Deputy Chief Information Officer &
Deputy Director, Office of Information Services
Centers for Medicare & Medicaid Services
U.S. Department of Health and Human Services (HHS)
Security of Healthcare.Gov
Committee on Energy & Commerce
Subcommittee on Oversight & Investigations
United States House of Representatives
Tuesday, November 19, 2013
Good morning, Chairman Murphy, Ranking Member DeGette, and members of the Subcommittee. Since the passage of the Affordable Care Act, the Centers for Medicare & Medicaid Services (CMS), in partnership with private sector contractors, has been hard at work to design, build, and test secure systems that ensure Americans are able to enroll in affordable health care coverage. I serve as CMS’s Deputy Chief Information Officer (CIO), and I am a career civil servant. As Deputy CIO, my role has been to guide the technical aspects of Marketplace development and implementation in accordance with all applicable laws, regulations, and agreements. While consumers using HealthCare.gov have been frustrated in these initial weeks after the site’s October 1, 2013 launch, CMS is working around the clock to address problems so that the site works smoothly for the vast majority of users by the end of this month.
Overview of Marketplace Information Technology (IT)
The Affordable Care Act directs states to establish State-based Marketplaces by January 1, 2014. In states electing not to establish and operate such a Marketplace, the Affordable Care Act requires the Federal Government to establish and operate a Marketplace in the state, referred to as a Federally-facilitated Marketplace. The Marketplace provides consumers access to health care coverage through private, qualified health plans, and consumers seeking financial assistance may qualify for insurance affordability programs like Medicaid, the Children's Health Insurance Program (CHIP), or the advance payment of the premium tax credits and cost-sharing reductions that can lower consumers’ upfront and out-of-pocket costs.
Marketplace IT System Functions
To fulfill the functions specified in the Affordable Care Act, Federally-facilitated and State-based Marketplaces developed eligibility and enrollment, redetermination, and appeals systems. In many ways, these systems are similar to what private issuers, Medicare Advantage issuers, and State Medicaid agencies currently use to determine eligibility, enroll applicants into health coverage, process appeals, and perform customer service, as well as prevent fraud, waste, and abuse.
- Determine a consumer’s eligibility to enroll in a qualified health plan through the Marketplace and for insurance affordability programs;
- Transmit consumer information to state Medicaid/CHIP agencies or the private, qualified health plan issuer they have chosen;
- Redetermine consumer eligibility status during the year, as needed; and
- Allow individuals to appeal an eligibility determination.
Privacy, Security, and Integrity Controls for the Marketplace IT Systems
A key feature of the Marketplace IT systems is that they employ stringent privacy and security controls to safeguard consumer data. CMS developed the data services Hub and Federally-facilitated Marketplace eligibility and enrollment system consistent with Federal statutes, guidelines and industry standards that ensure the security, privacy, and integrity of systems and the data that flows through them. All of CMS’ IT systems—including Federal Marketplace systems of records and systems used to support State-based Marketplaces and Medicaid/CHIP agencies—are subject to the Privacy Act of 1974, the Computer Security Act of 1987, and the Federal Information Security Management Act of 2002 (FISMA). These systems must also comply with various rules, regulations, and standards promulgated by the Department of Health and Human Services (HHS), the Office of Management and Budget, the Department of Homeland Security, and the National Institute of Standards and Technology (NIST).
Key Marketplace IT Functions
To facilitate the back-end online eligibility and enrollment, redetermination, and appeals functions consumers access through HealthCare.gov, CMS developed two key tools, in partnership with private sector contractors. CMS contracted with QSSI to build the Hub, which provides an electronic connection between the eligibility systems of the Marketplace and State Medicaid and CHIP agencies to already existing, secure Federal and state databases to verify the information consumers provide in their applications for coverage. In addition, CMS contracted with CGI Federal to build the Federally-facilitated Marketplace eligibility and enrollment system, which consumers use to create an account on HealthCare.gov, verify their identity, fill out an electronic application to determine their eligibility for health care coverage through private, qualified health plans, Medicaid, CHIP or other insurance affordability programs, choose a health insurance plan and ultimately enroll in health coverage.
