Draft Testimony of
DEPUTY CHIEF INFORMATION OFFICER
HEALTH CARE FINANCING ADMINISTRATION
HOUSE COMMITTEE ON ENERGY AND COMMERCE
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
May 23, 2000
Chairman Greenwood, Congressman Deutsch, other distinguished members of the Subcommittee, thank you for inviting me to discuss the Health Care Financing Administration’s (HCFA) information technology security efforts and our plans for the future. Protecting the confidential health information of the Americans who rely on our programs is a critical responsibility, and we take this duty seriously. I appreciate the opportunity to share our efforts and plans with you.
Confidential data are essential to carry out many of our business functions. For example, to pay a Medicare claim, we must confirm the beneficiary’s eligibility for Medicare benefits, obtain information about secondary payers, review the claims history, and perform other data-intensive activities. Similarly, for a Medicare managed care payment, we have to establish the beneficiary’s enrollment, calculate the payment amount, and forward that amount to the plan. As manager and custodian of this data, we have a legal and practical responsibility to assure that proper security safeguards are in place for maintaining confidentiality, integrity, and appropriate availability of this data. We take this responsibility seriously, and the public counts on us to do so.
The Commerce Committee and Congress recognized this when they passed the Government Information Security Reform Act, focusing attention across the government on information security concerns. While we have not yet experienced any significant breach of our systems’ security, we remain vigilant in our efforts to protect beneficiary information. Our staff and partners like the Inspector General (IG) have identified security vulnerabilities within our systems, and we have taken appropriate steps to address them. I want to commend the IG, as well as the General Accounting Office (GAO) and others, for their assistance in highlighting these vulnerabilities and their recommendations for solutions. Their work serves as an important roadmap for us as we work to improve security across our Agency. Moreover, in our recent Chief Financial Officer Electronic Data Processing audit, the IG acknowledged that we have made progress with our security efforts, and identified no material weaknesses in our systems. As a result of increasing use and changing technologies, the demands on our information technology architecture are greater than ever before, and security risks continue to evolve. Clearly, we must continue to enhance and improve security in order to meet today's needs and tomorrow’s challenges.
We recognize that although perfect security is unattainable, we must constantly and rigorously improve our defenses. As the technology we use in administering our programs has grown more complex, new security threats have emerged and old threats have intensified, as they have with others. Even the smallest technological change can open us to new threats, which cannot always be anticipated.
As the Deputy Director of HCFA’s Office of Information Services and Deputy Chief Information Officer, I am acutely aware of our computer system security responsibilities. We have worked hard, especially in the past 5 years, to proactively identify, correct, and prevent problems with the security of our computer systems. We have instituted a comprehensive and effective system security program across our entire enterprise, and we continue to make great strides in improving security both in our internal systems and the systems of the private sector contractors that process Medicare claims. Our systems are not perfect – no one’s are – but we have greatly improved our security, and we have concrete plans to improve it further.
In the history of the Medicare program, there have been no significant security or privacy breaches with Medicare systems, nor have there been substantial problems with breaches of confidential beneficiary or provider data. However, we face considerable security challenges due to Medicare’s current, complex environment. The complexity of this environment is driven by the increasingly data-intensive nature of modern health care as we strive to meet our mission of providing health insurance coverage to nearly 40 million older and disabled Americans. By law, Medicare fee-for-service claims are processed by about 50 private sector insurance companies who each have their own business processes and variations in the use of Medicare claims processing software, which we are responsible for overseeing. From a technology standpoint, such decentralization requires that we transmit data to ensure that we bring together up-to-date information on eligibility, enrollment, deductibles, utilization, and other potential insurance payers. We also must share eligibility and managed care enrollment data with the approximately 540 managed care plans providing services to Medicare beneficiaries.
In addition to these demands, we are striving to make information about our programs and services more readily available to Medicare beneficiaries, physicians, and other providers. We need to provide timely solutions and ready access to information for a wide variety of customers and partners so they can research Medicare benefits, billing rules and procedures, and a host of other subjects. However, we must balance this need with our responsibility to protect sensitive information from unauthorized access, such as preventing "hackers" from violating our internal systems via our public Internet sites. And we must address both of these priorities within the aging nature of our current information technology infrastructure and our available resources.
We learned a great deal about how to address information technology challenges two years ago when, in partnership with Congress and over one million health care providers across the country, we successfully met the Year 2000 challenge. Now, with our resources no longer committed to that effort, we have resumed efforts to implement legislative changes mandated by the Health Insurance Portability and Accountability Act, the Balanced Budget Act of 1997, the Balanced Budget Refinement Act of 1999, and the Medicare, Medicaid, and SCHIP Benefits and Improvement Act of 2000. We also have initiatives to modernize other areas related to our business functions, including establishing the HCFA Integrated General Ledger Accounting System, to readily support a "clean opinion" on our Chief Financial Officer audit; and we have refocused on the security responsibility that comes with using ever-improving information technology.
