When members of the U.S. House return from their holiday recess, they will consider legislation aimed at bolstering the security of the federal HealthCare.gov website and systems for Obamacare.
House Majority Leader Eric Cantor, R-Va., sent a memo to House Republicans on Jan. 2 aimed at rallying them to pass legislation to address the security of Healthcare.gov site, particularly data breach notification.
"To date, the administration has downplayed the risk of a data breach, perhaps in part because their primary goal is signing people up for insurance through the exchange," wrote Cantor in the memo, which was provided to Information Security Media Group.
"Regardless, if there is a breach, Americans shouldn't have to wonder whether or not they will receive prompt notification so that they may act to protect their personal identity and finances," Cantor says. "It is my intent to schedule legislation on this topic when we return next week," he wrote in the Jan. 2 memo.
The focus on the security of Healthcare.gov is just one part of Cantor's larger call for "greater transparency" overall from the Obama administration for the Affordable Care Act, including "disclosure of reliable and complete enrollment data."
Tapping Other Proposals
A schedule for consideration of the new Cantor legislation, as well as the bill's specific provisions and sponsors, was still being worked out on Jan. 3, sources told Information Security Media Group. The legislation will draw from other Healthcare.gov security-related legislation that was introduced late last year by three other House Republicans - Diane Black of Tennessee, Kerry Bentivolio of Michigan and Gus Bilirakis of Florida.
A spokesman for Bilirakis says key provisions of his proposal include requirements for the Department of Health and Human Services to notify affected individuals and Congress when a data breach occurs. Black's legislation also focuses on breach notification for individuals whose information is exposed.
A provision in Bentivolio's legislation says a federal agency "may not deploy or make available to the public a new website involving personally identifiable information until the date on which a certification is submitted to Congress that the website is fully functional and secure."
In response to Cantor's memo, Drew Hammill, a spokesman for House Democratic Leader Nancy Pelosi, issued a statement saying, "It is clear that the new year has brought no change in heart for House Republicans. They continue to remain intent on undermining or repealing the Affordable Care Act at every turn, and that effort even extends to scaring their constituents from obtaining health coverage."
Officials at the Centers for Medicare and Medicaid Services, which oversees Healthcare.gov, said in a statement that so far, there have been no successful security attacks or malicious data breaches involving the website. CMS did not respond to Information Security Media Group's request for additional comment.
Cantor's plans for Obamacare-related security legislation, as well as the proposals by the other GOP representatives, came after a series of congressional hearings probing the problems with the HealthCare.gov launch (see: IT Experts Answer Obamacare Questions).
In addition to the many technical woes that initially affected the accessibility and functionality of HealthCare.gov, members of Congress and others criticized the lack of an end-to-end security analysis and test before its Oct. 1 launch.
Viability of Proposal
Even if a Healthcare.gov security bill gets approved by the House, it's far from certain whether the legislation would advance any further in the Senate, where Democrats are in the majority.
"Any new GOP legislation attempting to regulate the health insurance exchanges has no chance of passing the Senate unless it is narrowly limited to tactical consumer protections that can attract bipartisan support," says Kev Coleman, who tracks government activity as head of research and data at HealthPocket Inc., a technology and research firm that ranks health plans.
"My preference would be to approach security improvements from means other than the legislative process," he says. "Legislation is only as effective as the processes that implement and enforce it. The best way to improve security - public confidence - of Healthcare.gov is through transparency."
The government should clarify whether comprehensive security testing was completed on all exchange system components, including security regression tests related to the bug fixes implemented, Coleman says. "If the testing is not completed, public knowledge of this situation would create internal pressure within the exchange to prioritize the completion of the testing."
Risk Management at HHS
The Department of Health and Human Services is taking steps to improve HealthCare.gov and prevent "the structural and managerial policies" that led to the flawed launch of HealthCare.gov from recurring, wrote HHS Secretary Kathleen Sebelius in a Dec. 11 blog post. Those steps include creating the new position of chief risk officer to assess risk management practices across HHS, with an initial focus on the troubled Healthcare.gov website (see: CMS to Appoint Chief Risk Officer).
On Dec. 31, Michelle Snyder, chief operating officer at CMS, retired. As COO, Snyder was in charge of the agency's day-to-day activities, and technology experts who built HealthCare.gov reported to her, according to news reports (see: Another CMS Official Steps Down).
In November, CMS announced that Tony Trenkle, CIO and director of information services at CMS, was also leaving his post (see: CIO at CMS Stepping Down).