The Data Services Hub
CMS designed the Hub, a routing tool that helps the Marketplace and State Medicaid and CHIP agencies provide accurate and timely eligibility determinations. The Hub verifies data against information contained in already existing, secure and trusted Federal databases. CMS has security and privacy agreements with all Federal agencies and states connecting to the Hub. These include the Social Security Administration, the Internal Revenue Service, the Department of Homeland Security, the Department of Veterans Affairs, Medicare, TRICARE, the Peace Corps and the Office of Personnel Management. The Hub increases efficiency and security by eliminating the need for each Marketplace, Medicaid agency, and CHIP agency to set up separate data connections to each database. Risk increases when the number of connections to a data source increases—which is why CMS has designed the Hub to minimize these risks. The Hub provides one highly secured connection among trusted Federal and state databases instead of requiring each agency to set up what could have amounted to hundreds of independently established connections. Further, the Hub is not a database; it does not retain or store information. It is a routing tool that can validate applicant information from various trusted Government databases through secure networks.
Every Federal IT system must comply with rigorous standards before the system is allowed to operate. The Hub’s independent Security Controls Assessment was completed on August 23, 2013 and it received an authorization to operate on September 6, 2013. This authorization confirms that the Hub complies with Federal standards and that CMS implemented the appropriate procedures and safeguards necessary for the Hub to operate securely.
The Hub and the Federally-facilitated Marketplace eligibility and enrollment system have several layers of protection in place to mitigate information security risk. For example, these Marketplace IT systems will employ a continuous monitoring model that will utilize sensors and active event monitoring to quickly identify and take action against irregular behavior and unauthorized system changes that could indicate a potential incident. If a security incident occurs, an Incident Response capability would be activated, which allows for the tracking, investigation, and reporting of incidents. This allows CMS to quickly identify security incidents and ensure that the relevant law enforcement authorities, such as the HHS Office of Inspector General Cyber Crimes Unit, are notified for purposes of possible criminal investigation. As with all systems, the responsibility to safeguard information is an ongoing process, and CMS will remain vigilant throughout operations to anticipate and protect against data security concerns. The Marketplace IT monitoring program will continually be reviewed for effectiveness of the IT’s security controls, through methods that include independent penetration testing, automated vulnerability scans, system configuration monitoring, and active web application scanning.
The Federally-Facilitated Marketplace Eligibility and Enrollment System
As described above, the Affordable Care Act directs states to establish State-based Marketplaces by January 1, 2014. In states electing not to establish and operate such a Marketplace, the Affordable Care Act requires the Federal Government to establish and operate a Marketplace for the state, referred to as a Federally-facilitated Marketplace. CMS contracted with CGI Federal to build the Federally-facilitated Marketplace system, including the eligibility and enrollment system. This system lets consumers establish a HealthCare.gov account that they can return to at any point in the application process, and the system connects to the Hub to validate the information consumers submit. Once consumer information is verified, the eligibility and enrollment system forwards consumer applications to an eligibility tool to determine the consumer’s eligibility for Medicaid, CHIP, or tax subsidies. For those consumers eligible for tax subsidies, it then allows consumers to compare qualified health plans and start to enroll in the plan of their choosing, transferring the consumer’s information to the issuer to complete the enrollment process.
Separate from the Federally-facilitated Marketplace eligibility and enrollment system on HealthCare.gov is a premium estimation tool, launched on October 10, 2013, that allows consumers to browse health plans without creating a HealthCare.gov account. While the tool could only sort consumers into two age categories when it was first launched, its functionality will be expanded to accommodate additional scenarios to better fit consumer shopping profiles. This tool is different from the Federally-facilitated Marketplace application because determinations about consumers’ eligibility for insurance affordability programs, Medicaid, and CHIP are specific to the characteristics of an applicant and his or her household and can only be calculated when an application is completed—after income, citizenship, and other information is verified.
