- The Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) requested emergency review in this week’s Federal Register of its proposed rule that state health insurance exchanges report data breaches within one hour of learning about the breach.
CMS sent the request to the Office of Management and Budget (OMB) and it wants OMB to approve the proposal by Sept. 25, with a 180-day approval period after that date. CMS said it was requesting an emergency review under 5 CFR Part 1320(a)(2)(i) because public harm is “reasonably likely to result” if the normal clearance procedures for these exchanges are followed.
The approval of this data collection process, according to CMS, is essential to ensuring that Information Security (IS) incidents, which also include Personally Identifiable Information (PII) and Protected Health Information (PHI), are captured within the specified timeframe. Without deviation in process, a “significant number of incidents will not be detected” and harm and potential risk to the public’s identity with identity fraud would result. State-Based Administering Entities (AEs) are state entities administering Insurance Affordability Programs that are supposed to use the data, accessed through the CMS Data Services Hub (Hub), to make Eligibility Determinations for Insurance Affordability Programs and certificates of exemption.
AEs shall report suspected or confirmed incidents affecting loss or suspected loss of PII within one hour of discovery to their designated Center for Consumer Information and Insurance Oversight State Officer who will then notify the affected Federal agency data sources, i.e., Internal Revenue Service, Department of Defense, Department of Homeland Security, Social Security Administration, Peace Corps, Office of Personnel Management and Veterans Health Administration. Additionally, AEs shall contact the office of the appropriate Special Agent-in-Charge, Treasury Inspector General for Tax Administration (TIGTA), and the IRS Office of Safeguards within 24 hours of discovery of any potential breach, loss, or misuse of Return Information.
While CMS clearly believes this is a pressing matter that needs to be addressed right away, but there are some security experts out there who believe this is far too little time allowed to properly report a breach.
“The investigation of any type of reported incident or possible breach takes time,” independent security consultant Tom Walsh told govinfosecurity.com. “Those responding to the incident must be careful not to accidentally alter or destroy forensic data. The simple act of rebooting a computer could alter the audit trail and the investigation. Heck, it could easily take an hour just to assemble a knowledgeable incident response team.”