Cover Oregon inadequate security testing questioned

computer-womanAs part of its ongoing oversight efforts into problems associated with the President’s healthcare law, leaders on the House Oversight and Government Reform Committee this week sent letters to the governors of 10 states including Oregon and the mayor of the District of Columbia expressing concerns about inadequate security testing prior to the state exchanges connecting to ObamaCare’s federal data hub.

“Due to the decision of the Obama Administration to launch the exchanges on October 1, 2013, before states could properly test their systems and government security experts could properly review security documentation and address known problems, the personal information of millions of Americans who have sought to obtain coverage through the exchanges was put at risk ,” the letters, sent Tuesday and signed by Chairman Darrell Issa, R-Calif., Subcommittee Chairman James Lankford, R-Okla., and Subcommittee Chairman Jim Jordan, R-Ohio., state. “We write to provide you with information pertinent to the citizens of your state as well as to request your assistance with the Committee’s ongoing oversight.”

“State exchanges and Medicaid systems needed authority to connect (ATC) agreements from CMS in order to connect to the federal data services hub,” the letter continues. According to security risk assessment reviews, the Chief Information Security Officer (CISO) at CMS “deemed 35 state systems as a high risk and an additional ten state systems as a moderate risk of connecting to the data hub.” However, despite the “negative assessments that generally revealed incomplete documentation and inadequate security testing, CMS allowed most of these states to connect to the federal data hub on October 1, 2013.

A few days prior to October 1, 2013, Ryan Brewer, CMS’s CISO from 2009 through 2011 and currently an advisor to CMS on information security matters, offered the following assessment to current CMS CISO Teresa Fryer: “Allowing these states to connect to the Hub and FFM [Federally Facilitated Marketplace] without the appropriate review of their documentation introduces an unknown amount of risk to the Hub and FFM.  This in turn puts the PII of potentially millions of users at risk of identity theft and fraud to the CMS marketplace healthcare subsidy program.”

The letters request documents and communications, as well as any audits or readiness assessments, related to the state exchanges or federal data hub.

The letters were sent to the following states: