[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]



 
THE THREAT TO AMERICANS' PERSONAL INFORMATION: A LOOK INTO THE SECURITY 
            AND RELIABILITY OF THE HEALTH EXCHANGE DATA HUB 

=======================================================================

                                HEARING

                               before the

                     SUBCOMMITTEE ON CYBERSECURITY,
                       INFRASTRUCTURE PROTECTION,
                       AND SECURITY TECHNOLOGIES

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           SEPTEMBER 11, 2013

                               __________

                           Serial No. 113-33

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

               [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
                                     

      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                               __________

                         U.S. GOVERNMENT PRINTING OFFICE 

86-247 PDF                       WASHINGTON : 2013 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Printing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001


                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Paul C. Broun, Georgia               Yvette D. Clarke, New York
Candice S. Miller, Michigan, Vice    Brian Higgins, New York
    Chair                            Cedric L. Richmond, Louisiana
Patrick Meehan, Pennsylvania         William R. Keating, Massachusetts
Jeff Duncan, South Carolina          Ron Barber, Arizona
Tom Marino, Pennsylvania             Dondald M. Payne, Jr., New Jersey
Jason Chaffetz, Utah                 Beto O'Rourke, Texas
Steven M. Palazzo, Mississippi       Tulsi Gabbard, Hawaii
Lou Barletta, Pennsylvania           Filemon Vela, Texas
Chris Stewart, Utah                  Steven A. Horsford, Nevada
Richard Hudson, North Carolina       Eric Swalwell, California
Steve Daines, Montana
Susan W. Brooks, Indiana
Scott Perry, Pennsylvania
Mark Sanford, South Carolina
                       Greg Hill, Chief of Staff
          Michael Geffroy, Deputy Chief of Staff/Chief Counsel
                    Michael S. Twinchek, Chief Clerk
                I. Lanier Avant, Minority Staff Director
                                 ------                                

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY 
                              TECHNOLOGIES

                 Patrick Meehan, Pennsylvania, Chairman
Mike Rogers, Alabama                 Yvette D. Clarke, New York
Tom Marino, Pennsylvania             William R. Keating, Massachusetts
Jason Chaffetz, Utah                 Filemon Vela, Texas
Steve Daines, Montana                Steven A. Horsford, Nevada
Scott Perry, Pennsylvania, Vice      Bennie G. Thompson, Mississippi 
    Chair                                (ex officio)
Michael T. McCaul, Texas (ex 
    officio)
               Alex Manning, Subcommittee Staff Director
                    Dennis Terry, Subcommittee Clerk



                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Patrick Meehan, a Representative in Congress From 
  the State of Pennsylvania, and Chairman, Subcommittee on 
  Emergency Preparedness, Response, and Communications...........     1
The Honorable Yvette D. Clarke, a Representative in Congress From 
  the State of New York, and Ranking Member, Subcommittee on 
  Emergency Preparedness, Response, and Communications:
  Oral Statement.................................................     3
  Prepared Statement.............................................     6
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Prepared Statement.............................................     7

                               Witnesses

Mr. Michael J. Astrue, Former Social Security Commissioner, 
  Former U.S. Department of Health and Human Services General 
  Counsel:
  Oral Statement.................................................     9
  Prepared Statement.............................................    11
Mr. Stephen T. Parente, Ph.D., Minnesota Insurance Industry Chair 
  of Health Finance, Director, Medical Industry Leadership 
  Institute, Professor, Department of Finance, Carlson School of 
  Management, University of Minnesota:
  Oral Statement.................................................    13
  Prepared Statement.............................................    15
Ms. Kay Daly, Assistant Inspector General, Audit Services, U.S. 
  Department of Health and Human Services:
  Oral Statement.................................................    16
  Prepared Statement.............................................    17
Mr. Matt Salo, Executive Director, National Association of 
  Medicaid Directors:
  Oral Statement.................................................    21
  Prepared Statement.............................................    23

                             For the Record

The Honorable Yvette D. Clarke, a Representative in Congress From 
  the State of New York, and Ranking Member, Subcommittee on 
  Emergency Preparedness, Response, and Communications:
  Letter.........................................................     5


THE THREAT TO AMERICANS' PERSONAL INFORMATION: A LOOK INTO THE SECURITY 
            AND RELIABILITY OF THE HEALTH EXCHANGE DATA HUB

