanges must monitor, periodically
access, and update their security controls and must develop and
use secure electronic interfaces when sharing PII
electronically.
CMS has completed its technical design and build of Federal
Data Services Hub and has established an inter-agency security
framework as well as the protocols for connectivity.
Importantly, in a letter to Ranking Member Thompson this
morning, HHS has revealed that as of Friday, September 6, they
had taken the necessary steps to obtain security authorization
for the data hub and the CMS chief information officer has
assigned to the security authorization.
This is an important milestone and it shows that CMS will
be ready to operate the hub securely on October 1.
This will provide a common, secure connection for
marketplaces to seek information from Federal databases
necessary to verify eligibility, excuse me, for the millions of
Americans who can begin to shop for quality, affordable health
care coverage in just a few weeks.
The hub has several layers of protection to mitigate
information security risks. For example, marketplace systems
will employ a continuous monitoring model that will utilize
sensors and active event monitoring to quickly identify and
take action.
Let us remember, it is simple. The Data Services Hub will
transfer data and be used to verify applicant information data
for eligibility. The Data Services Hub is not a database. It
will not function as a database. It will not contain health
care records.
The hub will send queries and responses among given
marketplaces and data services to determine eligibility. The
Data Services Hub will not determine consumer eligibility nor
will it determine which health plans are available in the
marketplaces.
CMS and its vendors have told us and testified before this
subcommittee and Energy and Commerce subcommittees that
delivery milestones for the Data Services Hub completion are
being met on time and they expect that the Data Services Hub
will be ready as planned by October 1.
I am looking forward to the testimony of the HHS Office of
the Inspector General to learn more about their important role
in the implementation of the Federal data hub.
Also, we are going to hear testimony today from the
director of the State Medicaid Directors Association whose
members have been working on this effort from the ground up.
I am eager to learn about the massive efforts of that State
and the Federal Centers for Medicaid and Medicaid Services have
made to stand up to this complex data hub. This is the kind of
information we need to help us deliver health care to citizens
who really need it.
Mr. Chairman, I ask for unanimous consent to submit a copy
of the letter received by Ranking Member Bennie Thompson.
Mr. Meehan. Without objection, so ordered.
[The information follows:]
Letter Submitted by Ranking Member Yvette D. Clarke
Washington, DC, Sep. 10, 2013.
The Honorable Bennie Thompson,
Ranking Member, Committee on Homeland Security, U.S. House of
Representatives, Washington, DC 20515.
Dear Representative Thompson: Thank you for your inquiry related to
privacy and security protections associated with the Data Services Hub
(hub) and the status of our work to protect people and programs from
cyber-attacks in this area. At the Department of Health and Human
Services (HHS), we take very seriously our responsibility to safeguard
personal information in all of our programs, including in the
Affordable Care Act Marketplace. Collectively, the tools, methods,
policies, and procedures we have developed provide a safe and sound
security framework to safeguard consumer data, allowing eligible
Americans to confidently and securely enroll in quality affordable
health coverage starting on October 1, 2013. This framework is
consistent with the framework that exists for all other HHS programs,
such as Medicare, which Americans rely on every day.
HHS's Centers for Medicare & Medicaid Services (CMS) has a strong
track record of preventing breaches involving the loss of personally
identifiable information from cyber-attacks. This is due in large part
to the establishment of an information security program with consistent
risk management, security controls assessment, and security
authorization processes for all enterprise systems. Our system and
security protocols are grounded in statutes, guidelines and industry
standards that ensure the security, privacy, and integrity of our
systems and the data that flow through them. These protections include
a series of statutes and amendments to these laws, such as the Privacy
Act of 1974, the Computer Security Act of 1987 and the Federal
Information Security Management Act (FISMA) of 2002, as well as various
regulations and policies promulgated by HHS, the Office of Management
and Budget, the Department of Homeland Security, and the National
Institute of Standards and Technology (NIST).
In accordance with these provisions, CMS has developed the hub, a
routing tool that helps Marketplaces provide accurate and timely
eligibility determinations. It is important to point out that the hub
will not retain or store Personally Identifiable Information. Rather,
the hub is a routing system that CMS is using to verify data against
information contained in already existing, secure, and trusted Federal
and State databases. CMS will have security and privacy agreements with
all Federal agencies and States with which we are validating data.
These include the Social Security Administration, the Internal Revenue
Service, the Department of Homeland Security, the Department of
Veterans Affairs, Medicare, TRICARE, the Peace Corps, and the Office of
Personnel Management.
The hub is designed to comply with the comprehensive information
security standards developed by NIST in support of FISMA. NIST has
emerged as the gold standard for information security standards and
guidelines that all Federal agencies follow. Several layers of
protection will be in place to help protect against potential damage
from attackers and mitigate risks. For example, the hub will employ a
continuous monitoring model that will utilize sensors and active event
monitoring to quickly identify and take action against irregular
behavior and unauthorized system changes that could indicate potential
attacks. Automated methods will ensure that system administrators have
access to only the parts of the system that are necessary to perform
their jobs. These protocols, combined with continuous monitoring, will
alert system security personnel when any system administrator attempts
to perform functions or access data for which they are not authorized
or are inconsistent with their job functions.
Should security incidents occur, an Incident Response capability
built on the model developed by NIST would be activated. The Incident
Response function allows for the tracking, investigation, and reporting
of incidents so that HHS may quickly identify security incidents and
ensure that the relevant law enforcement authorities, such as the HHS
Office of Inspector General Cyber Crimes Unit, are notified for
purposes of possible criminal investigation.
Before Marketplace systems are allowed to operate and begin serving
consumers across the country, they must comply with the rigorous
standards that we apply to all Federal operational systems and CMS's
Chief Information Officer must authorize the systems to begin
operation. I am pleased to report that the hub completed its
independent Security Controls Assessment on August 23, 2013 and was
authorized to operate on September 6, 2013. The completion of this
testing confirms that the hub comports with the stringent standards
discussed above and that HHS has implemented the appropriate procedures
and safeguards necessary for the hub to operate securely on October 1.
The privacy and security of consumer data are a top priority for
HHS and our Federal, State, and private partners. We understand that
our responsibility to safeguard our systems is an on-going process, and
that we must remain vigilant throughout their operations to anticipate
and protect against evolving data security threats. Accordingly, we
have implemented privacy and security measures for the Marketplace
systems that employ measures similar to those in the private sector and
we will continually validate through a variety of methods.
In closing, we have produced an extremely strong enterprise
information security program by implementing state-of-the-art controls
and business processes based on statutory requirements, agency and
organizational commitments, best practices, and the experience and
knowledge of our subject matter team members. This has resulted in the
development, testing, and readiness of the hub to operate on October 1
to serve consumers across the country in a secure and efficient manner.
We hope this information is responsive to your inquiry. Thank you for
your interest in and leadership on this important issue.
Sincerely,
Marilyn Tavenner.
Ms. Clarke. Thank you, Mr. Chairman, and I yield back.
[The statement of Ranking Member Clarke follows:]
Statement of Ranking Member Yvette D. Clarke
September 11, 2013
Thank you Mr. Chairman for holding a second hearing on one of the
most important features of the Affordable Care Act.
When President Obama signed the Affordable Care Act in the East
Room of the White House on March 23, 2010, the Federal Government
started planning to operate health care insurance marketplaces, also
called exchanges, and assist States that opted to run their own
marketplaces.
All of this involves developing a complex computer web-based
service that would allow millions of Americans access to affordable
health care, in the most efficient and safe way possible.
This is a large undertaking, and involves a complicated inter-
agency IT and web-based software effort, commonly known as a ``Federal
Data Services Hub'' based at The Department of Health and Human
Services, Center for Medicare and Medicaid Services, or CMS.
What is important about this effort is that we must create,
collect, and use or disclose personal information of millions of our
citizens in a responsible and confidential way.
The health care marketplaces must establish and implement cyber and
personal information protection standards that are consistent with
specific principles outlined in our current health care law.
Those principles, which are comparable to the ones upon which the
HIPAA, the Health Insurance Portability and Accountability Act provide,
and they include:
Providing a right of access to one's Personally Identifying
Information, commonly referred to as PII;
A right to have erroneous information corrected;
And providing accountability through appropriate monitoring
and reporting of information breaches.
Exchanges must also establish and implement reasonable operational,
technical, administrative, and physical safeguards to ensure the
confidentiality, integrity, and availability of PII, and to prevent
unauthorized or inappropriate access, use, or disclosure of PII.
In addition, Health Exchanges must monitor, periodically access,
and update their security controls, and must develop and use secure
electronic interfaces when sharing PII electronically.
CMS has completed its technical design, and build of Federal Data
Services Hub and has established an interagency security framework as
well as the protocols for connectivity.
Importantly, in a letter to Ranking Member Thompson this morning,
HHS has revealed that as of Friday, September 6, they had taken the
necessary steps to obtain security authorization for the data hub, and
the CMS Chief Information Officer has signed the security
authorization. This is an important milestone, and it shows that CMS
will be ready to operate the hub securely on October 1.
This will provide a common, secure connection for Marketplaces to
seek information from Federal databases necessary to verify eligibly
for the millions of Americans can begin to shop for quality, affordable
health coverage in just a few weeks.
The hub has several layers of protection to mitigate information
security risk. For example, Marketplace systems will employ a
continuous monitoring model that will utilize sensors and active event
monitoring to quickly identify and take action.
Let us remember, it's simple . . . the Data Services Hub will
transfer data and be used to verify applicant information data for
eligibility. The Data Services Hub is NOT a database, it will not
function as a database, and it will not contain health care records.
The hub will send queries and responses among given marketplaces
and data sources to determine eligibility. The Data Services Hub will
not determine consumer eligibility, nor will it determine which health
plans are available in the marketplaces.
CMS and its vendors have told us, and testified before this
subcommittee and Energy and Commerce subcommittees, that delivery
milestones for the Data Services Hub completion are being met on time,
and they expect the Data Services Hub will be ready as planned by
October 1.
I am looking forward to the testimony of the HHS Office of
Inspector General to learn more about their important role in the
implementation of the Federal Data Hub.
Also, we are going to hear testimony today from the director of the
State Medicaid Directors Association, whose members have been working
on this effort from the ground up.
I am eager to learn about the massive efforts that States, and the
Federal Centers for Medicare and Medicaid Services, have made to stand
up this complex data hub.
This is the kind of information we need to help us deliver health
care to citizens who really need it.
Mr. Chairman, I yield back.
Mr. Meehan. Okay. I thank the gentlelady.
Other Members of the committee are reminded that opening
statements may be submitted for the record.
[The statement of Ranking Member Thompson follows:]
Statement of Ranking Member Bennie G. Thompson
September 11, 2013
Thank you, Mr. Chairman, for holding a second hearing on one of the
most important features of the Affordable Care Act. I also want to
thank the witnesses for appearing here today.
On March 23, 2010, President Obama signed the Affordable Care Act
into law. I should note that today, the Majority will bring their 41st
vote to undermine and repeal the Affordable Care Act to the Floor of
the House. The ACA requires the development of a computer-based service
that will allow millions of Americans the ability to purchase
affordable health care policies for their families, in the most
efficient and safest way possible. This undertaking requires the
development of a ``Federal Data Services Hub.''
My colleagues on the other side of the aisle have used the
development of this hub to promote uncertainty and fear about the
ability of these computer systems to keep the personal and health
information of millions of Americans safe and secure. I appreciate
their concern. It seems that last year, a poll conducted by the
National Foundation for Credit Counseling found that 64% of Americans
fear identity theft. Given the widespread fear of identity theft, the
American public should have the facts on whether there is any danger in
personal and health information leaking out or being hacked from this
system.
This kind of assurance is extremely important if we want millions
of people who do not have health care to feel that they can trust this
system and use it to get the care they need and the policies they can
afford. We all know that sowing fear in a new system is one way to
discourage participation and drive down enrollment figures. I am sure
no one would want that outcome. So here are the facts that people need
to know to have confidence in this system:
(1) The use of computers to obtain, verify, and transmit
information in Government programs is nothing new;
(2) The information contained on your driver's license and Social
Security card and any other piece of Government-issued
identification you have is housed somewhere on a Government
database;
(3) The Federal Government and the States already use and exchange
personal data to determine eligibility for various programs;
(4) Leaks involving personal data by State and local governments
are a rare occurrence. Information leaks involving personal
data held by private companies, such as banks, credit card
issuers, and retail stores, are common; and,
(5) As of Friday, September 6, 2013, HHS/CMS had taken the
necessary steps to obtain a security authorization for this
system.
Thus, while I appreciate the Majority's concern about the
Government's ability to safeguard this information, it appears to be
misplaced.
Thank you, Mr. Chairman, and I yield back.
Mr. Meehan. I am going to take a moment to introduce the
distinguished panel that we have before us, and we are
appreciating having such a distinguished panel on this topic.
First, let me introduce Mr. Michael Astrue who formally
served as the commissioner of Social Security from 2007 until
January 2013 as well as the general counsel for the Department
of Health and Human Services from 1989 until 1992.
As commissioner of Social Security, he focused his efforts
on reducing the disability backlog and improving services to
the public particularly through electronic services.
He spearheaded highly-successful new systems for fast-
tracking disability claims, created National hearing centers to
reduce backlogs, and expanded and overhauled the agency's suite
of electronic services to make them simpler, faster, and more
user-friendly.
Dr. Stephen Parente is the Minnesota Insurance Industry
Professor of Health Finance and Insurance in the Carlson School
of Management at the University of Minnesota. He specializes in
health economics, health insurance, medical technology
evaluation in health information technology.
He is acknowledged as a National expert on using
administrative databases particularly Medicare and health
insurer data for health policy research and has served as a
consultant to several of the largest health care organizations
in the country.
