The Office of Inspector General (OIG) recently reviewed the Centers for Medicare & Medicaid Services’ (CMS) implementation of the Data Services Hub (Hub) and found that missed security testing deadlines for the Hub may increase the risk to enrolled patients’ data. Patient enrollment was set to begin on Oct. 1, 2013, and the OIG offered observations on the Hub’s security controls, security testing and coordination.
CMS had originally planned to conduct a Security Control Assessment (SCA) of the Hub, which is intended to support the health insurance exchanges, on May 13, but that timeline has slipped considerably. After the assessment was delayed to June 3-7, the due date for the SCA test plan was moved to July 15, and the SCA itself is now slated to take place between August 5 and 16.
The OIG broke down CMS’s security responsibilities, including the National Institute of Standards and Technology (NIST) standards and guidance that require a system security plan (SSP), an information security risk assessment (RA) and a security control assessment (SCA) report. The issue at hand isn’t so much what CMS has done to this point; it’s the organization’s timing, which has a domino effect on whether the system will be ready and secure by Oct. 1. The SSP, RA and SCA documents must be completed before the authorizing official can make the security authorization decision. (The authorizing official may, however, grant the security authorization knowing that some risks have not been fully addressed at the time of the authorization.)
CMS has already incorporated the elements required for adequate security into the draft Hub SSP, which provides an overview of the security requirements of the system and describes the controls in place or planned (e.g., access controls, identification and authentication) for meeting those requirements. The OIG said that the information security Hub RA was being drafted by CMS during its fieldwork and the CMS contractor did not expect to provide finalized security documents, including the SSP and RA, to CMS for its review until July 15, 2013.
Because the documents were still drafts, we could not assess CMS’s efforts to identify security controls and system risks for the Hub and implement safeguards and controls to mitigate identified risks. According to CMS’s current timeline, the security authorization decision by the authorizing official, the CMS Chief Information Officer (CIO), is expected on September 30, 2013; the March 2013 schedule reported the date as September 4, 2013. If there are additional delays in completing the security authorization package, the CMS CIO may not have a full assessment of system risks and security controls needed for the security authorization decision by the initial opening enrollment period expected to begin on October 1, 2013.
Tentative timeline
CMS told the OIG that the SCA was pushed back so that performance stress testing of the Hub could be finished before the SCA and any vulnerabilities identified during the stress testing could be remediated first. Otherwise, CMS would have had to perform an additional SCA after the remediation was complete.
CMS will have three weeks between receipt of the SCA test plan and the start of the SCA to request changes to the plan and for the independent testing organization to adjust it. According to the OIG, CMS must ensure that all devices in the Hub environment, including all firewalls and servers, are analyzed during the SCA. In addition, the draft report with the results of the SCA is not due from the contractor performing the SCA until September 9, 2013, and the final report is not due until September 20, 2013.
We could not assess planned testing or whether vulnerabilities identified by the testing would be mitigated because the SCA test plan had not been provided and the SCA had not been completed at the time of our review. If there are additional delays in completing the SCA test plan and performing the SCA, the authorizing official may not have the full assessment of implemented security controls needed for the security authorization decision by the initial opening enrollment period expected to begin on October 1, 2013.
CMS is clearly working within a very small window of time, and the concern is that the CMS CIO may have limited information on the security risks and controls when granting the security authorization for the Hub. CMS, however, stated that it is confident the Hub will be operationally secure and that it will have a security authorization in place before Oct. 1.
Medicare spokesman Brian Cook told the Washington Post in an email, “We are on schedule and will be ready for the Marketplaces to open on October 1. This study was conducted in May, and we have made significant progress in the three months since then. CMS has extensive experience building and operating information technology systems that handle sensitive data. This experience comes from many years administering the Medicare, Medicaid, and CHIP programs.”