The hub to retrieve and exchange information for the upcoming health care exchanges is a prime target for cyber-attacks and raises significant privacy concerns, said Republican lawmakers and panelists at a hearing Wednesday.
“A database that is the core of one of the central expenditures of American resources can certainly foreseeably be a target” for cyber-attacks, said Rep. Patrick Meehan, R-Pa., chairman of the subcommittee on cybersecurity, which held the hearing.
Pointing to delayed timelines, inadequate oversight and potential privacy violations, witnesses called on Congress to delay the data hub’s release. Defenders of the hub countered that while several internal deadlines had been moved back over the summer, the data exchange system had actually received security authorization Sept. 6 — weeks ahead of the Sept. 30 deadline — meaning it meets privacy standards set by the National Institute of Standards and Technology.
That argument was not enough to satisfy the information system’s critics.
“This isn’t a political point, and isn’t meant to impinge upon anyone’s motives inside [Health and Human Services],” said Dr. Stephen Parente, director of the Medical Industry Leadership Institute at the Carlson School of Management at the University of Minnesota. “The fact that only a handful of individuals know truly how this will operate may preserve some security.”
Health care exchanges, online marketplaces where individuals can purchase health care plans, are set to go live on New Year’s Day. Enrollment is supposed to open Oct. 1, but several states have faced challenges, both technical and political, in meeting those deadlines.
The data hub is intended to support those exchanges “by providing a single point where exchanges may access data from different sources, primarily federal agencies,” said Kay Daly, assistant inspector general for audit services at HHS. Some of the information accessed might include Social Security numbers, household income levels and federal subsidy eligibility.
But witnesses and lawmakers said HHS had been opaque about exactly how the hub would do this. How could citizens be sure their identity was being protected from fraud, or that the hub wasn’t storing their information? Meehan said the data would be stored “up to 10 years.”
Daly denied the charge: “The hub does not store data,” she said. “Rather, it acts as a conduit for exchanges to access the data from where they are originally stored.”
Parente said confusion could be alleviated with the release of more information.
“Greater transparency is needed, as well as a frank acknowledgement that the [Affordable Care Act’s] posted deadlines should take second place to reasonable data concerns,” he said. “Failure to build a secure hub could bring significant damage to the security of federal data systems.”