Department of Health and Human Services (HHS) Secretary Kathleen Sebelius recently requested that Centers for Medicare and Medicaid Services (CMS) Administrator Marilyn Tavenner bring in a CMS chief risk officer to help address HealthCare.gov security issues. This was an acknowledgement that there were some loose ends that needed to be tied up and that the government would address the site’s risk-based problems. However, House Republicans are still targeting the site’s security as a key issue to address in 2014, saying that it will be susceptible to data breaches.
Though the House GOP’s political motivations are clear, as it’s trying to find as many reasons as possible to do away with the Affordable Care Act (ACA), there are undeniably technical security concerns on HealthCare.gov because of the fast-tracked security testing. Back in August, the Office of Inspector General (OIG) reviewed CMS’s implementation of the Data Services Hub and found that it had missed security testing deadlines. HealthCare.gov has passed security testing since, but Republicans still believe that the site is putting patient data at risk.
Because the site’s privacy and security aren’t governed by HIPAA or HITECH, the questions, according to talkingpointsmemo.com, should be whether there is currently a true “risk of harm” for patients enrolling in the state health insurance exchanges, whether patients should be notified, and what CMS is doing to resolve patient apprehension. The GOP maintains that, while there haven’t been any successful attacks on HealthCare.gov, patients have no reason to be confident that their data is secure. House Republican Leader Eric Cantor sent out a memo last week saying he plans to schedule legislation on the issue this week.
“The privacy and security of consumers’ personal information are a top priority for us. When consumers fill out their online Marketplace applications, they can trust that the information that they are providing is protected by stringent security standards. To date, there have been no successful security attacks on Healthcare.gov and no person or group has maliciously accessed personally identifiable information from the site,” said CMS spokesman Aaron Albright, according to talkingpointsmemo.com. “Security testing is conducted on an ongoing basis using industry best practices to appropriately safeguard consumers’ personal information. The security of the system is also monitored by sensors and other tools to deter and prevent any unauthorized access. The components of the HealthCare.gov website that are operational have been determined to be compliant with the Federal Information Security Management Act (FISMA), based on standards promulgated by the National Institutes of Standards and Technology (NIST) and promulgated through the Office of Management and Budget (OMB).”
The ACA’s major coverage benefits through the state exchanges and Medicaid expansion took effect on January 1.