Ms. Kay Daly is the assistant inspector general for audit
services at the United States Department of Health and Human
Services.
Ms. Daly's responsibilities include overseeing the chief
financial officer financial statement audits at HHS, reporting
on compliance with improper payment acts, providing oversight
of over 300 grant programs as ministered by HHS, and overseeing
audits related to the implementation of health care reform.
Prior to joining HHS OIG, Ms. Daly worked at the Government
Accountability Office for 23 years.
Finally, we are joined by Mr. Matt Salo. He is the
executive director of the National Association of Medicaid
Directors since February 2011.
This is a newly-formed association. It represents all 56 of
the Nation's State and territorial Medicaid directors and
provides them with a strong unified voice in National
discussions as well as a locus for technical assistance and
best practices.
Mr. Salo formally spent 12 years at the National Governors
Association where he worked on the Governor's Health Care and
Human Services agendas and spent 5 years prior to that as a
health policy analyst working for the State Medicaid directors.
There will be full written statements of the witnesses
which will appear in the record.
Now I have got to sort of make a judgment, and I see that
we have a little less than 8 minutes to go on the existing vote
responsibilities that we have. Having teed this very, very
impressive panel up, I am sort of hesitant to see a rain delay.
So what I think I am going to recommend to our panel is
that we will vote as quickly as we can, and I will make the
representation that I will hustle back as quickly as I can,
gavel in as soon as I get here, and I know my colleagues will
do their best as well after last vote.
I think it is probably better to allow the panelists to
testify in order than to start the process, break, and start
again.
So with your forgiveness, so to speak, we thank you for
understanding the nature of the world in which we work and we
look forward upon our return to your testimony in engaging in,
in, in our dialogue.
So, at the moment, the Chairman, the committee stands in
recess.
Thank you.
[Recess.]
Mr. Meehan. The Committee and the Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection, and
Security Technologies will return to order.
I thank you once again for your indulgence. I know my
colleagues are working their way back as quickly as possible,
but we thank--we appreciate your indulgence, and now we would
like to create the opportunity for you to begin your testimony.
As I have had said before, the full written statements of
the witnesses will appear in the record. So I now look forward
to the verbal testimony of each of our witnesses on the issue
that we are here to meet with today.
So the Chairman now recognizes Mr. Astrue for his
testimony. Thank you.
Mr. Astrue, yes, you may want to touch--thank you.
STATEMENT OF MICHAEL J. ASTRUE, FORMER SOCIAL SECURITY
COMMISSIONER, FORMER U.S. DEPARTMENT OF HEALTH AND HUMAN
SERVICES GENERAL COUNSEL
Mr. Astrue. Out of practice, sorry.
Chairman Meehan, Ranking Member Clarke, and Members of the
subcommittee, no day is more fitting than 9/11 for us to
cherish and safeguard our liberties as Americans. Thank you for
inviting me here today.
I testify only as a former official. A quarter-century ago,
I briefly was the White House's Privacy Act officer. I then
served as general counsel of the U.S. Department of Health &
Human Services and as commissioner of Social Security for
Presidents Bush and Obama. As commissioner, I also served as a
trustee of the Medicare Trust Fund.
Some history helps us understand why we needed to have this
hearing. Infighting and paralysis marked the first year of the
effort to construct the Federal health exchanges, including
what is called the ``data hub.''
Administrator Berwick claimed that he could not find the
money to build the system, and he criticized Congress for not
specifically appropriating money for it. He also criticized
Secretary Sebelius for refusing to release money from the ACA
discretionary fund.
Berwick pressed other agencies to pay for the exchanges,
even though such payments would have violated appropriations
restrictions. When development started in earnest after
Berwick's departure, CMS struggled to meet its deadlines.
CMS' failures and delays have been common knowledge within
the administration, yet HHS was never candid with the States
about these problems as they were choosing either to build
their own exchanges or to use the CMS exchanges.
From 2007-2013, I led the overhaul and expansion of the
Social Security's suite of electronic services. I personally
reviewed every major system before beta testing, and extensive
beta testing often revealed the need for delays to make
changes. We involved not only random focus groups, but also
advocates for various people, such as victims of domestic
violence.
We need to be vigilant about the privacy of the data stored
in these types of systems, which I believe are not being
adequately protected by CMS.
The defense offered by the HHS inspector general, the
Center for Democracy & Technology, and others, that the CMS
systems are just a ``routing tool,'' not a repository, is
either untrue or problematic.
CMS needs to store data to create forensic trails necessary
to track security breaches. Failure to establish forensic
trails would create a serious issue under the Federal
Information Security Management Act of 2002 and would create a
serious operational vulnerability.
We also need to know whether unauthorized changes of
insurance could leave Americans unexpectedly uninsured. We need
to know how CMS will define and respond to breaches.
I know how important that is because I suffered through the
Office of Personal Mangement's inept response when my personal
Federal financial records were breached 2 years ago. We need to
know why many of the people who will deal with the public are
just being hired now and being hired without background checks.
A rigorous authentication process may result in as many as
2 to 5 million people who will need to interact with CMS
contractors when they fail to access the system. Is CMS ready
for that workload or are they going to sacrifice service or
authentication?
Greater transparency about these issues would have improved
the quality of the exchanges and would have increased public
confidence in the system, which is sorely lacking today.
Both SSA and the IRS formally appealed to OMB that the
exchanges would violate the Privacy Act, violations which
potentially carry criminal penalties.
OMB eventually denied that appeal, but in my view HHS will
be violating the Privacy Act on a massive scale by allowing
people to make insurance decisions for other adults without
their written consent. This feature of the system may also
allow domestic abusers to track down their victims.
An August 2, 2013 inspector general report revealed that
the CMS schedule had slipped so badly that mandatory security
findings were scheduled for the day before implementation.
Despite HHS' letter this morning, yesterday's testimony
before the House Energy and Commerce Committee indicate that
many States will be unready for October 1, and that CMS may be
unready given that the contractors were still citing October 1
as their date of readiness.
The main reason we have so little information about the
status of the exchanges is the failure of the office of the HHS
inspector general. Relying only on interviews and documents,
its August 2, 2013 report on the exchanges contained less than
5 pages of analysis; its total work product for this subject
for the year.
Moreover, the inspector general did not inspect the beta
version and meekly noted that CMS withheld security documents.
He ignored the vulnerabilities in the system that transmits,
largely through the so-called cloud, sensitive personal
information to CMS contractors and private insurers.
He ignored the privacy issues, the security issues, and the
issues associated with poorly screened and trained contractors.
He did not assess usability, performance measures, governance,
or contingency plans. With HHS' greatly expanded role in health
care, Americans need an inspector general who is a watchdog,
not a lapdog.
Congress is bitterly divided about the Affordable Care Act,
but the topics for my presentation should be common ground.
Whether or not you support an individual mandate, you can
embrace the principle that no one should be forced to sacrifice
privacy in order to comply with that mandate.
To the best of my knowledge, work on systems that would
comply with the Privacy Act ended in early 2013. A system
respecting the Privacy Act would probably take an additional 6
to 18 months to develop.
President Obama has delayed other parts of the Affordable
Care Act. Vulnerable Americans without lobbyists deserve the
same respect and deference given to the business community.
You should support a moratorium on the exchanges until HHS
secrecy ends, and until we know whether uninsured Americans
will be forced to pay, along with their premiums, the high
price of their privacy, and the safety of their personal data.
Thank you.
[The prepared statement of Mr. Astrue follows:]
Prepared Statement of Michael J. Astrue
September 11, 2013
Chairman Meehan, Ranking Member Clarke, and Members of the
subcommittee, no day is more fitting than 9/11 for us to cherish and
safeguard our liberties as Americans.
I testify today only as a former official. A quarter-century ago, I
briefly was the White House's Privacy Act officer. I then served as
general counsel of the U.S. Department of Health & Human Services and
as commissioner of Social Security for Presidents Bush and Obama. As
commissioner, I also served as a trustee of the Medicare Trust Fund.
Some history helps us understand why we needed to have this
hearing. Infighting and paralysis marked the first year of the effort
to construct the Federal health exchanges, including what is called the
``data hub.'' Administrator Berwick claimed that he could not find the
money to build the system, and he criticized Congress for not
specifically appropriating money for it. He also criticized Secretary
Sebelius for refusing to release money from the ACA discretionary fund.
Berwick pressed other agencies to pay for the exchange, even though
such payments would violate appropriations restrictions. When
development started in earnest after Berwick's departure, CMS struggled
to meet its deadline. CMS's failures and delays have been common
knowledge within the administration, yet HHS was never candid with
States as they were choosing either to build their own exchanges or to
use the CMS exchanges.
From 2007-2013, I led the overhaul and expansion of Social
Security's suite of electronic services. I personally reviewed every
major system before beta testing, and extensive beta testing often
revealed the need for delays to make changes. We involved not only
random focus groups, but also advocates for various people, such as
victims of domestic violence.
We need to be very concerned about protecting the privacy of the
data stored in these types of systems, which I believe are not
adequately protected. The defense offered by the Center for Democracy &
Technology and others--that the CMS systems are just a ``routing
tool,'' not a repository--is either untrue or problematic. CMS needs to
store data to create forensic trails necessary to track security
breaches; failure to establish forensic trails would create a serious
issue under the Federal Information Security Management Act of 2002.
We need to know whether unauthorized changes of insurance could
leave Americans unexpectedly uninsured. We need to know how CMS will
define and respond to breaches--I know how important that is because I
suffered through OPM's inept response when my Federal financial records
were breached 2 years ago. We need to know why many of the people who
will deal with the public are just being hired now, and being hired
without background checks. A rigorous authentication process may result
in as many as 2 million people who will need to interact with CMS
contractors when they fail to access the system--is CMS ready for that
workload or are they going to sacrifice service or authentication?
Greater transparency about these issues would improve the quality of
the exchanges--and increase public confidence in the system.
Both SSA and the IRS formally appealed to OMB that the exchanges
would violate the Privacy Act, violations which potentially carry
criminal penalties. OMB eventually denied that appeal, but in my view
HHS will be violating the Privacy Act on a massive scale by allowing
people to make insurance decisions for other adult family members
without their written consent. This feature of the system may well
allow domestic abusers to track down their victims.
An August 2, 2013 inspector general report revealed that the CMS
schedule has slipped so badly that mandatory security findings are
scheduled for the day before implementation. With no room for adequate
beta testing and revisions, HHS's claim that it will be ready to make
security findings on its September 30 deadline is a fiction designed to
preserve the larger fiction that the exchanges will be ready for
uninsured Americans.
Before I conclude, I urge President Obama and Congress to
scrutinize the performance of HHS Inspector General Levinson. Relying
only on interviews and documents, his August 2, 2013 report on the
exchanges contained less than 5 pages of analysis. His staff did not
even try to use the beta version of the system.
HHS cannot have it both ways. If the exchanges can function on
October 1, by July of this year there must have been a beta version.
However, the inspector general did not inspect the beta version, and
meekly noted that CMS withheld security documents. He ignored the
vulnerabilities of a system that transmits, largely through the so-
called ``cloud,'' sensitive personal information to CMS contractors and
private insurers. He ignored the privacy issues, the security issues,
and the issues associated with poorly screened and trained contractors.
He did not assess usability, performance measures, governance, or
contingency plans. With HHS's expanded role in health care, Americans
need an inspector general who is a watchdog, not a lapdog.
Congress is bitterly divided about the Affordable Care Act, but
there should be common ground. Whether or not you support an individual
mandate, you can embrace the principle that no one should be forced to
sacrifice privacy in order to comply with that mandate. To the best of
my knowledge, work on systems that would comply with the Privacy Act
stopped in early 2013 after OMB brushed aside the Privacy Act appeals
of SSA and the IRS. A system respecting the Privacy Act would probably
take an additional 6-18 months to develop.
President Obama has delayed other parts of the Affordable Care Act.
Vulnerable Americans without lobbyists deserve the same respect and
deference given to the business community. You should support a
moratorium on the exchanges until HHS secrecy ends, and until we know
whether uninsured Americans, will be forced to pay--along with their
premiums--the high price of their privacy.
Thank you.
Mr. Meehan. Thank you, Mr. Astrue.
The Chairman now recognizes Dr. Parente for his testimony.
STATEMENT OF STEPHEN T. PARENTE, PH.D., MINNESOTA INSURANCE
INDUSTRY CHAIR OF HEALTH FINANCE, DIRECTOR, MEDICAL INDUSTRY
LEADERSHIP INSTITUTE, PROFESSOR, DEPARTMENT OF FINANCE, CARLSON
SCHOOL OF MANAGEMENT, UNIVERSITY OF MINNESOTA
Mr. Parente. Thank you, Chairman Meehan, Ranking Member
Clarke, and Members of the committee, for this opportunity to
speak to you today.
My name is Steve Parente. I hold the Minnesota Insurance
Industry Chair of Health Finance at the University of
Minnesota. There, I serve as the professor in the Finance
Department at the Carlson School and director of the Medical
Industry Leadership Institute growing MBA program.
As I just stated, my expertise are health insurance, health
information technology, and a medical technology evaluation. I
have an appointment at Johns Hopkins University as a faculty
member.
In the summer of 2011, I and my colleague from the
Manhattan Institute, Paul Howard, wrote about implementation of
the Affordable Care Act and security concerns regarding the
Health Insurance Exchange Hub that is scheduled to be fully-
operational in less than 20 days.
This essay received little attention at that time. On
December 7, 2012, USA Today printed an op-ed written by Dr.
Howard and myself that described the same issues as we did a
year before. The 2012 op-ed received far greater attention
Nationally and particularly from the administration.
The principal concern I sought to examine was the
Government's capability to rapidly and securely combine
information at a personal level from multiple Federal agencies
in order to make eligibility determinations for Americans to
purchase health insurance on a State or Federal insurance
exchange.
