(Reuters) - The federal government is months behind in testing data security for the main pillar of Obamacare: allowing Americans to buy health insurance on state exchanges due to open by October 1| Is that a bug or a feature? |
As a result, experts say, the exchanges might open with security flaws or, possibly but less likely, be delayed.
"They've removed their margin for error," said Deven McGraw, director of the health privacy project at the non-profit Center for Democracy & Technology. "There is huge pressure to get (the exchanges) up and running on time, but if there is a security incident they are done. It would be a complete disaster from a PR viewpoint."
The most likely serious security breach would be identity theft, in which a hacker steals the social security numbers and other information people provide when signing up for insurance.
| But a beneficial side effect is that it allows political snoops to check out your medical condition whenever they want in case they want to use that against you. Just ask Joe the Plumber... |
A test was to have been performed between June 3 and 7. But the delivery deadline slipped and the test - assessing firewalls and other security elements - is now set for this week and next.
"CMS," concludes the inspector general's report, "is working with very tight deadlines."
| What are they using, Windows ME? |
"Several critical tasks remain to be completed in a short period of time," the report concluded.
Any additional delays could mean CMS would not have the information it needs to authorize use of the system by October 1, the inspector general found.
CMS spokesman Brian Cook said the agency is confident the Obamacare exchanges will open on time. "We are on schedule and will be ready for the marketplaces to open on October 1," he said.
| Brian is practicing keeping his lips on when he says stuff like that. When he gets it right he'll go to work for Hillary... |
The hub is like a traffic circle for data. It does not itself store information, but instead has digital spokes connecting to the Internal Revenue Service and other agencies that will allow it to verify information people provide. Opponents of Obamacare have repeatedly raised concerns that sensitive personal information could be stolen.
| Not 'stolen', just 'borrowed'... |
The first component of the package provides an overview of the system's security requirements and describes the controls the contractor has installed. It covers access controls and authentication, for instance, so that hackers cannot ping the hub and access IRS data.
A second component is a risk assessment that identifies vulnerabilities and determines the probability of a data breach.
The final component is an assessment by an independent testing organization that proper security controls have been implemented correctly, are operating as intended, and are meeting security requirements.
"CMS has extensive experience building and operating information technology systems that handle sensitive data" as a result of its experience with Medicare and Medicaid, the agency said in a statement.
Despite the tight IT deadlines Obamacare faces, the 2002 federal law on information security might provide an important loophole. The requirement that CMS's chief information officer make a "security authorization" decision does not mean the CIO has to conclude that the data hub is impregnable. He can decide that, despite identified security risks, the hub can operate.
| After all, it's only a "small risk"... |
| All is proceeding as has been foretold. |