The data system supporting President Barack Obama's healthcare reform has been tested and certified as secure for millions of Americans who will seek health coverage beginning on October 1, meeting a critical deadline for launching the program, the administration said on Wednesday.
Concerns over whether consumer information would be secure in time were raised last month, when a government report said it could take until September 30 to sign off on the system's data protections, leaving little room for error before Obamacare is due to go live.
The Centers for Medicare & Medicaid Services (CMS), part of the U.S. Department of Health and Human Services, said on Wednesday that the federal data system used to determine eligibility for government subsidies for this new healthcare was ready to go.
The news came as a House of Representatives subcommittee on cybersecurity held a hearing to discuss the system, called the Hub. Republican lawmakers and panel witnesses raised questions about the ability to secure the system ahead of the Oct 1 launch.
IT security is a concern because the health exchanges that will sell insurance plans to individuals under the new program need various federal agencies to communicate on sensitive information about applicants, such as social security numbers, through the Hub.
Stephen Parente, a finance professor at the University of Minnesota who specializes in health insurance and health information technology, told the House hearing that the Hub is "the largest personal data integration government project in the history of the republic."
"Greater transparency is needed, as well as a frank acknowledgement that the (healthcare law's) posted deadlines should take second place to reasonable data concerns," Parente, a health policy adviser to Senator John McCain's failed 2008 presidential campaign, said in his testimony.
Last month, the HHS inspector general said in a report that missed deadlines this summer had pushed back the critical security testing. In particular, the date for CMS to certify that the Hub met requirements for information technology security was moved to September 30 from September 4.
Security requirements for the Hub, which is being built by an outside contractor, include access controls and authentication to help prevent hackers from viewing personal information such as tax records.
CMS, which will be overseeing the health exchanges, said on Wednesday in a statement that the IT-security authorization occurred on September 6.
"The completion of this testing confirms that the Hub complies with federal standards and that HHS and CMS have implemented the appropriate procedures and safeguards necessary for the Hub to operate securely on October 1," CMS said.
The inspector general's office has not independently verified CMS' progress since the office's August audit, Kay Daly, assistant inspector general in the inspector general's office, testified on Wednesday.
Representative Patrick Meehan, a Pennsylvania Republican who chairs the subcommittee, was dubious of the agency's ability to address all the security concerns.
"This is an agency who for three years failed to meet a single deadline," Meehan said during the hearing. "The word continues to be, 'Just trust us.'"
(Reporting by Caroline Humer and Lewis Krauskopf; Editing by Leslie Adler)