I have stated and continue to posit that the combination of
such data would be the largest personal data integration
Government project in the history of this Republic with up to
300 million American citizens' records needing to be combined
from several Federal agencies.
The Federal agencies involved in this integration are the
Department of Health and Human Services to facilitate the data
and operating parameters of the Federally-facilitated exchange
and the State-based exchanges as well as insure that the
applicants are not already eligible for Medicare benefits; the
Social Security Administration to verify Social Security
numbers, death indicator status, disability status under Title
II of the Social Security Act, prisoner data or incarceration
status, annual and monthly Social Security benefit information,
and a confirmation to claim of citizenship is consistent with
Social Security records; the Department of Treasury to verify
income as well as transfer subsidies as necessary to purchase
health insurance; the Office of Personnel Management, Peace
Corps, and Department of Defense and Veterans Administration to
make sure that applicants don't have access to health care
coverage from other alternative sources; and finally, the
Department of Homeland Security to verify whether the
individual is indeed legally present in the United States.
My expressed concern is that it is not clear how the data
hub will operate. Ideally, the hub should function as a switch
that routes information but does not retain the personal
identifying information it is routing.
Major credit card purchases today operate this way where a
retailer at the point of purchase uses your credit card to link
a variety of data sources about you to make sure you are not a
credit risk and then clears you to purchase for a large screen
TV for the holidays.
This approach minimizes privacy risks and provides good
data security, and the Federal data hub should operate this
way, coupled to either a State or Federal insurance exchange as
well as to the Social Security Administration, Treasury
Department, Homeland Security, and Department of Justice, et
cetera.
Operating this would create a fire-and-forget data system
that would instantaneously link to an abstract piece of
information and then delete it to prevent it from becoming a
privacy concern.
Major financial services firms have been providing these
services for nearly 2 decades, and if there ever has been a
privacy breach, it is not from a pure data switch.
Now having said that about how one can provide reliable
data protection, no one has said how this hub will actually
operate to ensure that every precaution possible has been taken
to avert privacy breaches as well as safeguard against identity
fraud.
Greater transparency is needed as well as frank
acknowledgment that the ACA's posted deadlines should take
second place to reasonable data privacy and security concerns.
This isn't a political point, it isn't meant to impinge on
anyone's motives inside of HHS or the administration.
The fact that only a handful of individuals know truly how
this will operate may preserve some security but it is
operating as--not operating as planned, it could also be viewed
as a failure with the execution for full transparency and
provision of law that could--that had 3 years to implement but
did not get the job done.
HHS's job is to implement this law and as much as some
citizens may dislike an assortment of the law's underlying
provisions, HHS' staff are doing exactly what they need to get
it done under the constraints they can't control.
They are doing so in a politically-charged environment and
crashing headlong into constraints of scarce human capital,
complex regulatory environments, and of a massive IT project
with literally no technical precedent.
I believe Congress has a legitimate oversight
responsibility to ensure that whatever your feelings about the
ACA, the final product is trusted, functional, and secure for
all Americans. Congress should take that responsibility
seriously and the administration should help them execute that
responsibility.
In closing, I hope my efforts to bring transparency to
operational parameters of the hub only strengthen its
operation. Failure to build a secure hub could bring
significant damage to the privacy and security of Federal data
systems and cause irreparable harm to Americans whose personal
information would be lost to fraud and identity theft. This
must not be allowed to occur.
Thank you for this opportunity to be heard today. I welcome
your questions.
[The prepared statement of Mr. Parente follows:]
Prepared Statement of Stephen T. Parente
September 11, 2013
Thank you, Chairman Meehan, Ranking Member Clarke, and Members of
the committee, for this opportunity to speak to you today.
My name is Steve Parente. I hold the Minnesota Insurance Industry
Chair in Health Finance at the University of Minnesota. There, I serve
as professor in the Finance Department at the Carlson School of
Management and director of the Medical Industry Leadership Institute, a
growing MBA program. My areas of expertise are health insurance, health
information technology, and medical technology evaluation. I also have
an appointment at the Johns Hopkins University in Baltimore, Maryland.
In summer 2011, I and my colleague from the Manhattan Institute
Paul Howard wrote about implementation of the Affordable Care Act (ACA)
and security concerns regarding the Health Insurance Exchange Hub that
is scheduled to be fully operational in less than 20 days. This essay
received little attention at the time. On December 7, 2012 USA Today
printed an op-ed on written by Dr. Howard and myself that described the
same issues as we did a year before. The 2012 op-ed received far
greater attention Nationally and in particular from the administration.
The principal concern I sought to examine was the Government's
capability to rapidly and securely combine information at a personal
level from five Federal agencies in order for someone to purchase
health insurance on a State or Federal exchange. I have stated and
continue to posit that the combination of such data would constitute
the largest personal data integration Government project in the history
of the Republic, with up to 300 million American citizen records
needing to be combined from five Federal agencies.
The five agencies involved in this integration are: The Department
of Health and Human Services, to facilitate the data and operating
parameters of the exchanges; the Social Security Administration, to
verify if the person to be insured is indeed living; the Department of
Treasury, to verify income level, as well as transfer subsidies as
necessary to purchase health insurance; the Department of Justice, to
verify that the insured is not incarcerated; and finally, the
Department of Homeland Security, to verify the citizenship of the
individual.
My expressed concern is that it's not clear exactly how the data
hub will operate. Ideally, the hub should function as a switch that
routes information but does not retain the person-identifying
information it is routing. Major credit card purchases today operate
this way: Where a retail vendor, at the point of purchase, uses your
credit card to link a variety of data about you to make sure you are
not a credit risk and then clears you for purchase of your 70" LCD TV
for the holidays. This approach minimizes privacy risks and provides
good data security.
The Federal data hub should operate this way, coupled to either a
State or Federal insurance exchange as well as to the Social Security
Administration, Treasury Department, Homeland Security, and Department
of Justice, et al. Operating this would create a fire-and-forget data
system that would instantaneously link to an abstract piece of
information and then delete it to prevent it from becoming a privacy
concern. Major financial services firms have been providing these
services for nearly 2 decades, and if there ever has been a privacy
breach, it is not from a pure data switch.
Having said how you could provide reliable data privacy protection,
no one has said how the data hub will actually operate to ensure no
privacy breaches as well as safeguard against identity fraud. Greater
transparency is needed, as well as a frank acknowledgement that the
ACA's posted deadlines should take second place to reasonable data
concerns. This isn't a political point, and isn't meant to impinge upon
anyone's motives inside HHS. The fact that only a handful of
individuals know truly how this will operate may preserve some
security. Alternatively, if the hub does not operate as planned, it may
also be viewed as a failure to plan and execute with full transparency
a provision of the law the agencies had over 3 years to implement.
HHS' job is to implement the law. As much as some citizens dislike
an assortment of the law's underlying provisions HHS staff are doing
exactly what they are supposed to do and facing constraints they can't
always control. They are doing so in a politically-charged
environment--and crashing headlong into the constraints of scarce human
capital, complex regulatory requirements, and a massive IT project with
literally no technical precedent.
I believe Congress has a legitimate oversight responsibility to
ensure that--whatever your feelings about the ACA--the final product is
trusted, functional, and secure for all Americans. Congress should take
that responsibility seriously--and the administration should help them
execute that responsibility.
In closing, I hope my efforts to bring transparency to operational
parameters of the hub only strengthen its operation. Failure to build a
secure hub could bring significant damage to the security of Federal
data systems. This must not be allowed to occur.
Thank for you this opportunity to be heard today. I welcome any
questions.
Mr. Meehan. Thank you, Dr. Parente.
The Chairman now recognizes that the gentlelady from the
IG's office, Ms. Daly.
STATEMENT OF KAY DALY, ASSISTANT INSPECTOR GENERAL, AUDIT
SERVICES, U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
Ms. Daly. Thank you, Chairman Meehan.
Thank you, Chairman Meehan, Ranking Member Clarke, and
other distinguished Members of the subcommittee. I appreciate
the opportunity to be here today to discuss the Office of
Inspector Generals' review of the Centers for Medicare and
Medicaid Services implementation of the Data Services Hub from
a security perspective.
My testimony today summarizes OIG's observations about CMS'
progress in implementing security requirements of the hub
including a recent update we received from CMS management on
the status of the project.
As you know, the hub plays a key role in providing
important data for health insurance exchanges that are also
called marketplaces, which are being established under the
Affordable Care Act.
The State-based exchanges will serve as the one-stop shop
where individuals will get information about their health
insurance options, be assessed for eligibility, and enroll in
the health plan of their choice.
The hub is intended to support those exchanges by providing
a single point where exchanges can access data from different
sources including Federal agencies and their State partners.
It is important to note that the hub does not store data,
rather, it simply acts as a conduit for the exchanges to access
data from where they are stored.
In a report issued on August 2, 2013, we assessed the
information technology security controls that CMS was
implementing for the hub and the coordination between CMS and
Federal and State agencies during the development of the hub.
We did not review the functionality of the hub or privacy
issues associated with it.
At the time of our reviews, CMS was addressing and testing
security controls of the hub during the development process.
Several critical tasks remained to be completed at the time,
such as the final independent testing of the hub security
controls, remediating the security vulnerabilities identified
during testing, and obtaining the security authorization for
the hub before opening the exchanges.
CMS' schedule at that time was to complete all of these
tasks by October 1 in time for the expected initial open
enrollment date for the health insurance exchanges.
Our report described the time lines that CMS provided us
for its system security plan, its risk assessment, and its
security control assessment and security authorization
decisions.
In our report, we noted that between March and July, some
key dates had moved back. These were internal target dates set
by CMS for these milestones and not mandated deadlines.
Subsequent to issuing our report, CMS has reported to us
that it has made additional progress on these key security
milestones. For example, since our review, CMS has reported to
us that the security authorization was completed on September
6, 2013. We have not independently verified CMS' progress since
completing our audit.
Our review also observed that CMS was coordinating with its
Federal and State partners during the development and testing
of the hub in part to ensure that security measures were
implemented by all stakeholders.
CMS had developed a testing approach and test plans for the
inter-agency testing aspect. At the time of our reviews, CMS
was in the process of executing those test plans.
In addition, CMS has developed security-related documents
and security agreements regarding its Federal partners and
information systems and networks.
Federal policy does require agencies to develop
interconnection security agreements for Federal information
systems and networks that share or exchange information.
Each of the Federal partners will provide information on
their systems' environments and the overall approach for
safeguarding the confidentiality, integrity, and availability
of shared data in systems interfaces.
Since our review, CMS has reported to us that all of these
agreements are expected to be approved by September 27, 2013.
In closing, I want to thank you for your interest in our
work on this important subject and the opportunity to be part
of this discussion. I would be very pleased to take any
questions you might have.
[The prepared statement of Ms. Daly follows:]
Prepared Statement of Kay Daly
September 11, 2013
introduction
Good afternoon, Chairman Meehan, Ranking Member Clarke, and other
distinguished Members of the subcommittee. Thank you for the
opportunity to testify about the Office of Inspector General's (OIG)
review of the Centers for Medicare & Medicaid Services' (CMS)
implementation of the Data Services Hub (hub) from a security
perspective, which we issued on August 2, 2013.\1\ My testimony today
summarizes OIG's observations about CMS's progress in implementing
security requirements of the hub during the period of our review.\2\ We
assessed the information technology (IT) security controls that CMS was
implementing for the hub, adequacy of the testing being performed
during its development, and the coordination between CMS and Federal
and State agencies during the development of the hub. We did not review
the functionality of the hub or issues specific to the Privacy Act.
---------------------------------------------------------------------------
\1\ Observations Noted During the OIG Review of CMS's
Implementation of the Health Insurance Exchange--Data Services Hub, A-
18-13-30070, August 2013, available on-line at https://oig.hhs.gov/oas/
reports/region1/181330070.asp.
\2\ We performed our fieldwork substantially from March through May
2013. We continued to receive updates from CMS through July 1, 2013,
and its comments on our draft report are included in the final report.
---------------------------------------------------------------------------
At the time of our review, CMS was addressing and testing security
controls for the hub during the development process. Several critical
tasks remained to be completed, such as the final independent testing
of the security controls, remediating security vulnerabilities
identified during testing, and obtaining the security authorization
decision for the hub before opening the exchanges. CMS's schedule at
that time was to complete all of these tasks by October 1, 2013, in
time for the expected initial open enrollment date for health insurance
exchanges.
Our report described the time lines that CMS provided us for its
system security plan, risk assessment, security control assessment, and
security authorization decisions. In our report, we noted that between
March and July, some key targets had been shifted to later dates. These
were internal target dates set by CMS for these milestones and not
mandated deadlines. Since issuing our report, CMS has reported to us
that it has made additional progress on these key milestones, including
obtaining its security authorization for the hub on September 6, 2013.
We have not independently verified CMS's progress since completing our
audit.
Following is a discussion of the hub's role within the health
insurance exchanges, the results of our review, and concluding
observations.
background
States must establish health insurance exchanges by January 1,
2014,\3\ and all health insurance exchanges must provide an initial
open enrollment period beginning October 1, 2013 (45 CFR � 155.410).
Health insurance exchanges, also known as Marketplaces, are State-based
competitive marketplaces where individuals and small businesses will be
able to purchase private health insurance.\4\ Exchanges will serve as a
one-stop shop where individuals will get information about their health
insurance options, be assessed for eligibility (for, among other
things, qualified health plans, premium tax credits, and cost-sharing
reductions), and enroll in the health plan of their choice.
---------------------------------------------------------------------------
\3\ The Patient Protection and Affordable Care Act � 1311(b) (Pub.