                              ----------                              


                     Wednesday, September 11, 2013

             U.S. House of Representatives,
                    Committee on Homeland Security,
 Subcommittee on Cybersecurity, Infrastructure Protection, 
                                 and Security Technologies,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 2:02 p.m., in 
Room 311, Cannon House Office Building, Hon. Patrick Meehan 
[Chairman of the subcommittee] presiding.
    Present: Representatives Meehan, Rogers, Marino, Perry, 
Clarke, Vela, and Horsford.
    Also present: Representative Jackson Lee.
    Mr. Meehan. The Committee on Homeland Security, 
Subcommittee on Cybersecurity, Infrastructure Protection, and 
Security Technologies will come to order.
    The subcommittee is meeting today to examine the security 
and reliability of the Health Exchange Data Hub and the 
existence of any threat to Americans' personal information.
    Before beginning my opening statement, I think it is only 
appropriate on a day like today that we take a moment and join 
in a moment of silence, remembrance of the victims of September 
11 as we recognize the twelfth anniversary of that terrible 
tragedy.
    I thank you.
    I now recognize myself for an opening statement.
    Today's hearing, ``A Threat to Americans' Personal 
Information: A Look into the Security and Reliability of the 
Health Exchange Data Hub'' is the second hearing on this issue 
in less than 2 months by this committee or associated with this 
committee.
    The Federal Data Services Hub was established under the 
rulemaking for the Patient Protection and Affordable Care Act. 
Its purpose is to be the one-stop shop to connect applicants to 
the Affordable Care Act exchanges.
    The hub will connect to multiple Federal agencies including 
the Social Security Administration to verify an applicant's 
Social Security number, the IRS, to verify income and really 
not just for an applicant, but for an applicant's spouse and 
children and others.
    The Department of Homeland Security to verify citizenship 
and immigration status as well as other Federal agencies to 
determine an applicant's eligibility for Federal health 
insurance subsidies, the key aspect of it to be the ability to 
articulate the qualification, not just for subsidies but amount 
of subsidies.
    Personally identifiable information for any applicant and 
their families will pass through the data hub from these 
various agencies. In fact, over 20 million Americans are 
expected to enter the exchange over the next 5 years, and I 
know we will hear testimony about what the scope of this 
exchange is expected to be.
    This information will include an applicant's name, address, 
date of birth, Social Security number, household income, health 
status including whether an applicant is pregnant or has a 
disability, and will be stored in the exchange system of 
records for up to 10 years, stored in the system for up to 10 
years.
    The Government Accountability Office in a June 2, 2013 
report called the hub, ``a complex undertaking involving the 
coordinated actions of multiple Federal, State, and private 
stakeholders.'' The report concluded that, ``a timely and 
smooth implementation by October 13, 2013 cannot yet be 
determined.''
    In July, this subcommittee convened a joint hearing with 
the House Oversight and Government Reform Subcommittee. We 
heard directly from Centers for Medicare and Medicaid Services, 
Director Marilyn Tavenner, and acting commissioner of the IRS, 
Daniel Werfel, among others on the implementation of the hub.
    My personal take-away from that hearing is that CMS was not 
ready to embark on this giant responsibility. Since our 
hearing, the Health and Human Services inspector general 
conducted a report on the implementation of the hub from a 
security perspective.
    The IG report stated that the several critical tasks 
remained to be completed in a short period of time. That is why 
we are here today, to examine CMS' progress in securing 
America's personal information.
    I am thankful to the inspector general who sent a 
representative to participate in today's hearing. As we sit 
just 20 days removed from the exchanges and the data hub, going 
live on October 1, I have grave concerns from a cybersecurity 
standpoint.
    We have assembled a panel of witnesses uniquely qualified 
in commenting on the scope and readiness of the mounting task 
at hand. I thank them for participating, and I look forward to 
hearing their testimonies.
    Let me conclude my comments by saying that this is not a 
hearing that goes into the policy implications behind the 
Affordable Care Act. It is not our purpose here today to try to 
raise that issue.
    But we are a committee that is focused and focused 
importantly on the security of American citizens, and one of 
the highest issues we currently see is an appreciation for 
personal privacy and private identifying information and what 
the misuse of that information cannot just mean directly to a 
person but to a person who then has to go about trying to fix 
that in their lives.
    In the best of times, we have seen dramatic growth in those 
who have used and developed new and innovative ways to steal 
that information to use it in the markets in a variety of 
different capacities.
    So as we have dealt with increasing sophistication in those 
who would try to steal them and manipulate this information, we 
also recognize that we are in a unique time as well.
    A time in which cyber information is not just there to be 
manipulated or used or stolen by those if it is not 
appropriately secure, but we face a time in which there are 
very sophisticated actors, including state actors who may wish 
to do us harm.
    A database that it is the core of one of the central 
expenditures of American resources can certainly, foreseeably 
be a target. The extent to which we are ready not just for the 
