Health Exchange Data Hub Raises Security, Privacy Concerns, Members Say
Members of Congress questioned along partisan lines the security and privacy implications of the data exchange hub required under the Affordable Care Act (ACA). Their questions in a Wednesday hearing of the House Homeland Security Cybersecurity Subcommittee continued after our deadline. Republican members said they are concerned the hub could open Americans to attacks on personally identifiable information like Social Security numbers and financial data, noting that the ACA exchanges are set to open Oct. 1. Democrats said the Department of Health and Human Services (HHS) had taken pains to develop a secure hub, pointing to a security authorization the data exchange hub got last week.
Subcommittee Chairman Patrick Meehan, R-Pa., said he has “grave concerns” about the data exchange hub, from a cybersecurity standpoint: “A database that is the core of one of the central expenditures of American resources can certainly foreseeably be a target” for cyberattack. He said he had significant questions about the hub’s preparation and readiness for a sophisticated attack. Meehan held a hearing on the subject in July, at which the HHS inspector general testified that several internal deadlines had been moved back, Meehan said.
The Centers for Medicare and Medicaid Services (CMS) told Congress in a letter Wednesday it has, ahead of schedule, completed testing of and received security authorization for the data hub, said Homeland Security Committee Ranking Member Bennie Thompson, D-Miss., who received the letter. “This will give confidence to those shopping for healthcare starting October 1st that the government will ensure their privacy,” Thompson said in a written statement. “The alarms about security and privacy expressed by my colleagues on the other side of the aisle appear to be misplaced and political.” Under National Institute of Standards and Technology standards, every federal information system must obtain a security authorization and undergo a security control assessment report, said Kay Daly, assistant inspector general for audit services at HHS, at the hearing. Though that report and authorization were expected by Sept. 30, HHS obtained the authorization for the hub on Sept. 6, Daly confirmed. Daly said the OIG had not independently verified CMS’s progress since its audit earlier this year.
“CMS is taking steps to ensure that there are adequate security measures for the hub in compliance with NIST guidelines,” Daly said. She said the HHS OIG had worked with the Government Accountability Office, state auditors and state inspectors general throughout the program to verify the security of the program throughout its development. If a breach occurs, the HHS chief information officer would be notified, Daly said. If there’s encryption on the data breached, the individuals whose data has been breached would not be notified, she said in response to a question from Rep. Mike D. Rogers, R-Ala. But if there were determined to be a risk to those individuals, they would “of course” be notified, Daly said.
“We must be prepared for a turbulent takeoff,” said Matt Salo, executive director of the National Association for Medicaid Directors, in testimony at the hearing. “In many instances, the consumer experience will not be immediately smooth. … However, it’s also reasonable to expect that the experience can and will improve over time,” he said. He said credit card agencies and financial institutions have all experienced breaches of their data. “It is unrealistic to expect that these things can be prevented entirely; it is more important that we focus on how to minimize and mitigate the risks that are inherent in an interconnected society.” He said those involved in the program have paid special attention to the security and privacy of data in setting up the exchange, in response to a question from Rep. Sheila Jackson Lee, D-Texas. “The security and privacy of data is always a concern,” he said. Connecting all data “is a good thing. It does bring with it different challenges for security and privacy, but not insurmountable ones,” he said.
Several witnesses agreed the implementation of the hub, and therefore the exchanges, should be delayed to allow for more review of the security of the hub. “Whether or not you support an individual mandate, you can embrace the principle that no one should be forced to sacrifice privacy in order to comply with that mandate,” said former Social Security Commissioner Michael Astrue. Stephen Parente, director of the Medical Industry Leadership Institute at the Carlson School of Management at the University of Minnesota, said HHS was working to solve a complex puzzle, but tight deadlines should be less important than privacy concerns. “Greater transparency is needed, as well as a frank acknowledgement that the ACA’s posted deadlines should take second place to reasonable data concerns,” he said. “Failure to build a secure hub could bring significant damage to the security of federal data systems.”
Members also disagreed whether the hub would store data or whether it would simply connect various agencies to access separate databases of Social Security numbers, household income levels or eligibility for federal subsidies. Meehan said the data will be “stored in the system of record for up to 10 years,” while Thompson reiterated previous statements that “the hub does not store personal information but simply verifies it through secure connections with appropriate government entities.” -- Erin Mershon (emershon@warren-news.com)