L. No. 111-148) and the Health Care Reconciliation Act of 2010 (Pub. L.
No. 111-152), collectively known as the Affordable Care Act (ACA).
\4\ A State may elect to operate its own State-based exchange or
partner with the Federal Government to operate a State partnership
exchange. If a State elects not to operate an exchange, the Department
of Health and Human Services will operate a Federally Facilitated
Exchange. For the purposes of this report, ``exchanges'' refers to all
three types of health insurance exchanges.
---------------------------------------------------------------------------
The hub is intended to support the exchanges by providing a single
point where exchanges may access data from different sources, primarily
Federal agencies. It is important to note that the hub does not store
data. Rather, it acts as a conduit for exchanges to access the data
from where they are originally stored. Hub functions will include
facilitating the access to data by exchanges, enabling verification of
coverage eligibility, providing a central point for the Internal
Revenue Service (IRS) when it asks for coverage information, providing
data for oversight of the exchanges, providing data for paying
insurers, and providing data for use in web portals for consumers.
Effective security controls are necessary to protect the
confidentiality, integrity, and availability of a system and its
information. The National Institute of Standards and Technology (NIST)
developed information security standards and guidelines, including
minimum requirements for Federal information systems. CMS is required
to follow the NIST security standards and guidelines in securing the
hub.\5\
---------------------------------------------------------------------------
\5\ NIST's security standards assist Federal agencies in
implementing the requirements under the Federal Information Security
Management Act of 2002, 44 U.S.C. �� 3541, et seq.
---------------------------------------------------------------------------
To determine CMS's progress in implementing security requirements
for the hub, OIG reviewed documentation, project schedules, and time
lines; interviewed CMS employees and contractors and personnel from key
Federal agencies working with CMS during development of the hub; and
reviewed CMS's security testing results.
results of oig's review
At the time of our review, CMS and its contractors were continuing
to develop the hub and work with its Federal and State partners in
testing the hub to ensure its readiness in time for the initial open
enrollment to begin on October 1, 2013. The following observations
provided the status of CMS's implementation related to security
controls, security testing, and coordination at the time of our
fieldwork.
Security Authorization
According to NIST security standards, every Federal information
system must obtain a security authorization before the system goes into
production. The security authorization is obtained from a senior
management official or executive with the authority to formally assume
responsibility for operating an information system at an acceptable
level of risk to agency operations. At CMS, the authorizing official is
the Chief Information Officer (CIO).
The security authorization package must include a system security
plan, information security risk assessment, and security control
assessment report. The security authorization package provides
important information about risks of the information system, security
controls necessary to mitigate those risks, and results of security
control testing to ensure that the risks have been properly mitigated.
Therefore, these documents must be completed before the security
authorization decision can be made by the authorizing official. Under
the NIST guidelines, the authorizing official may grant the security
authorization with the knowledge that there are still risks that have
not been fully addressed at the time of the authorization.
At the time of our review, the security authorization decision by
the CMS CIO was expected by September 30, 2013. Since our review, CMS
has reported that the security authorization was obtained on September
6, 2013.
System Security Plan and Information Security Risk Assessment
CMS incorporated the elements required for adequate security into
the draft hub system security plan. The plan: (1) Provides an overview
of the security requirements of the system, (2) describes the controls
in place or planned (e.g., access controls, identification, and
authentication) for meeting those requirements, and (3) delineates the
responsibilities and behavior expected of all individuals who access
the system.
CMS was still drafting the information security risk assessment at
the time of our review. For this reason, we could not assess CMS's
efforts to identify security controls and system risks and implement
safeguards and controls to mitigate identified risks. Key aspects of
the assessment should identify risks to the operations (including
mission, functions, image, or reputation), agency assets, and
individuals by determining the probability of occurrence, the resulting
impact, and additional security controls that would mitigate this
impact.
At the time of our review, the CMS contractor did not expect to be
able to provide finalized security documents, including the system
security plan and risk assessment, to CMS for its review until July 15,
2013. Since our review, CMS reported to us that the documents were
provided to CMS on July 16, 2013.
Security Control Assessment and Testing
At the time of our review, CMS and its contractors were performing
security testing throughout the hub's development, including
vulnerability assessments of hub services. CMS was logging and tracking
defects and vulnerabilities, as well as correcting and retesting hub
services to ensure that vulnerabilities are remediated.
A security control assessment of the hub must be performed by an
independent testing organization before the security authorization is
granted.\6\ The assessment determines the extent to which the controls
are implemented correctly, operating as intended, and producing the
desired outcome of meeting the security requirements for the
information system. The goal of the security control assessment test
plan is to explain clearly the information the testing organization
expects to obtain prior to the assessment, the areas that will be
examined, and the activities expected to be performed during the
assessment.
---------------------------------------------------------------------------
\6\ NIST Special Publication 800-37, Guide for Applying the Risk
Management Framework to Federal Information Systems, Revision 1.
---------------------------------------------------------------------------
According to CMS, the assessment was scheduled to be performed
between August 5 and 16, 2013. Since the assessment was not completed
at the time of our review, we could not determine whether
vulnerabilities identified by the testing would be mitigated. Since our
review, CMS has reported to us that the assessment was completed on
August 23, 2013.
Adjustments to CMS Time Lines
CMS provided us with time lines in March 2013 and May 2013 for its
system security plan, risk assessment, security control assessment, and
security authorization decisions. CMS also provided us additional
information on timing of certain steps after the May time line. Some
key targets had been moved to later dates as the development of the hub
was continuing. It is important to note that these were internal target
dates set by CMS for these milestones and not mandated deadlines.
For example, in March, the security control assessment test plan
was targeted to be provided to CMS on May 13, 2013, and this due date
was subsequently moved to July 15, 2013, and the start date of the
security control assessment was moved from June 3, 2013, to August 5,
2013. CMS stated that the security control assessment time frame was
moved so that performance stress testing of the hub could be finished
before the assessment and any vulnerabilities identified during the
stress testing could be remediated. Otherwise, CMS might need to
perform an additional assessment after the remediation was complete.
According to CMS's time line from May 2013, the security
authorization decision by the CMS CIO was expected on September 30,
2013. OIG noted in our report that if there were additional delays in
completing the security authorization package, the CMS CIO may not have
a full assessment of system risks and security controls needed for the
security authorization decision by the initial open enrollment period
set to begin on October 1, 2013. In its comments on our draft report,
CMS stated that it was confident that the hub would be operationally
secure and it would have a security authorization before October 1,
2013.
Since our review, CMS has reported to us that the security
authorization was obtained on September 6, 2013.
Coordination Between CMS and Its Federal and State Partners
Our review observed that CMS was coordinating with its Federal and
State partners during the development and testing of the hub, in part
to ensure that security measures are implemented by all stakeholders.
CMS developed an approach for interagency testing and has developed
test plans. At the time of our review, CMS was in the process of
executing its test plans, which included testing for secure
communications between CMS and its Federal and State partners and
performance stress testing of the hub. In addition, CMS has developed
security-related documents and security agreements regarding Federal
information systems and networks. The Federal partners are the IRS,
Social Security Administration (SSA), Department of Homeland Security
(DHS), Veterans Health Administration (VHA), Department of Defense
(DoD), Office of Personnel Management (OPM), and Peace Corps.
CMS has developed security-related documents related to the hub and
the exchanges. CMS developed Interface Control Documents (ICD) with all
of its Federal partners. The ICDs provide a common, standard technical
specification for transferring ACA-related information between CMS (the
hub) and its Federal partners. The ICDs establish standard rules,
requirements, and policies (including security-related policies) with
which the development and implementation of the interfaces between CMS
and its Federal partner must comply. CMS and its Federal partners
collaborated in developing the ICDs and signed the ICDs in May 2013.
Federal policy requires agencies to develop Interconnection
Security Agreements (ISAs) for Federal information systems and networks
that share or exchange information with external information systems
and networks.\7\ The Master ISA describes the systems' environment; the
network architecture; and the overall approach for safeguarding the
confidentiality, integrity, and availability of shared data and system
interfaces. In addition, the Master ISA contains information on CMS
information security policy and the roles and responsibilities for
maintaining the security of ACA systems.
---------------------------------------------------------------------------
\7\ Specifically, Office of Management and Budget Circular A-130,
Appendix III, requires agencies to obtain written management
authorization before connecting their IT systems to other systems. The
written authorization should define the rules of behavior and controls
that must be maintained for the system interconnection.
---------------------------------------------------------------------------
CMS completed a preliminary review of the Master ISA between CMS
and the developer of the hub on April 2, 2013, and the Associate ISAs
on May 15, 2013. Each of the Federal partners will provide similar
information pertaining to the partner agency in the Associate ISAs,
which will be signed by the Federal partner authorized official. Since
our review, CMS has reported to us that all ISAs with its Federal
partners are expected to be approved by September 27, 2013.
A service-level agreement (SLA) is a negotiated agreement between a
service provider and the customer that defines services, priorities,
responsibilities, guarantees, and warranties by specifying levels of
availability, serviceability, performance, operation, or other service
attributes. A SLA is needed between CMS and each of its Federal
partners to establish agreed-upon services and availability, including
response time and days and hours of availability of the hub and the
Federal partner's ACA systems. According to CMS's project schedule, the
SLA with IRS was completed on March 15, 2013; the SLA with DHS was
expected to be signed by July 26, 2013; and the SLA with SSA was
expected to be signed by September 27, 2013. The SLAs with the
remaining Federal partners (VHA, DoD, OPM, and Peace Corps) were
expected to be signed by September 20, 2013. Since our review, CMS has
reported to us that the SLAs with IRS, VHA, and DHS are expected to be
signed before the end of September. CMS also reported that DoD-Tricare
and CMS have agreed to allow transactions to occur and monitor the
``response time metric'' to set a baseline for the interaction
standards before they execute their SLA. They expect to execute their
SLA by the end of December.
concluding observations
CMS is taking steps to ensure that there are adequate security
measures for the hub in compliance with NIST guidelines. At the time of
our review, CMS was working with very tight deadlines to ensure that
security measures for the hub were assessed, tested, and implemented by
the expected initial open enrollment date of October 1, 2013.
Our report provided the status of the implementation of key
security requirements at a point in time. CMS has reported to us that
it has completed all of the required steps and obtained its security
authorization on September 6, 2013. We have not independently verified
CMS's progress since completing our audit.
Thank you for your interest in our work on this important issue and
the opportunity to be a part of this discussion. I would be pleased to
answer your questions.
Mr. Meehan. Thank you, Ms. Daly.
The Chairman now recognizes our last panelist, Mr. Salo.
Mr. Salo----
STATEMENT OF MATT SALO, EXECUTIVE DIRECTOR, NATIONAL
ASSOCIATION OF MEDICAID DIRECTORS
Mr. Salo. Great. Thank you very much, Chairman Meehan,
Ranking Member Clarke, other Members of the committee and
subcommittee.
My name is Matt Salo. I am the Executive Director of the
National Association of Medicaid Directors. I appreciate the
opportunity to testify on their behalf.
It is important to talk a little bit about what Medicaid
is; why is Medicaid here at this conversation about the hub?
Medicaid itself does a lot more than most people think.
We deal in numbers of that are astronomical. We are going
to spend close to $500 billion this year covering 72 million
Americans. It is a State and Federal program. Our members are
the ones in every State and territory who actually administer
the program.
We are here in large part because again, not very well-
known, but Medicaid really is kind of the centerpiece of the
ACA. The ACA spent about $1 trillion over 10 years, half of
that goes into Medicaid, to the expansion, and for other
changes to it.
So obviously, the ACA or Obamacare is a highly politically-
charged issue. We know this, but what is also true is that the
impacts of the law are very real and are very real for the
citizens of this country, the citizens of each one of our
States.
For my members, as public servants, their primary job is to
uphold the law but also to ensure the health and the well-being
and yes, the security of their citizens.
If things don't go well, we get the calls. So it is very,
very important that we make sure that things do go as well as
possible, and there is going to be a lot of aspects of that.
I think the primary ones for this issue are that our
citizens not only understand but are able to access, afford,
and be safe in their security in terms of the new health
options that are going to be available to them.
So while there has been a lot of talk and a lot of
attention to bigger picture issues like the expansion and State
versus Federal exchanges, we welcome the opportunity to talk
about some of these under-the-hood types of conversations and
the work that is going on.
Other panelists have talked about the Herculean nature of
what we are building here, the unprecedented nature. We have
bandied around terms like moonshot earlier.
There really is no precedence in terms of what we are
trying to build here, and I think it is important to keep all
of that in mind especially when confronting the fact that I
think at least at the onset, people were envisioning that this
was going to be a Travelocity of health care.
While I think we may get there someday, I do not think it
will look like that on Day 1 because in many ways, what is
happening is the creation of the system is kind of like
building a bridge starting at opposite ends of a river and
trusting that they meet in the center.
The challenge for Medicaid is that in many ways it is
building 56 different bridges and hoping and trusting that they
will meet in the center. The challenges obviously are that
there is never enough time, never enough money, never enough
bandwidth to do all of these things.
But having said all of that, again, this has been issue No.
1 for our members for the past several years. While there are
many aspects of this, security is a very, very important one as
well.
It is important to know that from our perspective as we
build the connectivity between Medicaid and the hub, the
concepts of the security of the information are being baked in
to that connectivity, and that the security and the privacy and
the confidentiality of information is not something that is new
to us.
We served 72 million people last year and we did so in a
way that bridged lots of different gaps. Medicaid was able to
communicate with other programs like TANF for food stamps,
SNAP.
Medicaid was able to bridge the gap with Medicare to ensure
care coordination for dual eligibles. Medicaid is able to
bridge the gap with private insurance to do third-party
liability, to look at citizenship documentation and that became
part of the law a couple years ago, and in many of the aspects
of program integrity that State and Medicaid programs take
very, very seriously.