kinds of challenges that are facing security databases in the 
normal course of business but the preparation readiness to 
stand up to what may be a sophisticated attack and one that 
seeks to do us damage are all relevant considerations for us at 
this important point.
    These are some of the issues I want to ask about the 
readiness before we get ready to go, and I appreciate those of 
you who are here today who are ready to testify on your 
opinions and knowledge with regard to the readiness of this 
database.
    Now the Chairman now recognizes the Ranking Minority Member 
of the subcommittee, the gentlelady from New York, Ms. Clarke, 
for any statement that she may have.
    Ms. Clarke. I thank you, Mr. Chairman, for holding a second 
hearing on one of the most important features of the Affordable 
Care Act, and I welcome our witnesses here today.
    When President Obama signed the Affordable Care Act in the 
East Room of the White House on March 23, 2010, the Federal 
Government started planning to operate health care insurance 
market places, also called exchanges, and assist States that 
opted to run their own marketplaces.
    All of this involves developing a complex computer web-
based service that would allow millions of Americans access to 
affordable health care in the most efficient and safe way 
possible.
    This is a large undertaking and involves a complicated 
inter-agency IT and web-based software effort commonly known as 
the Federal Data Services Hub based at the Department of Health 
and Human Services Center for Medicare, Medicaid Services, or 
CMS.
    What is important about this effort is that we must create, 
collect, and use or disclose personal information of millions 
of our citizens in a responsible and confidential way.
    The health care marketplaces must establish and implement 
cyber and personal information protection standards that are 
consistent with specific principles outlined in our current 
health care law.
    Those principles which are comparable to the ones upon 
which the HIPAA, the Health Insurance Portability and 
Accountability Act, provide and they include No. 1, providing a 
right of access to one's personally identifying information 
commonly referred to as PII, a right to have erroneous 
information corrected, and No. 3, providing accountability 
through appropriate monitoring and reporting of information 
breaches.
    Exchanges must also establish and implement reasonable 
operational, technical, administrative, and physical safeguards 
to ensure the confidentiality, integrity, and availability of 
PII and to prevent unauthorized or inappropriate access, use, 
or disclosure of PII.
    In addition, health exchanges must monitor, periodically 
access, and update their security controls and must develop and 
use secure electronic interfaces when sharing PII 
electronically.
    CMS has completed its technical design and build of Federal 
Data Services Hub and has established an inter-agency security 
framework as well as the protocols for connectivity.
    Importantly, in a letter to Ranking Member Thompson this 
morning, HHS has revealed that as of Friday, September 6, they 
had taken the necessary steps to obtain security authorization 
for the data hub and the CMS chief information officer has 
assigned to the security authorization.
    This is an important milestone and it shows that CMS will 
be ready to operate the hub securely on October 1.
    This will provide a common, secure connection for 
marketplaces to seek information from Federal databases 
necessary to verify eligibility, excuse me, for the millions of 
Americans who can begin to shop for quality, affordable health 
care coverage in just a few weeks.
    The hub has several layers of protection to mitigate 
information security risks. For example, marketplace systems 
will employ a continuous monitoring model that will utilize 
sensors and active event monitoring to quickly identify and 
take action.
    Let us remember, it is simple. The Data Services Hub will 
transfer data and be used to verify applicant information data 
for eligibility. The Data Services Hub is not a database. It 
will not function as a database. It will not contain health 
care records.
    The hub will send queries and responses among given 
marketplaces and data services to determine eligibility. The 
Data Services Hub will not determine consumer eligibility nor 
will it determine which health plans are available in the 
marketplaces.
    CMS and its vendors have told us and testified before this 
subcommittee and Energy and Commerce subcommittees that 
delivery milestones for the Data Services Hub completion are 
being met on time and they expect that the Data Services Hub 
will be ready as planned by October 1.
    I am looking forward to the testimony of the HHS Office of 
the Inspector General to learn more about their important role 
in the implementation of the Federal data hub.
    Also, we are going to hear testimony today from the 
director of the State Medicaid Directors Association whose 
members have been working on this effort from the ground up.
    I am eager to learn about the massive efforts of that State 
and the Federal Centers for Medicaid and Medicaid Services have 
made to stand up to this complex data hub. This is the kind of 
information we need to help us deliver health care to citizens 
who really need it.
    Mr. Chairman, I ask for unanimous consent to submit a copy 
of the letter received by Ranking Member Bennie Thompson.
    Mr. Meehan. Without objection, so ordered.
    [The information follows:]
          Letter Submitted by Ranking Member Yvette D. Clarke
                     Washington, DC, Sep. 10, 2013.
The Honorable Bennie Thompson,
Ranking Member, Committee on Homeland Security, U.S. House of 
        Representatives, Washington, DC 20515.
    Dear Representative Thompson: Thank you for your inquiry related to 