The Federally-facilitated Marketplace eligibility and enrollment system consists of numerous modules. Each module of this system was tested for functionality. Each interface with our business partners and other Federal agencies was also tested. Numerous test cases were used to exercise the end-to-end functionality of the system. Given the user experience, we know now that we underestimated the volume of users who would attempt to log onto the system at the same time, and therefore our testing did not include performance testing at the volume we experienced at launch.
On September 27, 2013, CMS granted authority for the Federally-facilitated Marketplace eligibility and enrollment system to begin operations, with authority to operate for six months. Consistent with security practices as required by FISMA and NIST, CMS identified a number of strategies that we are deploying to continue to monitor operations and mitigate any potential risk, including through regular additional testing. The authorization to operate the Federally-facilitated Marketplace eligibility and enrollment system is consistent with NIST guidance. FISMA and the NIST Risk Management framework permit agencies to authorize an “authority to operate” when there is a risk-mitigation strategy in place. To follow through on the risk mitigation strategy identified in the authorization to operate the Federally-facilitated Marketplace eligibility and enrollment system, we continue to conduct security testing on an ongoing basis as we add new IT functionality.
Improvements to the Federally-facilitated Marketplace Eligibility and Enrollment System
While the Hub is working as intended, after the launch of the Federally-facilitated Marketplace eligibility and enrollment system, numerous unanticipated technical problems surfaced which have prevented some consumers from moving through the account creation, application, eligibility, and enrollment processes in a smooth, seamless manner. Some of those problems have been resolved, and the site is functioning much better than it did initially. We are committed to fixing these problems so that the experience using the Federally-facilitated eligibility and enrollment system improves for the vast majority of consumers by the end of November 2013.
To ensure that we make swift progress, and that the consumer experience continues to improve, our team called in additional help to solve some of the more complex technical issues we are encountering. We brought on board management expert and former CEO and Chairman of two publicly‑traded companies, Jeff Zients, to work in close cooperation with our team to provide management advice and counsel to the project. We have also enlisted the help of QSSI to serve as a general contractor for the project. They are familiar with the complexity of the system, and the work they provided—the Hub—is working well and performing as it should. They are working with CMS leadership and contractors to prioritize the needed fixes and make sure they get done.
A number of fixes have already been completed. One place where we have seen a lot of consumer frustration is in the ability to successfully create an account. This issue is something that we identified on October 1, and we have made significant progress since then to deliver a much smoother process for consumers. Users can now successfully create an account and continue through the full application and enrollment process. We are now able to process nearly 17,000 registrants per hour, or 5 per second, with almost no errors.
The tech team put into place enhanced monitoring tools for HealthCare.gov, enabling us to get a high level picture of the Federally-facilitated Marketplace eligibility and enrollment system. Thanks to this work, we are now better able to see how quickly pages are responding, and to measure how changes improve user experience on the site.
We reconfigured various system components to improve site responsiveness. This has increased performance across the site, but in particular the viewing and filtering of health plans during the online shopping process now responds in just seconds. It was taking minutes. We have also resolved issues with how the eligibility notices are presented to consumers. They now display properly at the completion of the application process.
Other fixes include software configuration changes and optimization that have increased the efficiency of system interactions. We also added capacity by doubling the number of servers and have replaced the virtual database with a high-capacity physical one. This allowed us to be more efficient and effective in our processing time and significantly reduced the account registration failures. While significant work remains, these changes are already making the shopping process easier for consumers.
CMS is committed to creating safe, secure, and resilient IT systems that help expand access to the quality, affordable health coverage every American needs. We are encouraged that the Hub is working as intended, and that the framework for a better-functioning Federally-facilitated Marketplace eligibility and enrollment system is in place. By enlisting additional technical help, aggressively monitoring for errors, testing to prevent new issues from cropping up, and regularly deploying fixes to the site, we have already made significant improvements to the performance and functionality of the system. We expect that over the next few weeks, consumers will see improvements to the site each week, and that the consumer experience using the Federally-facilitated Marketplaces eligibility and enrollment system through HealthCare.gov will be greatly improved for the vast majority of users by November 30.
Last revised: December 19, 2013