This is a very, very important issue and it will be
addressed and it will be one of the core functions of what we
do.
By all that, I do want to say though that when we are
looking at October 1 or January 1, it is important to recognize
that we are going to have a turbulent takeoff and we are going
to have a bumpy road as we move forward because of the
complexity of what we are doing, because of the nature of what
we are doing.
But I think it is also important to note that from our
perspective, we do not believe that security is one of those
things that is going to be sacrificed or jettisoned in order to
get this done right on time.
That in fact we think there will be a lot of Day 2, Day 3,
Day 4 mitigation plans and work that is being done, work that
is being planned as we speak to try to figure out how do we
take what we know will break down and fix it.
Again, not on the security side, but in terms of the
consumer interface where we know that people's lives, people's
situations are messier than rules engines can usually handle,
but we are working on this. This is what we do.
I would just close with an analogy, you know, in some
sense, what we are doing here is analogous to rolling out the
Medicare Part D program.
Although that seemed relatively straightforward, on Day 1
when we turned on all the lights, it was a bit of a mess, and
we had a lot of seniors who were in pharmacies who didn't know
what was going on, couldn't get their prescriptions, couldn't
get anyone to give them clear answers.
It was the States, the Feds, and the plans who worked
together tirelessly for months to figure out, how do we fix
this? Now, in many respects, this is like Part D on steroids,
but that is the commitment we have, and that is the vision that
we see moving forward.
This will work. It will not work perfectly. We do not
believe security is going to be a primary concern on Day 1, and
we will fix what happens and what breaks as we move forward.
Thank you, and I am happy to answer any questions.
[The prepared statement of Mr. Salo follows:]
Prepared Statement of Matt Salo
September 11, 2013
Good afternoon Chairman Meehan, Ranking Member Clarke, and
distinguished Members of the subcommittee. My name is Matt Salo, and I
am the executive director of the National Association of Medicaid
Directors (NAMD). I appreciate the opportunity to testify before you
today.
medicaid
Medicaid is the Nation's health care safety net. Jointly financed
by the States and the Federal Government, Medicaid spent more than $420
billion last year to provide health care to more than 72 million
Americans. The program is administered by the States within a broad
Federal framework which leads to enormous variation across States in
terms of who is covered, what services are provided, and how those
services are paid for and delivered. Furthermore, within any given
State, Medicaid's role is broad, varied, and complex. Medicaid funds
close to 50 percent of all births, and the majority of all publicly-
financed long-term care in this country.
It also provides most of the Nation's funding for HIV/AIDS-related
treatments, mental health services, and others.
It is therefore very difficult to talk simplistically about
Medicaid (either Nationally, or within a State), despite its incredible
importance in the U.S. health care system.
NAMD was created with the sole purpose of providing a home for the
Nation's Medicaid directors and we represent all 56 of the State,
territorial, and DC agency heads. Our two broad objectives are to give
the Medicaid directors a strong, unified voice on National and Federal
matters as well as helping develop a robust body of technical
assistance and best practices for them to improve their own programs.
While no two programs look exactly alike, the directors are unified in
their heartfelt desire to improve the health and health care of the
growing number of Americans who rely on the program.
implementing the affordable care act--overview
No issue has been more polarizing in recent memory than the
Affordable Care Act (ACA), often known as ``Obamacare.'' While the ACA
may not be wildly politically popular, or even well-understood, it is
the law of the land, and it will have far-reaching and fundamental
impacts on the citizens of every State in the Nation.
Politics aside, the key to the success or failure of this new law
lies in how well it serves our citizens; and how well they are able to
understand, access, and afford their new health insurance options. In
many ways much of the foundation hinges on reforms to the Medicaid
program. The States have been working as quickly and effectively as
possible for months, even years, to put together the pieces of this
complex health insurance overhaul.
To fully understand the Herculean task the ACA presented to State
Medicaid programs, we must acknowledge that States began this journey
from very different starting points. Likewise, even several years after
the official ACA launch we can still expect to see differences in the
structure of Medicaid programs--and health care systems generally--as
States determine how to best meet the diverse needs of their citizens.
Regardless of their starting or ending points, there is a long list
of changes that all States have to make to comply with the law. These
include overhauling complex eligibility systems to conform to new
standardized Federal rules. State Medicaid agencies also have been
working to integrate with new health insurance marketplaces to ensure
that individuals and families receive consistent, accurate information
about their eligibility for public insurance programs. And they have
endeavored to minimize the burden and confusion for individuals and
families trying to navigate the rules for these new programs.
Investments in this system overhaul are being made by States, and
by the Federal Government--with everyone involved fully committed to
ensuring that they work as well as possible. As envisioned, the new
system would be able to process a few consumer data points (name,
Social Security number) and determine the insurance program--Medicaid
or the marketplace--for which each individual in a family would be
eligible. It also would begin the actual process of enrolling and
paying for that coverage.
Achieving this vision requires real-time communication between
States and the Federal Government and among multiple Federal
departments that historically have never talked to one another. In many
States, it requires a complete overhaul of decades-old Medicaid
eligibility systems in order to interface with a new Federal ``hub.''
In addition to these technical hurdles, there is another reality to
contend with: No two State Medicaid programs are alike. These
differences have developed over the nearly 50 years of the program's
existence, and reflect the political and cultural dynamics of each
State. These differences range from who is covered, which benefits are
available and how care is both delivered and paid for, as well as the
sophistication (or too often, lack thereof) of the State eligibility
and information systems, many of which were built in the 1980s.
In a sense, States are building 50+ bridges all at the same time,
from different starting points and hoping that these efforts meet
exactly in the middle. These bridges CAN be built and they are in fact
being built now. But it is vitally important that we take heed of the
lessons of complex policy implementations in the past as well as the
expertise States have with program and system implementations.
privacy, security, confidentiality of information
Security, privacy, and confidentiality are among the highest
priorities for State Medicaid Directors. They also hold their vendors
to the same high expectations and work with them to ensure they too
appropriately safeguard personal information.
While there have been security breaches in Medicaid, there have
also been security breaches in the banking and credit card industries,
with internet service providers, and practically every other component
of our increasingly interdependent economy. It is unrealistic to expect
that these things can be prevented entirely, it is more important that
we focus on how to minimize and mitigate the risks that are inherent in
an interconnected society.
States currently handle many of these types of information in a
highly secure way as they make eligibility determinations for the more
than 70 million Americans currently on the program. States routinely
work with chief information officers, consumer protection agencies, the
inspector general's offices in a variety of State and Federal agencies,
and more in their efforts to protect consumer information.
While the specifications of the systems being built to interface
with the Federal data hub and the Insurance Marketplaces are new,
States have decades of experience working across program platforms to
ensure privacy, confidentiality, and security of patient information
(medical and otherwise). Whether its communicating with private
insurance companies to do third-party liability determinations, working
with other programs such as TANF or SNAP to eliminate redundancies,
working with a range of Federal agencies to implement citizenship
documentation requirements, or working with Medicare to improve care
coordination for individuals dually eligible for both programs, State
Medicaid directors have significant experience and perspective.
In each of these examples, it is important to note that the sharing
of information across programs or payors is a vitally important
function. In fact, the entire field of public health and program
integrity would barely exist if data could not flow securely, quickly,
and effectively.
While I am not here to testify to the readiness schedule of the
Federal data hub, we do know from experience of the high-level
commitment to privacy and security. In fact, this commitment is one of
the main drivers of our concern that the full range of operational
capacity is not likely to be met by October 1. In fact, some of the
earliest conversations with our Federal partners revealed a significant
stance on behalf of IRS that it was more important to ensure that the
exchange of data was done securely than it was to do it quickly.
the road ahead
As we approach the open enrollment date of October 1, 2013, there
is one lesson that clearly stands out: We must be prepared for a
turbulent take-off.
The magnitude of the changes and the many different pieces that
have to be linked together mean everyone--consumers, policymakers, and
other interested stakeholders--must have reasonable expectations of the
systems and programs early on. In many instances, the consumer
experience will not be immediately smooth. Real people are going to be
frustrated when accessing the system. Whether it's a failure of
computer algorithms to properly account for the startling complexity of
real people's lives, or the difficulty in ensuring that these multiple
State and Federal agencies are communicating in real time, it will be
bumpy.
However, it's also reasonable to expect that the experience can and
will improve over time. As they do in advance of any major
implementation, Medicaid agencies are trying to predict, plan for and
set up procedures to resolve the problems that will inevitably arise.
At the same time they will continue working towards the ultimate goal
of compliance with the law's requirements and seizing other
opportunities they've identified.
The health and safety of Medicaid clients is the main concern of
Medicaid directors, and they will continue their on-going commitment to
provide the best possible service to beneficiaries, while protecting
the integrity of the program, and being responsible stewards of
taxpayer dollars.
Mr. Meehan. Well, thank you Mr. Salo.
I thank all of the panelists for their testimony.
Let me begin, Mr. Salo, you made an observation and I think
it was really important to recognize that some of the people
that are at the most risk here are those in Medicaid, the
poorest, those in the least capacity to be able to recover or
help themselves in situations where they may be taken advantage
of.
You used the word ``no precedence in its size.'' Dr.
Parente called it I think the greatest--the ``largest personal
data Government integration project in the history of the
Republic.''
Ms. Daly, let's get the elephant out of the room. You know,
we are talking here about representations that have been made
by an agency and findings that you made about their readiness
to meet these deadlines.
But we had the IG before us just a few weeks ago, the HHS
itself said, and your reports confirmed they would not be ready
until the 30th at the end of this month.
That is in the course of the normal business. We know the
challenges. I am already suggesting this is the largest
database in the history of the Republic.
Now, we received a report which you just said that lo and
behold it was done on the 6th. They are ready to go.
Now this is an agency who for 3 years failed to meet a
single deadline, and in your own IG's report and virtue of
every single deadline that was articulated as much as 3 months
before there was not a single deadline met.
Now you have stated yourself that this has not been done
with any independent verification and the word continues to be
just ``trust us.''
Ms. Daly, you are the Inspector General. Do you trust them?
Ms. Daly. Chairman Meehan, I appreciate the opportunity to
respond to that. In our report, we did point out that they
had--some of the dates had moved from their original plan date.
In fact, the date for the security authorization that was
recently provided on September 6, in our report, we pointed out
that it was--that is on September 30--so that is what gave us
pause and wanted to get that--the early information out to the
Members of this oversight body so that steps could be at taken
and pressure to bear where appropriate.
So with that, we have recently been provided the assurance
from the CIO at CMS through that security authorization
decision, that is part of the normal NIST standards that are
used and NIST, as you know, sir, it is the National Institute--
--
Mr. Meehan. I know those----
Ms. Daly. Yes, sir, very good. So with that, you know, we
are just providing that information to you. We have not had a
chance to go in and do a thorough assessment of it at this time
given the short time span.
Mr. Meehan. So you have passed this on, but let's go
through. Now what are the three steps? We understand that there
are three steps in a NIST process.
There is the identification of the program that we have.
There is beta testing of that program. Once that is beta
tested, you identify the flaws in that program, you then fix
that program, you then test it again to assure--and it is at
that point in time that there is the certification.
They were not even ready at that point in time, which was
only 2 or 3 weeks ago to certify to us that they had even done
the appropriate beta testing.
Now you tell me how it is; we need your help. You are the
person who is the independent verification, not just ``trust
us.'' So how can we believe that what was originally scheduled
not to be done 'til the 30th on a massive project in which they
have failed to meet a single deadline has been done on the 6th
and they have failed to give you any information as we said,
did you get, when you asked for information about the
documents--Mr. Astrue identified them specifically--you were
not given those documents. They were held back from you. You
are an Inspector General. Why wasn't a demand made for those
documents?
Ms. Daly. Well, sir, actually, to be clear, in our report,
we discuss a number of documents that weren't available at the
time----
Mr. Meehan. Well, if they are not available then, what
makes you think that they were? Because that is part of the
legal obligations. This isn't something that they just get to
decide. They are going to determine how this process takes
place. That is the NIST standards.
Do you believe that they made up all of that ground in that
short period of time?
Ms. Daly. Well, sir, I can't speak to that at this time.
Mr. Meehan. What does your gut tell you?
Ms. Daly. I don't have a reaction. I generally, you know,
being an auditor, I base our work on, you know, the generally
accepted auditing standards and that is how we go about and do
our work and I would have to go in and do a number of
procedures in order to report back to----
Mr. Meehan. One of them might be real beta testing. Do you
intend in light of what they--they have just made
representations to you, we still have a period, do you intend
to have the inspector general's office use all of its resources
to do the actual beta testing of certain parts of the facility
before October 1?
Ms. Daly. Well, sir, let me clarify for you that the beta
testing is generally focused on the functionality of the system
and with the functionality of the system, that is really more
about how the user experiences that system and so forth.
Mr. Meehan. But not security----
Ms. Daly. It is not really security.
Mr. Meehan. So we haven't even tested for security.
Ms. Daly. Well, sir, to be--one of the key elements that
the CIO should be considering as part of his security
authorization decision is the independent security testing of
its being done, and I want to highlight that it is independent,
being done by a contractor, so that that provides that
independent assurance to the CIO in performing that. But again,
we have not seen the results of that.
Mr. Meehan. Okay. My time has expired.
I now recognize the Ranking Member, the gentlelady from New
York, Ms. Clarke.
Ms. Clarke. Thank you, Mr. Chairman.
Ms. Daly, I just want to get some fundamental facts from
you. If you can just give us a definition of the OIG's role in
the marketplace and exchange and the Federal data hub, what
exactly is OIG's role there?