privacy and security protections associated with the Data Services Hub 
(hub) and the status of our work to protect people and programs from 
cyber-attacks in this area. At the Department of Health and Human 
Services (HHS), we take very seriously our responsibility to safeguard 
personal information in all of our programs, including in the 
Affordable Care Act Marketplace. Collectively, the tools, methods, 
policies, and procedures we have developed provide a safe and sound 
security framework to safeguard consumer data, allowing eligible 
Americans to confidently and securely enroll in quality affordable 
health coverage starting on October 1, 2013. This framework is 
consistent with the framework that exists for all other HHS programs, 
such as Medicare, which Americans rely on every day.
    HHS's Centers for Medicare & Medicaid Services (CMS) has a strong 
track record of preventing breaches involving the loss of personally 
identifiable information from cyber-attacks. This is due in large part 
to the establishment of an information security program with consistent 
risk management, security controls assessment, and security 
authorization processes for all enterprise systems. Our system and 
security protocols are grounded in statutes, guidelines and industry 
standards that ensure the security, privacy, and integrity of our 
systems and the data that flow through them. These protections include 
a series of statutes and amendments to these laws, such as the Privacy 
Act of 1974, the Computer Security Act of 1987 and the Federal 
Information Security Management Act (FISMA) of 2002, as well as various 
regulations and policies promulgated by HHS, the Office of Management 
and Budget, the Department of Homeland Security, and the National 
Institute of Standards and Technology (NIST).
    In accordance with these provisions, CMS has developed the hub, a 
routing tool that helps Marketplaces provide accurate and timely 
eligibility determinations. It is important to point out that the hub 
will not retain or store Personally Identifiable Information. Rather, 
the hub is a routing system that CMS is using to verify data against 
information contained in already existing, secure, and trusted Federal 
and State databases. CMS will have security and privacy agreements with 
all Federal agencies and States with which we are validating data. 
These include the Social Security Administration, the Internal Revenue 
Service, the Department of Homeland Security, the Department of 
Veterans Affairs, Medicare, TRICARE, the Peace Corps, and the Office of 
Personnel Management.
    The hub is designed to comply with the comprehensive information 
security standards developed by NIST in support of FISMA. NIST has 
emerged as the gold standard for information security standards and 
guidelines that all Federal agencies follow. Several layers of 
protection will be in place to help protect against potential damage 
from attackers and mitigate risks. For example, the hub will employ a 
continuous monitoring model that will utilize sensors and active event 
monitoring to quickly identify and take action against irregular 
behavior and unauthorized system changes that could indicate potential 
attacks. Automated methods will ensure that system administrators have 
access to only the parts of the system that are necessary to perform 
their jobs. These protocols, combined with continuous monitoring, will 
alert system security personnel when any system administrator attempts 
to perform functions or access data for which they are not authorized 
or are inconsistent with their job functions.
    Should security incidents occur, an Incident Response capability 
built on the model developed by NIST would be activated. The Incident 
Response function allows for the tracking, investigation, and reporting 
of incidents so that HHS may quickly identify security incidents and 
ensure that the relevant law enforcement authorities, such as the HHS 
Office of Inspector General Cyber Crimes Unit, are notified for 
purposes of possible criminal investigation.
    Before Marketplace systems are allowed to operate and begin serving 
consumers across the country, they must comply with the rigorous 
standards that we apply to all Federal operational systems and CMS's 
Chief Information Officer must authorize the systems to begin 
operation. I am pleased to report that the hub completed its 
independent Security Controls Assessment on August 23, 2013 and was 
authorized to operate on September 6, 2013. The completion of this 
testing confirms that the hub comports with the stringent standards 
discussed above and that HHS has implemented the appropriate procedures 
and safeguards necessary for the hub to operate securely on October 1.
    The privacy and security of consumer data are a top priority for 
HHS and our Federal, State, and private partners. We understand that 
our responsibility to safeguard our systems is an on-going process, and 
that we must remain vigilant throughout their operations to anticipate 
and protect against evolving data security threats. Accordingly, we 
have implemented privacy and security measures for the Marketplace 
systems that employ measures similar to those in the private sector and 
we will continually validate through a variety of methods.
    In closing, we have produced an extremely strong enterprise 
information security program by implementing state-of-the-art controls 
and business processes based on statutory requirements, agency and 
organizational commitments, best practices, and the experience and 
knowledge of our subject matter team members. This has resulted in the 
development, testing, and readiness of the hub to operate on October 1 
to serve consumers across the country in a secure and efficient manner. 
We hope this information is responsive to your inquiry. Thank you for 
your interest in and leadership on this important issue.
            Sincerely,
                                          Marilyn Tavenner.

