WASHINGTON — Senators grilled a top health care official Tuesday over the security of information gathered by the government’s month-old health care website.
Members of the Senate Health, Education, Labor and Pensions Committee jumped on a recent audit of Quality Software Services, Inc., – or QSSI – regarding the security of information of 6 million Medicare recipients. The report said personal information was left vulnerable to high-tech gadgets such as smartphones and tablets.
“Were you aware of that?” Sen. Johnny Isakson, R-Ga., asked Marilyn Tavenner, administrator of the Centers for Medicare and Medicaid Services, during the hearing.
Tavenner’s response: “No, sir.”
According to a June report from the Inspector General — the internal watchdog for the Health and Human Services Department — QSSI’s computer systems were at risk because of outdated policies dealing with USB ports.
With advancing technology, cell phones, video cameras and tablets as well as thumb drives can steal sensitive information or dump destructive viruses onto a computer.
At the time, the software company tested changes to Medicare service systems by using real, but not live, data.
Now, QSSI has been tasked with oversight of the floundering federal health care website, which contains personal information of 700,000 enrollees. And Isakson demanded that Tavenner make sure the company is in compliance with federal security regulations.
Quality Software has made all of the changes recommended by the Inspector General, such as establishing usage limitations, and placing restrictions on how USB ports are used. The company is also scanning portable and mobile devices, according to the IG’s report.
QSSI did not respond to emails or phone calls seeking comment.
Isakson’s concerns, similar to other senators on the HELP committee, stemmed from a security mishap in North Carolina where a man trying to enroll on the federal health care website was able to access personal information of another man in South Carolina.
We called the 1-800 number “and asked a very specific question. Can you remove (that) personal information?” said Sen. Tim Scott, R-S.C. “The response was silence, not ‘yes’, not ‘no’, not ‘maybe’ not ‘let me check with my supervisor’.”
QSSI was not involved in that incident. Tavenner noted Mitre Corp. is responsible for securing the marketplace, not QSSI. And Mitre is working on the issue.
During the hearing, Tavenner told lawmakers the data hub of the Affordable Care Act’s online system had undergone “end-to-end” testing. But the exchange portion of the website was tested differently, in segments. That meant Tavenner did not sign off on the “complete package,” which she called “customary.”
A memo signed by Tavenner on Sept. 27, authorizing the website’s operation before the Oct. 1 health care kickoff, noted that “aspects of the system that were not tested during the ongoing development exposed a level of uncertainty that can be deemed as a high risk of a federally facilitated marketplace systems.”
Tavenner said she did not voice that concern to Health and Human Services Secretary Kathleen Sebelius, her superior at HHS.
Tavenner assured the panel that the website will be fixed and “fully functional“ by the end of November. She said security testing is happening on a weekly, and at times a daily, basis.