Ms. Daly. Well, with regard to that, the OIG, as you know
under the Inspector General Act, has certain responsibilities
for fighting waste, fraud, and abuse, and protecting the health
and safety of the you know, people and beneficiaries--the U.S.
taxpayers basically--and all of our citizens.
That is where we emphasize. We don't have a role in the
operation whatsoever. So it is very important that we maintain
our independence in order to provide such an independent
assessment when it is appropriate to do so.
Ms. Clarke. So would you state that your role has not been
fully activated yet just in light of the fact that No. 1, the
data hub is just coming on-line, and the marketplaces are
beginning to emerge now?
Or are you giving oversight to this process and looking or
scrutinizing the process to see whether in fact it is efficient
or effective? Where do you see yourselves right now? What is
the office doing at this particular point in time?
Ms. Daly. Well, at this particular point in time, we have
been, as you know, monitoring the situation because it is
unfolding daily, you know, trying to stay abreast of some of
the prior work that had been done, looking forward and doing
risk assessments on what is the appropriate use of our
resources because our resources are stretched pretty thin.
We have also been and I want to highlight this for the
Members today, you know, coordinating with GAO, with State
auditors, and with other inspector generals because we see that
as critical because this, is as everyone has noted, a huge
enterprise.
Ms. Clarke. So can you tell us about how you have performed
your audit of the hub preparations and testing?
Ms. Daly. Certainly. Our work really followed the generally
accepted Government auditing standards, and to do so, what we
did is we were coordinating with GAO. GAO was in there
reviewing the data hub and certain aspects of the exchanges
through a, you know, a request that they had received.
So we coordinated with them--I am sorry--to ensure that we
didn't duplicate any effort. You know, we have got a lot of the
ground to cover, so we want to make sure that our work is
complementary, not duplicative.
So in that regard, they were doing certain aspects. They
advised that they were not looking at the security over the
hub, so we said, all right, we will look at the security over
the hub.
So we designed a program to ensure that the agents--to be
able to assess whether the agency was in fact following the
NIST standards in that regard.
Ms. Clarke. So why did you, as some suggest, just briefly
note in the audit that you did not have access to the CMS
security documents?
Ms. Daly. Well, Ranking Member Clarke, in our report we
indicated that the agency had not provided us certain documents
at that time. I think one of them specifically was a security
test plan because it wasn't available at that point in time.
Then, you know, of course subsequently, it may have become
available. It wasn't that they refused, it just wasn't
available.
Ms. Clarke. Okay. Is it available now?
Ms. Daly. It could be. I think if we requested--I am pretty
comfortable it has been available now. They have provided us
some updates of data that you know, has subsequently been done
and some of the dates it was done on.
Ms. Clarke. Can you, again, just give us a sense of why you
didn't engage the beta testing on the hub?
Ms. Daly. Well, we didn't engage that part because No. 1,
that is usually towards the end of the project and our work
primarily wrapped up really by the end of June.
We got, you know, a quick update of certain dates before we
published the report, but most of the work was done a bit
earlier and some of that information and certainly any sort of
beta version wasn't available.
The other part would be that that would cover more
functionality issues too, and that was really beyond our scope
because we were, as we understood it, GAO would have been
looking more at the functionality over the hub. We were focused
on the security over the hub.
Ms. Clarke. So is it that to a certain degree, there are
some theoretical aspects to I guess standing up the hub that
makes it somewhat exercise of futility for us to begin the
testing?
Or is it that you are waiting for a certain level of the
operation to be complete before the testing becomes applicable?
I am not clear on that.
Ms. Daly. I appreciate that. The issue is there are certain
aspects of testing that cannot be done until the process is far
enough along; until enough has been built in order to do any
testing.
Now to be clear, part of our audit approach was to look at
the testing that was on-going by the agency as it was being
built because the agency employed a--actually, it is a system
development process called Agile, and it is very popular right
now because you can build things out fairly quickly.
With that though, they are doing continuous testing as it
goes on, but this is by, if you will, development personnel. So
what happens later on then is all independently confirmed, in
accordance with what NIST calls for, and an independent
security assessment that is done after all of the internal
testing is done.
So with that, you know, we said there wasn't any time for
us to go in and do it, and we didn't want to duplicate any
effort that was on-going. Instead, we reviewed the documents
that they had available.
For example, as part of their on-going testing, we looked
at whether they had identified any issues, whether they had
logged those issues in as they should, whether they had
corrective action plans in place, and saw the process that they
were following. So that is the answer to that.
Ms. Clarke. Okay. I am going to yield back, Mr. Chairman.
Thank you for your testimony.
Ms. Daly. Thank you.
Mr. Meehan. I thank the gentlelady.
The Chairman now--we will recognize as we do under the
rules of the committee those Members in order of their
appearance at the time of the gaveling down, and so
appropriately, the Chairman now recognizes Mr. Perry, from
Pennsylvania.
Mr. Perry. Thank you, Mr. Chairman.
Thank you folks for coming to testify. I must tell you that
every single one of you with all due candor, your testimony is
breathtaking in concern for me, and I think most Americans, and
I imagine other Members of the panel.
That having been said, I am not even sure. Maybe Mr. Salo,
you can, I will direct my question to you, but just, I am not
sure who should field this, but, you know, I think Americans
and Members of Congress are concerned about the navigators.
This is a new position for most people and we don't know
exactly what it is going to be like going to a navigator, but
we have heard about some of their training.
It is my understanding that they will receive 20 hours of
training. I just think about that in the context of the
information that these--folks they will be helping us as
consumers decide what insurance is best and how to enroll and
while right now Members of Congress in our offices cannot
advise the public on questions.
We can't do that right now but these folks are going to do
that with 20 hours of training and I just want to alert you to
the fact that in Pennsylvania--I don't know about other
States--but in Pennsylvania, it takes 1,250 hours to become a
barber.
All right, it takes a massage therapist 500 hours, and if
you want to get a driver's license in Pennsylvania, you have to
have 65 hours on the road.
But to navigate insurance for which has been--this thing
has been on-going for a couple of years now and Members of
Congress and the whole Federal Government can't seem to get
information out, these folks are going to be advising us with
20 hours.
So with that, I am wondering, why--it was my understanding
first of all, that it was originally 30 hours. Can you verify,
can anybody verify that, and if so, why was it cut?
Okay, nobody can verify that.
These folks are, I guess, in that 20 hours--can anybody
tell me what training these folks, navigators are going to
perceive regarding the security of personal information?
Okay, so--not that--necessarily that you should be able to
answer those questions. You know, this is going to range from
Social Security numbers to if a woman is pregnant or not.
Various organizations which include these individuals are going
to be contracted to do this.
Let's just pick one. I know it is somewhat inflammatory,
but one would be Planned Parenthood. With the issue of
pregnancy being one of the questions being asked, is there some
safeguard? Is there some safeguard which offers consumers some
kind of recourse?
Let's say that you know, in the information that is
gleaned, the woman is pregnant and then this organization, any
organization uses that information to advertise to this person
their services. Is that appropriate? Is that allowed? What is
the recourse? Can anybody provide any information? Okay.
Let me ask you this. With regard to--and this is to Ms.
Daly. Thank you very much. According to your testimony, you did
not review the functionality of the hub or issues specific to
the Privacy Act, but there is an independent--is it my
understanding, there is an independent contractor that is going
to be doing that or that is doing that currently?
Ms. Daly. That is correct, Congressman. An independent
contractor was supposed to be doing this security assessment
that would cover over all issues related to security.
With that though, that is supposed to have already been
done because it is supposed to be a critical part of the
systems authorization that was just recently provided on
September 6.
Mr. Perry. So if that is done, is that information
available? The outcomes so to speak or the report on that?
Ms. Daly. I don't believe that is generally available to
the public, sir, just because of the sensitivity surrounding
that because it would show what was tested, how the system is
configured, things of that nature.
Mr. Perry. Well, would it--is there some report that will
inform the public and Congress, Members of Congress, the
Federal Government, regarding the efficacy of that testing and
the results? Is this system ready? Is it not?
If it is not, because it is my understanding that the final
testing for some of this stuff happens at the end of this month
and it is supposed to go live the first of the next month, so
we are 20 days away or thereabout, what is the plan or do you
know of a plan if it fails?
Ms. Daly. Well, sir, that is a very good point, and I just
want to clarify that the testing I've been talking about
focused on security aspects of the system, not on the
functionality or efficacy of the system.
So that was beyond our scope, so we didn't focus on that
because as I mentioned earlier, we were coordinating with GAO
and we understood that GAO was going to cover those aspects.
Mr. Perry. But it is my understanding that the private
contractor will be assessing those other milestones so to speak
or efficacy. Is that your understanding or don't you know?
Ms. Daly. I honestly can't speak to that, sir. I am sorry.
Mr. Perry. Can anybody else? One of my--go ahead, Mr.
Astrue.
Mr. Astrue. I will say one thing. Speaking for myself, I
never relied on a contractor to give complete assurance on
these things because I mean, no disrespect to this particular
contractor, but they are in business to keep the Federal
Government contractors happy.
They are not necessarily going to rock the boat. This is
why an independent--this is exactly what Offices of Inspector
General are set up to do is to make independent assessments
about, you know, violations of legal rights, openness to fraud,
these types of things.
I am outraged that you would rely on any--I mean, MITRE is
a terrific corporation, but I would never rely on MITRE, and I
didn't when I was going through dozens of these kinds of
programs at SSA.
Mr. Perry. I have a lot more questions, but I see my time
has expired.
I yield back. Thank you.
Thank you, folks.
Mr. Meehan. I thank the gentleman.
The Chairman now recognizes the gentleman from Nevada, Mr.
Horsford.
Mr. Horsford. Thank you, Mr. Chairman. I thank you for this
session.
I want to start by first asking: There is in fact a private
contractor who is doing this software system development on
income and eligibility verification? Is that correct? Whoever
can answer the question?
Mr. Salo. At both the State and the Federal levels, yes. I
am not the expert at the Federal level; I believe there is one
contractor who is doing it at the Federal level.
At the State, generally, it is one contractor, but there
are a variety of different private entities that have all bid
out with the respective States to do this and to do various
components of it ranging from eligibility and enrollment to
identity-proofing to conductivity with the hub, et cetera.
But yes, these are generally private contractors. To be
honest, I wish that the State experience with IT systems
vendors was as rosy as Mr. Astrue said that they are all in the
business of making them happy. That is not always true for us.
Mr. Parente. But there is only one contractor that has
responsibility for building the Federal data hub.
Mr. Horsford. Now under at least the Health and Human
Services Department, the collection of this type of income and
eligibility data occurs across many programs currently, today,
correct?
Mr. Salo. Yes, that is correct at least with respect to
Medicaid. As I referenced earlier, there are a number of
different crosswalks that Medicaid has to do every single day
for many of the 72 million people who walk in and out of the
door whether that is other Federal or State programs they may
be eligible for; TANF, food stamps. You can sometimes work on a
joint application to make sure that the shared information
works there.
For individuals who are dually-eligible for Medicare and
Medicaid, you are cross-walking information across those two
programs both from a claims system, from a care coordination
perspective, from a program integrity perspective.
You know, Medicaid is the payer of last resort, so we tend
to look for you know, does an individual have coverage from
some other third-party insurance, or even some sort of
settlement from a car crash or something?
So we interface with those systems. Like I said in terms of
citizenship documentation, we do all of that. We do all of that
every day. The program couldn't run if you didn't do all of
those things.
You wouldn't want the program to run if you weren't
accessing across programs to get that kind of information
because if you are doing that without that kind of information,
then you are working blind and that is not the way to go.
Mr. Horsford. So Mr. Salo, you said in your testimony that
it is important that we focus on how to minimize and mitigate
the risks that are inherent in the interconnected parts of
these systems and how they work.
So my question and the question I hear from the majority of
my constituents including the insurance companies, agents,
businesses, they just want this to work, and they want Congress
to stop playing games and to figure out ways to make the law
work better.
This is the same problem that there was under Medicare and
Social Security when they were implemented. It is not going to
be perfect on Day 1. So my question is: What are some specific
recommendations where we can identify the potential risks and
mitigate those risks and what are the steps that we need as
Members of Congress to do to ensure that we are putting those
steps in place?
Mr. Salo. Well, I am sure you will get a lot of input from
other members of the panel, but, you know, I would just say
that I agree, you know, from our members' perspective, we just
want this to work because at the end of the day, it is the
citizen, U.S. citizens, citizens of the State who are impacted
and they don't care whose fault it is. If it goes wrong, they
are going to blame us.
You know, in terms of trying to make it work well for them,
again, I think this type of conversation is and can be very
useful as we raise potential issues. You know, are there, you
know, contingencies that perhaps we haven't thought of, whether
they are security-related or what have you. I think it is
important to get those out in the open so we can think about
those and plan for those.
In terms of concrete recommendations, you know, the
challenge really is, you know, again, we have got States coming
at this from 50 different places and, you know, there has been
a challenge--there is a challenge in trying to build a system
up in terms of time, in terms of money, in terms of bandwidth.
There is a challenge when it comes to the timeliness of
Federal guidance, in terms of, you know, what States can
expect, what States have to go, because this is all being done
with private contractors, you know, you need time to build into
a proposal, into a contract, what exactly they are trying to
build, and if you don't know until the last minute, it is
really hard to sort-of build that out quickly.
So, you know, the extent to which transparency of
information from the Federal perspective comes out in a
quicker, more clear way, that would be helpful. I could go on,
but I don't want to take up too much time.
Mr. Astrue. If I could add for just a few moments.
Transparency, as my colleague has pointed out, is important and
it is also important as the OIG said that these security
documents not be fully public.
I agree with that, but there is a difference in terms of
transparency with you and you need to know whether the system
is secure, whether it is violating privacy, whether it is doing
its job, and you don't know that right now.