    Ms. Clarke. Thank you, Mr. Chairman, and I yield back.
    [The statement of Ranking Member Clarke follows:]
              Statement of Ranking Member Yvette D. Clarke
                           September 11, 2013
    Thank you Mr. Chairman for holding a second hearing on one of the 
most important features of the Affordable Care Act.
    When President Obama signed the Affordable Care Act in the East 
Room of the White House on March 23, 2010, the Federal Government 
started planning to operate health care insurance marketplaces, also 
called exchanges, and assist States that opted to run their own 
marketplaces.
    All of this involves developing a complex computer web-based 
service that would allow millions of Americans access to affordable 
health care, in the most efficient and safe way possible.
    This is a large undertaking, and involves a complicated inter-
agency IT and web-based software effort, commonly known as a ``Federal 
Data Services Hub'' based at The Department of Health and Human 
Services, Center for Medicare and Medicaid Services, or CMS.
    What is important about this effort is that we must create, 
collect, and use or disclose personal information of millions of our 
citizens in a responsible and confidential way.
    The health care marketplaces must establish and implement cyber and 
personal information protection standards that are consistent with 
specific principles outlined in our current health care law.
    Those principles, which are comparable to the ones upon which the 
HIPAA, the Health Insurance Portability and Accountability Act provide, 
and they include:
   Providing a right of access to one's Personally Identifying 
        Information, commonly referred to as PII;
   A right to have erroneous information corrected;
   And providing accountability through appropriate monitoring 
        and reporting of information breaches.
    Exchanges must also establish and implement reasonable operational, 
technical, administrative, and physical safeguards to ensure the 
confidentiality, integrity, and availability of PII, and to prevent 
unauthorized or inappropriate access, use, or disclosure of PII.
    In addition, Health Exchanges must monitor, periodically access, 
and update their security controls, and must develop and use secure 
electronic interfaces when sharing PII electronically.
    CMS has completed its technical design, and build of Federal Data 
Services Hub and has established an interagency security framework as 
well as the protocols for connectivity.
    Importantly, in a letter to Ranking Member Thompson this morning, 
HHS has revealed that as of Friday, September 6, they had taken the 
necessary steps to obtain security authorization for the data hub, and 
the CMS Chief Information Officer has signed the security 
authorization. This is an important milestone, and it shows that CMS 
will be ready to operate the hub securely on October 1.
    This will provide a common, secure connection for Marketplaces to 
seek information from Federal databases necessary to verify eligibly 
for the millions of Americans can begin to shop for quality, affordable 
health coverage in just a few weeks.
    The hub has several layers of protection to mitigate information 
security risk. For example, Marketplace systems will employ a 
continuous monitoring model that will utilize sensors and active event 
monitoring to quickly identify and take action.
    Let us remember, it's simple . . . the Data Services Hub will 
transfer data and be used to verify applicant information data for 
eligibility. The Data Services Hub is NOT a database, it will not 
function as a database, and it will not contain health care records.
    The hub will send queries and responses among given marketplaces 
and data sources to determine eligibility. The Data Services Hub will 
not determine consumer eligibility, nor will it determine which health 
plans are available in the marketplaces.
    CMS and its vendors have told us, and testified before this 
subcommittee and Energy and Commerce subcommittees, that delivery 
milestones for the Data Services Hub completion are being met on time, 
and they expect the Data Services Hub will be ready as planned by 
October 1.
    I am looking forward to the testimony of the HHS Office of 
Inspector General to learn more about their important role in the 
implementation of the Federal Data Hub.
    Also, we are going to hear testimony today from the director of the 
State Medicaid Directors Association, whose members have been working 
on this effort from the ground up.
    I am eager to learn about the massive efforts that States, and the 
Federal Centers for Medicare and Medicaid Services, have made to stand 
up this complex data hub.
    This is the kind of information we need to help us deliver health 
care to citizens who really need it.
    Mr. Chairman, I yield back.

