Two Republican lawmakers Wednesday demanded that the U.S. Department of Health and Human Services (HHS) provide information on the measures used to secure the Federal Data Services Hub that was built to support Obamacare healthcare exchanges.
In a letter to HHS Inspector General Daniel Levinson, Congressmen Patrick Meehan (R-Pa.) and Diane Black (R-Tenn.) requested information on the results of tests conducted to verify the security of the data hub. They also wanted HHS to identify the consultants used to help carry out the tests, and to disclose what measures are currently in place to protect against cyberattacks.
"It is imperative that Congress be provided with the information necessary to understand how the Data Hub was certified and what continuing controls have been put in place to protect Americans who are currently accessing the system," the two lawmakers wrote.
"Specifically, we request information on the user access controls for the (HHS) staff and Navigators that have been determined appropriate for using the Data Hub," they noted. The letter also asked for details on any measures the HHS might have implemented to monitor for and detect suspicious activity on the data hub.
The data hub, often referred to as the Obamacare Hub, is a routing tool operated by the Centers for Medicare & Medicaid Services (CMS). The technology is designed to let state and federally facilitated healthcare marketplaces quickly verify the eligibility of individuals seeking insurance coverage.
The Hub itself does not store data and merely connects healthcare insurance exchanges with numerous federal databases at the Social Security Administration, the Internal Revenue Service, the Department of Homeland Security, the Department of Veterans Affairs and other agencies.
Though the CMS insists it has measures in place to protect data passing through the hub, many groups, including the Heritage Foundation and the Citizens Council for Health Freedom, contend that it exposes users to identity fraud.
The skepticism of such groups remained in place even after CMS reported last month that the Hub successfully passed a security controls assessment by an independent third-party auditor.
At the time, the CMS said that it had implemented controls for tracking, investigating and reporting suspicious activities and incidents on the Hub.
In the letter, the two lawmakers asked Levinson for a copy of the security audit and the subsequent authorization it received to operate the data hub. The lawmakers noted that such documents would identify any vulnerabilities in the system and the security controls it uses.
The lawmakers said the complexity of the data hub raises concerns about the security of the names, addresses, Social Security Numbers and other personal data that flows through it.
"It is unclear if certain critical best practices were conducted prior to releasing the Data Hub -- such as pilot programs and employing White Knight hackers to provide feedback on the system's vulnerabilities," they said.
The CMS did not respond to a request for comment.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.