If the inspector general defines its job so that those
things aren't relevant areas, you need to go to GAO and you
need to say to them, ``You need to fill the gap where the
inspector general is not fulfilling its responsibilities.'' I
believe that the Senate has started to do that.
Mr. Horsford. Thank you, Mr. Chairman.
Mr. Meehan. Does the gentleman yield back? Oh, okay. I
don't want to assume anything. I am just--okay, thank you.
At this point in time, the Chairman now recognizes the
gentleman, Mr. Rogers.
Mr. Rogers. Thank you, Mr. Chairman.
Ms. Daly, based on your testimony, it seems to me that the
issue isn't when, or if, but when we are going to have a breach
of the data hub or it is going to be leaked or some other
problem.
My question is: Has the IG's office developed standards by
which a breach such as that would have to be reported to you?
Ms. Daly. Well, Congressman Rogers, the NIST also guides
this area in which breaches are reported. There are, you know,
certain ways that information needs to be reported, it has to
be reported within a certain----
Mr. Rogers. So you don't have to come in afterwards and
audit to find out about it, they have to notify you when they
realize there has been a breach or a leak?
Ms. Daly. That is exactly right. They don't notify our
office actually, they notify the CIO's office. That is who is
responsible for managing that.
Mr. Rogers. Are they also required to notify the individual
whose information was leaked or breached?
Ms. Daly. Well, it depends on if a true breach occurs.
First, there is an assessment that is done of it determining
the amount of encryption that might have been over the data,
and if it is a high enough level of encryption, the individual
does not need to be notified.
If there is a certain amount of, you know, risk involved
with it and that is a determination that is made in the CIO's
office, then the individual of course is notified.
Mr. Rogers. What about consequences for the navigators, the
workers or navigators? If we find one of them has intentionally
leaked or breached the security, are there criminal penalties
of that you are aware of built into the law or regulations?
Ms. Daly. Well, unfortunately, sir, I am not in a position
to answer that today.
Mr. Rogers. Anybody else on the panel?
Mr. Astrue. Yes, there should be an array of--it depends on
the nature of the offense, but there should be an array of
Federal and State penalties.
Mr. Rogers. That would already be in existence regardless?
Mr. Astrue. It wouldn't--not to say that it might not help
for Congress to clarify on that, but there would be existing
tools for enforcement if HHS chose to use them.
Mr. Rogers. Great. This question would be for Mr. Salo or
Mr. Astrue.
I have got here a letter signed by 10 State attorneys
general, Alabama as being one of them, to Kathleen Sebelius
last month and among the questions--they asked several
questions they would like clarification on, but among the
questions they ask is--and this, I think about Medicaid when I
think about this since the State is so heavily involved in it
is what is the State's legal liability in this new endeavor if
there is a breach? Do either one of you know?
Mr. Astrue. Well, with the qualification that I gave up my
law license a few years ago, I think generally on these
matters----
Mr. Rogers. Voluntarily?
Mr. Astrue. Yes, I did. I did.
Mr. Rogers. Just joking.
[Laughter.]
Mr. Astrue. No, actually, I was afraid as a head of a
Government agency I was going to get sued individually, people
would go after my bar license, and I decided to give it up.
Mr. Rogers. I am a recovering attorney myself.
Mr. Astrue. Yes. I think as a general matter, this statute,
whatever else you might say about it is a classic example of a
statute that preempts a lot of State laws. In fact, that has
been part of the challenge to the validity of the statute in
the first place.
So I think while I would not want to say that there might
not be some liabilities for States depending on how much
discretion they were using implementing the act, my personal
view would be that most of the activities because they are
being required by the Federal Government would give the State
some immunity from suit.
Mr. Rogers. Well, it just concerns me that 10 State
attorneys general collectively, legally can't discern whether
or not they have that liability and one of the things they ask
in the letter is do they have or do their respective States
have the legal capacity or obligation to add to or supplement
the criteria by which this system is operated to make sure they
don't have legal liability. Do you know if the States will have
that latitude to supplement the security criteria?
Mr. Astrue. I think certainly for some features of the act
they will have ability to do add-ons. I believe it was designed
with, I mean, it is tough to tell from the statute, but it does
appear that to me, that it was designed with that intent, and
certainly to the extent that you are going beyond the Federal
mandate in a discretionary way, it does seem to me that you
would be running some risk of losing the protection of the
Federal preemption.
Mr. Rogers. Great. My time is expired.
Thank you very much, Mr. Chairman, I yield back.
Mr. Meehan. Does the Ranking Member have a request?
Ms. Clarke. Yes, Mr. Chairman. I have a request that the
committee--a request for unanimous consent to have
Congresswoman Sheila Jackson Lee of Texas sit in and make a
comment during our proceedings today.
Mr. Meehan. Without objection, so ordered.
Consistent with the rules of the committee, those Members
of the committee who are present will take precedence over
those who join us.
So I know the gentlelady will yield while we turn to the
former U.S. attorney from Pennsylvania, Mr. Marino, for his
questioning.
Mr. Marino. Thank you, Chairman.
Good afternoon, and thank you, folks, for being here today.
Ms. Daly, you have some tough questions that you answered
and you are between the devil and the deep blue sea here
because of what the AIG technically is supposed to do but based
on the lack of information that you may have.
So my question to you is: How can security authorization be
made without assurances to you as the IG, that the system
itself is secure? Could you explain that to me please?
Ms. Daly. Well, thank you for the question, Congressman
Marino.
As part of the NIST guidelines for developing systems,
rolling them out, what are the best practices agencies should
be following, that is what we have looked at with regards to
security for the data hub.
As part of that process, the agencies are supposed to be
doing some, you know, continuous testing as it is developed
that looks at security and other things too, but our focus was
on security, and then at the end, once they get everything
developed, they are supposed to have an independent security
assessment. That is critical.
Mr. Marino. But your assessment then is based on the
information that you are provided. Correct?
Ms. Daly. That is correct, sir.
Mr. Marino. You are not making any leaps of faith or
conjectures beyond at that point? You are not determining any
what-if's?
Ms. Daly. That is correct, sir. Yes, we basically are
reporting out facts in this case. If we had seen something that
was a significant violation in any way, we certainly would have
reported that and made a recommendation that things be fixed.
Mr. Marino. Based on what you received.
Ms. Daly. Exactly.
Mr. Marino. It is like a computer, whatever you put in is
the only thing you are going to get out of it. So the only
information you get, you based your assessment on what you are
given?
Ms. Daly. That is correct, sir. We compared what the
testing and the system development documents showed compared to
the standards that were in place at that time for that purpose.
Mr. Marino. This is interesting. I got a phone call from a
constituent who works for the State and that person has an
insurance health program paid for in part by the State. So that
person went to the Social Security Office and because he wanted
to get information about Medicare because of the age; 64, 65.
That person asked why I needed to sign up. As that person
explained, ``I already have insurance, I don't need it. It is
being paid for. Why put the taxpayers to an extra cost of now
the Federal Government paying and my employer coming in
second?''
The answer the clerk gave him was that, ``We need this to
track you and to garner information about you.''
Okay, now, I found that kind of odd. He said, ``Well, I
only want to sign up for Part A of this,'' and he again told
her that he had insurance and she told him that he would be
charged the penalty if he signed up later but the Government
needed a system whereby--needed information whereby to track
him so they could have information on him to see if he is
paying for insurance or has insurance.
Can anyone address this for me? Because I am at quandary as
to why.
Mr. Astrue. Mr. Marino, with all due respect to my former
employee, I don't think that that is an accurate description.
My recollection, which is a little soft on the edges is that
there was a policy decision made in the late 1960s to link the
two together in this way.
It has been litigated. I don't think the rationale of HEW
at that time is 100 percent clear. It was litigated fairly
recently and I remember being consulted on that litigation a
couple of times within the administration in 2007, 2008.
I don't remember when the case was decided. I think it was
about 2010, but the decision was that the agency had
appropriately linked those two programs together.
But again, I don't think the rationale for why was ever
particularly--I think it was lost in the midst of time by the
time it got litigated, but I don't think that my former
employee's description is probably accurate.
Mr. Marino. Okay. Mr. Astrue, since we are talking here,
can you give me--I know you can go on for a while here, but I
only actually have--no, actually, I am over my time, but if you
could give us a little synopsis of your opinion of the IG
report; pro and con.
Mr. Astrue. Yes, I am extremely negative. I think that
essentially what happened here is this is not according to GAAP
principles.
Essentially, they went in, said, ``How are you doing?'' And
they said, ``Well, we are running behind, but we are doing
great.'' And they said, ``Can we see all of the relevant
documents?'' And they said, ``No.''
If you go and read through the report carefully, you will
see that the security plan was due on July 15 and there is
nothing in the report that says that it wasn't done on July 15,
and this is an August 2 report.
There must have been a draft at that point and I am just
not used to the idea that the inspector general comes in and
asks for things and you say no. I logged years in the agency
and I can't remember that happening.
So this is a new IG. This is a new IG that is failing in
its duty to the American people to dig into what is happening
and give answers to the Congress and the American people. I
think it is really sad.
Mr. Marino. Thank you. I yield back my over-spent time.
Mr. Meehan. I thank the gentleman, and the Chairman now
recognizes the gentlelady from Texas who we are happy to have
joined us on the panel today for 5 minutes.
Ms. Jackson Lee. I thank the gentleman and the Ranking
Member for their courtesies, and I think I have some pointed 2
or 3 questions and then a brief comment.
I just always believe the importance of oversight and fact-
finding, and I wanted to ask Mr. Astrue, has he engaged our
present inspector general in a one-on-one conversation or
viewed his documents before your testimony was prepared?
Mr. Astrue. No, I have not.
Ms. Jackson Lee. Then I guess the follow-up is you have
first-hand knowledge of what might be some fractures in the
structure of exchanges presently being constructed.
Mr. Astrue. I had first-hand knowledge through, to some
extent, through February of this year, yes.
Ms. Jackson Lee. In what capacity?
Mr. Astrue. As commissioner of Social Security.
Ms. Jackson Lee. Had the infrastructure of the exchanges
begun and to what extent?
Mr. Astrue. They had begun since at that point in time, but
there was a still a great deal of fluidity in it which for me
was the source of considerable concern because the time at that
point was really, in my opinion, already too short to do the
job properly.
Ms. Jackson Lee. But that was an opinion? Wasn't it?
Mr. Astrue. Yes, indeed.
Ms. Jackson Lee. It was February 2013?
Mr. Astrue. I left office on February 13, 2013.
Ms. Jackson Lee. But of this year or last year?
Mr. Astrue. This year.
Ms. Jackson Lee. Yes. So we are now in September.
Mr. Astrue. That is right.
Ms. Jackson Lee. So you are reflecting on the first-hand
knowledge that took you up to February and not much further
than that.
Let's--I thank you for that.
Let me just go to Mr. Salo. National Association of
Medicaid Directors, and I am sorry that I missed the
explanation of that, but let me go right to the crux of where
we are. We all should be concerned about personal information.
However, I think the magnitude of the Affordable Care Act
and its overall impact on health care in America is an enormous
a step forward for saving lives in America.
What would be--do you think we are in the mouth of a whale?
Are we about to be swallowed or are we moving forward with the
appreciation and respect for personal data as you can see it
from your perspective?
Mr. Salo. Oh, I think there has been a very, very long-
standing and very, very serious commitment to personal data on
behalf of Medicaid, on behalf of the Medicaid directors. They
know full well what happens if there is a security breach, and
it something that nobody wants.
There are contingency plans. There is constant work being
done with chief information officers, with the State IGs, with
security experts all the time in Medicaid.
I think the thing to keep in mind about the big picture
here, you know, whether we are talking about being swallowed by
whales or not, is that security and privacy of data is always a
concern, but the thing that has changed is the increasingly
interconnected nature of not just our health care system but
our overall lives in general.
You know, I am not an expert in banking or credit cards or
internet service providers. There are challenges there. The
challenges in health care have changed.
You know, we used to store information in unlocked file
cabinets in the back of somebody's office. Was that secure? No,
it wasn't. So you had to put in place procedures. We have
decided as a society, I think rightfully so, that that is not
where we want to be and what we need for a variety of reasons
is to have much more fluid interconnection of data
electronically; whether it is claims or insurance information
or what have you.
This is a good thing. It does bring with it different
challenges to secure privacy. Not insurmountable ones,
different ones. So we adapt accordingly. So I would just see
what we are looking at here, whether it is dealing with the
Federal hub or what have you, is an outgrowth of that natural
progression of how do we figure out how best to secure this
information in this inevitable changing world.
Ms. Jackson Lee. My time is ending, I just want one simple
question. Is this any reason to stop moving forward on the
Affordable Care Act processes that have been put in place by
the Congress and by Health and Human Services?
Mr. Salo. To the best of my knowledge, we will not have
security breaches----
Ms. Jackson Lee. But this is no reason not to go forward?
Mr. Salo. That is correct.
Ms. Jackson Lee. Thank you.
Let me thank my colleagues and to say that this is an
important hearing, and I also think the issue of affordable
care is crucial and I think that we are where we need to be, we
just need to be particularly more cautious, and I think we can
all work together to do that.
Let me yield back. Thank you so very much.
Mr. Meehan. I thank the gentlelady for taking the time to
join us here today. Let me--I have a few follow-up questions
that I would like to pursue. So I recognize myself again for 5
minutes.
Let me just--Dr. Parente, you made some observations in
your testimony and I don't want to just leave them hanging out
there. You are an expert in dealing with health care databases,
you worked intimately in these in the past. You opined in your
testimony about concerns of not understanding how the system
would work and the potential for fraud. Would you please
elaborate on that?