    Mr. Meehan. Okay. I thank the gentlelady.
    Other Members of the committee are reminded that opening 
statements may be submitted for the record.
    [The statement of Ranking Member Thompson follows:]
             Statement of Ranking Member Bennie G. Thompson
                           September 11, 2013
    Thank you, Mr. Chairman, for holding a second hearing on one of the 
most important features of the Affordable Care Act. I also want to 
thank the witnesses for appearing here today.
    On March 23, 2010, President Obama signed the Affordable Care Act 
into law. I should note that today, the Majority will bring their 41st 
vote to undermine and repeal the Affordable Care Act to the Floor of 
the House. The ACA requires the development of a computer-based service 
that will allow millions of Americans the ability to purchase 
affordable health care policies for their families, in the most 
efficient and safest way possible. This undertaking requires the 
development of a ``Federal Data Services Hub.''
    My colleagues on the other side of the aisle have used the 
development of this hub to promote uncertainty and fear about the 
ability of these computer systems to keep the personal and health 
information of millions of Americans safe and secure. I appreciate 
their concern. It seems that last year, a poll conducted by the 
National Foundation for Credit Counseling found that 64% of Americans 
fear identity theft. Given the widespread fear of identity theft, the 
American public should have the facts on whether there is any danger in 
personal and health information leaking out or being hacked from this 
system.
    This kind of assurance is extremely important if we want millions 
of people who do not have health care to feel that they can trust this 
system and use it to get the care they need and the policies they can 
afford. We all know that sowing fear in a new system is one way to 
discourage participation and drive down enrollment figures. I am sure 
no one would want that outcome. So here are the facts that people need 
to know to have confidence in this system:
    (1) The use of computers to obtain, verify, and transmit 
        information in Government programs is nothing new;
    (2) The information contained on your driver's license and Social 
        Security card and any other piece of Government-issued 
        identification you have is housed somewhere on a Government 
        database;
    (3) The Federal Government and the States already use and exchange 
        personal data to determine eligibility for various programs;
    (4) Leaks involving personal data by State and local governments 
        are a rare occurrence. Information leaks involving personal 
        data held by private companies, such as banks, credit card 
        issuers, and retail stores, are common; and,
    (5) As of Friday, September 6, 2013, HHS/CMS had taken the 
        necessary steps to obtain a security authorization for this 
        system.
    Thus, while I appreciate the Majority's concern about the 
Government's ability to safeguard this information, it appears to be 
misplaced.
    Thank you, Mr. Chairman, and I yield back.