In 1997, HCFA’s first Chief Information Officer, Dr. Gary Christoph, was hired, and he began an intensive, proactive effort to identify security deficiencies in our internal systems. Under Dr. Christoph, we began proactively testing for security problems so we could better realize what problems exist, where they are located, and how we can prevent them. Under this guiding principle, we became one of the first non-military Federal agencies to initiate third-party penetration testing of systems. We used an "ethical hacker" to test for vulnerabilities at our Agency and at some of our claims processing contractors before someone actually seeking to do harm could discover them. It is imperative to uncover these vulnerabilities, and in many cases we agreed with and implemented the contractors’ recommendations. In other cases, we analyzed the findings, considered the recommendations, and developed solutions that more appropriately fit our business needs while still addressing the underlying vulnerability. In all cases, we recognize the seriousness of any vulnerability and know we must carefully balance security with our other business responsibilities. We also have been conservative in moving to new e-business technology, to ensure that adequate protections are in place before we use this type of technology. Moreover, in the last three years we have essentially doubled the funds expended for security activities from $5.9 million to $11.7 million, and we have increased the number of FTEs devoted to security from 31 to 59.
In 1998 we began work on an Enterprise-wide Systems Security Initiative that follows guidance from the National Institute of Standards and Technology and the Office of Management and Budget Circular A-130, which established policy for the management of Federal information resources. The central tenet of our initiative is to understand and mitigate the risks to our information in the most cost-effective manner. As you know, this effort was put on hold when we had to dedicate the vast majority of our information technology staff time and resources to Year 2000 remediation efforts. We began refocusing on the Security Initiative in 2000, implementing it along two parallel tracks: one track focuses on security inside the Agency, and one examines our external business partners, beginning with the Medicare contractors.
The Security Initiative’s implementation at the Medicare contractors began in earnest earlier this year when we published baseline security requirements and followed up with an assessment tool to compare their security measures against our core requirements. The results of those assessments will serve as a valuable work plan for our security efforts in the future.
Our internal HCFA efforts have been ongoing for a longer period of time, and we have made substantial progress. We continually assess our internal risks and vulnerabilities and take remedial actions to address them as aggressively as possible within our available resources. For example, we have developed improved procedures and tools for managing access to our data. These efforts help ensure that only staff who have a proper and legitimate professional need have access to sensitive information and that the staff use these data appropriately within our strict guidelines. We look carefully at whether an employee’s job entails a "need to know" confidential information. Even our senior staff, including the Chief Information Officer and me, cannot browse this information because we do not have a "need to know." Additionally, we are publicizing our intensified data security efforts to the entire Agency and contractor staff, informing them of their responsibilities, and reminding them that bad habits, such as sharing system passwords, could lead to unintended consequences. And beginning this summer, all HCFA staff will complete mandatory annual training on computer security. We believe that this strong effort to protect sensitive material will itself deter individuals from even attempting to violate our systems.
Throughout our implementation of the Security Initiative, we have proactively pursued self-testing of our security controls. Periodic recurrent testing can detect new vulnerabilities that have surfaced because of new technology, and reaffirm that old vulnerabilities have not been reopened. We also continue to use third party contractors to conduct "white hat" penetration tests of various portions of our computer network. When we began these tests over 3 years ago, we focused on looking into the Agency from external networks such as the Internet. Recently, we conducted more refined testing by looking internally at our network from the perspective of an authorized HCFA user. This is important because published industry-wide statistics indicate that authorized users or employees are suspected as the largest source of security breaches.
Along with our own self-assessments and contractor testing, audits performed by the IG have aided us in identifying security vulnerabilities in our information systems. For example, the IG found that Agency and contractor employees could have had unauthorized access to confidential information, because passwords were not being administered properly or computer programmers could have had inappropriate access to some files. They also found instances where people could have had inappropriate access to the areas where computers were stored. In each of these instances, we have worked hard to address the vulnerabilities, and we have made significant progress. For example, we have recertified all of the individuals with password access to our systems, purging hundreds of individual passwords from our systems. Additionally, we have secured areas that before permitted inappropriate access to our computer hardware.
Some of these vulnerabilities were very easy to address, while others are longer-term projects that require more intensive attention and resources. And we remain open to suggestions of additional ways to improve our security. Information technology continues to evolve, and we will always have to strive to keep our health data as secure as possible with the resources that we have available.
A determined adversary with the necessary resources to get into a computer system will always find a way to do so, and we face major challenges in continuing to implement and improve our computer security program. Over the next fiscal year, we expect to put our security policy statements into action and develop specific standards, including establishing minimum floors for protecting all of our sensitive data. We also will continue to update our security initiatives to keep pace with the development of new threats and the proliferation of old ones. Our goal is to create a multi-layered series of security defenses, utilizing firewalls, scanning software, intrusion detection, administrative controls, access controls, good authorization procedures, and recurrent security training and education for staff. Taken together, these layers of protection establish a solid security posture for our agency.
We want to work with you and our other partners to make sure that we protect this information and fulfill all of our responsibilities as effectively and efficiently as possible. Thank you for your support and assistance, and the opportunity to discuss these important issues with you today. I am happy to answer your questions.
Last revised: June 25, 2001