Mr. Parente. I will even go further and say most of what I
have heard today has not reassured me for several reasons. The
first is I have worked, myself, as an independent verification
and validation contractor for some Federal databases, actually
one in the State of Maryland when Maryland took a step in the
1990s to put together an all-payer database, one of the first
in the Nation.
I worked at the time with the Delmarva Medical Foundation
and where I worked at Project Hope to essentially be that
independent verification and validation contractor and there
was a public report and because the Maryland State legislature
required it.
I personally find it unconscionable that this contractor,
whoever it is, is not at least going to have an executive
summary that actually talks about by efficacy the performance
standards that would be essentially the safeguards that have
been put in for vulnerability tests for the white-hat types of
operations that are supposed to be put into place to make sure
that all potential compromises have been taken into
consideration.
Mr. Meehan. Those would be the kinds of things that the
certifying officer would have to not only look at but review
and rely on. Isn't that right?
Mr. Parente. Absolutely, and when I took that roll-on for
the State of Maryland, it was a 1-year contract. When I entered
and went to look at those databases, worked with other
contractors to look at them at different State sites because
there were several different vendors involved, and that is one
small State, let alone the scale and enormity of what we are
discussing today.
Mr. Meehan. Well, in light of that, and that is one of the
concerns because we talked about the scope and scale of this--
Mr. Astrue, you as well, and again, I know that we are asking
only for your opinion and not the kinds of asking statements of
fact, but I do appreciate once again your testimony touched on
something rather significant and you discussed that there was a
period of time in which you believed that the HHS may have
backed away from its obligations under the Privacy Act and
potentially even in violation of the law. Can you articulate?
Did I get that correctly and would you say what you mean?
Mr. Astrue. Yes, no, and there is a process for this in
both--and the IRS came to the same conclusion at about the same
time--so we both filed. OMB is the arbiter on those cases and
they stalled for a very long time because HHS really didn't
have very much to say on the Privacy Act issues.
So it sat for months and months and months. It was not
resolved at the time that I left and at some point subsequently
I understand they decided that all these issues were under the
routine-use exception, but I think that is a real abuse of
routine use.
You know, whether you believe in the Affordable Care Act or
not, you in the Congress wrote the Privacy Act. You imposed
criminal penalties for violations of the Privacy Act and so
those of us who are in the Executive branch or were in the
Executive branch, we are supposed to be respecting that. I
found the HHS disregard for the Privacy Act to be really
shocking.
Mr. Meehan. Let's pursue that for a second. Again, as a
former prosecutor, I am concerned about this issue of routine
use and, for the record, routine use is, ``a disclosure of a
record, the use of such record for a purpose which is
compatible with the purpose for which it was collected.''
So anything beyond that would be a violation of routine
use. So we are already beginning to collect information that
relies to some database and then there is a broad, broad
expansion of how information originally collected is going to
be utilized. Is that not accurate?
Mr. Astrue. Yes, that is correct.
Mr. Meehan. Okay, so even if there is an interpretation
with regard to that within routine use because it is all part
of a hub and it is used as verification, one of the great
concerns I have has been the derivative use of information that
is being gathered by navigators.
So where we have navigators who are going to be asking
personally identifying information, do we have any checks on
whether or not they will have any other kind of use except for
the sole purpose, the entire sole purpose of facilitating
activities on the exchange?
Mr. Astrue. No, I think that is a fine point. You, Mr.
Chairman, and other Members of the committee earlier pointed
out that these are not even typical Americans. These are
disproportionately disadvantaged Americans in some of our most
vulnerable populations.
To send navigators out with a minimum of training, no
background checks in many instances, that is an invitation for
fraud. I have spent--I have been working on fraud against the
elderly since 1979 off and on in my career, and I just shudder
at the thought of untrained people, unsupervised by, in any
substantial way by HHS, going out with no real monitoring or
accountability systems saying, ``Hi, I am here from the Federal
Government. Let's talk about some of the most intimate choices
you need to do, and you need to apply for this, and by the way,
what is your Social Security number?''
I mean, that is exactly the thing that the inspector
general should be screaming bloody murder about because if that
is not an invitation to widespread fraud against our most
vulnerable people in this country, I don't know what is.
Mr. Meehan. Are you aware of whether or not there is,
within this, the requirement that there be background checks
for any individual who is going to serve as a navigator?
Mr. Astrue. My understanding is that many of these people
are being hired without background checks.
Mr. Meehan. So somebody could be actually convicted of
identity theft and then become a navigator?
Mr. Astrue. I think you need to ask----
Mr. Meehan. Mr. Salo, is that accurate? Are you doing
background checks on anybody that you are familiar with?
Mr. Salo. Navigators aren't actually a Medicaid function so
we are not directly involved in the hiring of them so I can't
speak to whether or not there are adequate background checks or
other securities there.
Mr. Meehan. Mr. Astrue, let me just ask one other question
again because I am trying to create a record because I want to
see what is going to happen at some future time, and the bottom
line is again because we can foresee the potential for
utilization of information that is beyond the scope of even an
interpretation of what would routine use be and we have now
identified.
Now those people who have certified the stability of this
system in light of the recognition that those are potential
things here, willful acts of the privacy, the Federal
Government itself, and I have the case law that supports it.
It is a willful--it is the--imposes liability on the agency
when they violate the Privacy Act by willful or an intentional
matter either by committing the act without grounds for
believing it to be lawful or flagrantly disregarding other's
rights under the Act.
Mr. Astrue. That is exactly right and the issue first came
to my attention, and I know I talked to a Washington Post
reporter last night who was quite sure that everything I said
was horribly political and ideological, but this issue first
came to my attention because my own civil servants who would be
doing this came to me and said, ``I am afraid I am going to be
prosecuted for doing this.''
Mr. Meehan. Wouldn't it be prudent and do you believe that
the standard of responsibility is such that before certifying
it there would be checks to assure that people with criminal
records would not have access to personally identifying
information of individuals who were going to be signed on to
the exchange?
Mr. Astrue. Absolutely. They are going to be asking for
extraordinarily sensitive information in many cases including--
it is just a Social Security number. You know, people can run
wild and destroy someone's life, you know, taking a Social
Security number. It is a big problem in our society.
Mr. Meehan. My time has expired.
I now ask the Ranking Member if she has follow-up
questions.
Ms. Clarke. I do, Mr. Chairman.
I would like to follow up with Mr. Salo. Your testimony
mentions all of the ways in which States and State Medicaid
programs already work with a variety of public and private data
systems. State Medicaid programs already communicate with
Federal agencies to verify citizenship. Isn't that correct?
Mr. Salo. That is correct.
Ms. Clarke. They may communicate with other programs like
TANF and SNAP as well?
Mr. Salo. Correct.
Ms. Clarke. They also communicate with private entities
like private insurance companies, right?
Mr. Salo. Correct.
Ms. Clarke. Is it correct for me to assume that data that
is transmitted is personally identifiable?
Mr. Salo. In many cases, yes it is. Not always, but if it
needs to be, it is.
Ms. Clarke. So State Medicaid programs across the country
have for years exchanged personally identifiable data with
Federal and private data systems. We know that any data system
can be susceptible to a breach, but have State Medicaid
programs experienced any program beyond of those we see in the
data systems of private industry?
Mr. Salo. No.
Ms. Clarke. So could State Medicaid programs function
without this ability to share and retrieve data from other
systems?
Mr. Salo. No, and I don't think we would want it to.
Ms. Clarke. You have described a heavy lift for States, but
also a good partnership with the Federal Government to get this
accomplished. It is my understanding that HHS has made a 90:10
matching rate available for upgrades to States' eligibility and
enrollment systems regardless of whether a State chooses to
expand.
Can you comment on the number of States that have availed
themselves of this funding?
Mr. Salo. Yes, my understanding is that literally every
State has availed itself of that funding. There were certainly
some examples of States that had turned back other specific
funding for, call it early innovator grants, but in terms of
the money that it took and that it is taking to update, to
upgrade, to transform the current Medicaid eligibility systems,
many of which are legacy systems that go back unfortunately to
the 1980s, every State has availed itself of the 90:10 funding.
The question then actually is: Is 90:10 enough? The
question is: Even with that, even if there were enough funding,
is there enough time to make those changes? Is there the
bandwidth within the IT systems vendor community?
You know, I often used to joke that when we look at the
history of Medicaid and systems changes, the number of times
that you got a contract in on time, on budget, and to spec was,
well three times in the history of Medicaid.
[Laughter.]
Mr. Salo. So, a lot of people, I think myself included
would argue you just need to do something very, very different
here. But having said that, in the run-up to October 1, and in
the time soon thereafter, the States and the Feds and the IT
systems vendors have worked double, triple, quadruple overtime
to make this work.
So we do believe the system will be up and running come
October 1. As I said, it will be bumpy. The consumer experience
will not be a smooth and seamless Travelocity, but it will be a
system in place that with workarounds, with, you know, having
contingency plans going back to using paper, going into the
Medicaid office, what have you, insurance and subsidies, and
that will be available, and it is our goal, it is our plan over
the next couple of months to make sure that we improve that as
we go.
Ms. Clarke. I would agree with you. So much of our
information is in the public and private domain that, you know,
I think we need to take a step back and give this an
opportunity to rollout and work with it to make sure that the
American people get the very best access to health insurance
that they possibly can.
I mean, just about every American has had an opportunity to
go on-line and to provide information and you know, we don't
have the most secure, unbreachable IT operations in our own
homes and families.
So to sort of prejudge just how secure this process will
be, will be pretty relative to the security of our IT systems,
Nation-wide, the ones that we use each and every day whether it
is to pay a phone bill, whether it is to purchase something on-
line.
I am concerned that we not create a panic around the
situation but that we give it our best efforts in terms of
providing an opportunity to make this thing work and to work
out the kinks as we go along.
There are going to be kinks. We all know that. There is not
one system that I know of that has been perfect. People have
bought iPhones and they have been, you know, breachable right
out of the box. So, you know, let's not sit here and act as
though we have perfection on our side.
Personal information is critical and its security is
critical to all of us, but at the same time we have managed
given the massive use of IT systems around this Nation to keep
breaches to a minimum given the number of people and
transactions that take place each and every day.
With that, Mr. Chairman, I yield back.
Mr. Meehan. Well I want to thank the gentlelady for
yielding back.
I want to thank each of the witnesses for your testimony
here today. I am grateful and I appreciate, with the exception
of Ms. Daly, each and every one of you effectively don't have
to be here, that you were responsive to our inquiries, and I am
grateful for your taking the time using your professional
expertise to help us better understand a situation in which it
is still my considered opinion that this hearing has
demonstrated by virtue of testimony even more questions about
the readiness.
There has been testimony as said it is not a question that
this needs to be a stepping-off point to prevent a system from
being put in place, but is it ready to go today?
At a certain point, is it so clear that it is not ready
that the requirements that are continuing to push this forward
at a certain point start to become perhaps not even just
negligent, but otherwise. Great concern to me.
Once again, I want to thank each of the panelists for their
valuable testimony.
Well, I am not getting ready to close because the Member
from Pennsylvania has one final question.
Mr. Marino. Thank you. I refer to my prosecutorial
background as the Chairman does. We were U.S. attorneys
together, but I want to bring up two points if I may.
Mr. Astrue, you were questioned about when you left the
agency, and I think it was pointed out that you hadn't been
there in, what would it be now, 9 months or 8 months. How long
were you with the agency before that?
Mr. Astrue. Six years and a day.
Mr. Marino. You based your opinion on your experience over
that 6-year period and what you had gleaned even before that in
your career.
Mr. Astrue. Sure, and since that time, I have tried to keep
up on the issue. I don't call into the agency, but people
retire, you talk to people----
Mr. Marino. Well, we do call into the agency and ask
because we get calls from our constituents, ``What do I do
about this?'' ``What do I do about that?''
Since last year up until September, and I get the same
answers now in September that I did last year and in January
and February of this year is ``We don't know.'' So given the
fact that there have been waivers, delays, I don't think much
has changed over the last 1.5 to 2 years.
In conclusion, ma'am, could you please tell me, did you
ever have a point when you were doing these investigations
concerning security that you thought maybe a statement should
have been made to HHS, Health and Human Services, HHS
concerning I don't have enough data to form an opinion as to
what the security is going to be or not be?
Ms. Daly. Well, Congressman, I want to focus--initially, on
the scope of our work, the scope of our work really wasn't to
provide an opinion. We were actually going out there to do just
an audit over that. We were provided the data that we had
requested if it was, even had been created.
That is one of the challenges. I have done a number of
system development jobs over my career of a variety of systems
and it is always a challenge when you are doing this because
you are doing something that doesn't exist yet and so that
makes it more challenging to get all of the information----
Mr. Marino. Good point. I mean, did you ever raise that?
These things do not exist yet, so how can we form a conclusion,
a factual conclusion?
Ms. Daly. Well, that is exactly right. So in those cases,
that is why we reported that the information wasn't available
and when they expected to have it available. That is clearly
what was in our report.
If you could beg me an indulgence, I would like to say that
I think our office of inspector general is one of the most
highly-respected in the accountability community and that we do
a tremendous job for the American citizen and taxpayer.
Our office returned $6.9 billion in expected recoveries
last year along with over 1,100 civil and criminal actions, and
I think our record speaks for itself. Thank you.
Mr. Marino. We rely on you.
Ms. Daly. Thank you. Thank you.
Mr. Marino. We rely on you.
Again, thank you so much.
Chairman, thank you so much for indulging me.
Mr. Meehan. Thank you.
Ms. Daly, I do thank you for your service.
I thank each of the panelists. The Members of the committee
may have some additional questions for the witnesses, and if
they are directed to you I would ask that if you can, you would
respond in writing.
So without objection, the committee, the subcommittee now
stands adjourned.
[Whereupon, at 4:32 p.m., the subcommittee was adjourned.]