    Mr. Meehan. I am going to take a moment to introduce the 
distinguished panel that we have before us, and we are 
appreciating having such a distinguished panel on this topic.
    First, let me introduce Mr. Michael Astrue who formally 
served as the commissioner of Social Security from 2007 until 
January 2013 as well as the general counsel for the Department 
of Health and Human Services from 1989 until 1992.
    As commissioner of Social Security, he focused his efforts 
on reducing the disability backlog and improving services to 
the public particularly through electronic services.
    He spearheaded highly-successful new systems for fast-
tracking disability claims, created National hearing centers to 
reduce backlogs, and expanded and overhauled the agency's suite 
of electronic services to make them simpler, faster, and more 
user-friendly.
    Dr. Stephen Parente is the Minnesota Insurance Industry 
Professor of Health Finance and Insurance in the Carlson School 
of Management at the University of Minnesota. He specializes in 
health economics, health insurance, medical technology 
evaluation in health information technology.
    He is acknowledged as a National expert on using 
administrative databases particularly Medicare and health 
insurer data for health policy research and has served as a 
consultant to several of the largest health care organizations 
in the country.
    Ms. Kay Daly is the assistant inspector general for audit 
services at the United States Department of Health and Human 
Services.
    Ms. Daly's responsibilities include overseeing the chief 
financial officer financial statement audits at HHS, reporting 
on compliance with improper payment acts, providing oversight 
of over 300 grant programs as ministered by HHS, and overseeing 
audits related to the implementation of health care reform.
    Prior to joining HHS OIG, Ms. Daly worked at the Government 
Accountability Office for 23 years.
    Finally, we are joined by Mr. Matt Salo. He is the 
executive director of the National Association of Medicaid 
Directors since February 2011.
    This is a newly-formed association. It represents all 56 of 
the Nation's State and territorial Medicaid directors and 
provides them with a strong unified voice in National 
discussions as well as a locus for technical assistance and 
best practices.
    Mr. Salo formally spent 12 years at the National Governors 
Association where he worked on the Governor's Health Care and 
Human Services agendas and spent 5 years prior to that as a 
health policy analyst working for the State Medicaid directors.
    There will be full written statements of the witnesses 
which will appear in the record.
    Now I have got to sort of make a judgment, and I see that 
we have a little less than 8 minutes to go on the existing vote 
responsibilities that we have. Having teed this very, very 
impressive panel up, I am sort of hesitant to see a rain delay.
    So what I think I am going to recommend to our panel is 
that we will vote as quickly as we can, and I will make the 
representation that I will hustle back as quickly as I can, 
gavel in as soon as I get here, and I know my colleagues will 
do their best as well after last vote.
    I think it is probably better to allow the panelists to 
testify in order than to start the process, break, and start 
again.
    So with your forgiveness, so to speak, we thank you for 
understanding the nature of the world in which we work and we 
look forward upon our return to your testimony in engaging in, 
in, in our dialogue.
    So, at the moment, the Chairman, the committee stands in 
recess.
    Thank you.
    [Recess.]
    Mr. Meehan. The Committee and the Homeland Security, 
Subcommittee on Cybersecurity, Infrastructure Protection, and 
Security Technologies will return to order.
    I thank you once again for your indulgence. I know my 
colleagues are working their way back as quickly as possible, 
but we thank--we appreciate your indulgence, and now we would 
like to create the opportunity for you to begin your testimony.
    As I have had said before, the full written statements of 
the witnesses will appear in the record. So I now look forward 
to the verbal testimony of each of our witnesses on the issue 
that we are here to meet with today.
    So the Chairman now recognizes Mr. Astrue for his 
testimony. Thank you.
    Mr. Astrue, yes, you may want to touch--thank you.

    STATEMENT OF MICHAEL J. ASTRUE, FORMER SOCIAL SECURITY 
   COMMISSIONER, FORMER U.S. DEPARTMENT OF HEALTH AND HUMAN 
                    SERVICES GENERAL COUNSEL

    Mr. Astrue. Out of practice, sorry.
    Chairman Meehan, Ranking Member Clarke, and Members of the 
subcommittee, no day is more fitting than 9/11 for us to 
cherish and safeguard our liberties as Americans. Thank you for 
inviting me here today.
    I testify only as a former official. A quarter-century ago, 
I briefly was the White House's Privacy Act officer. I then 
served as general counsel of the U.S. Department of Health & 
Human Services and as commissioner of Social Security for 
Presidents Bush and Obama. As commissioner, I also served as a 
trustee of the Medicare Trust Fund.
    Some history helps us understand why we needed to have this 
hearing. Infighting and paralysis marked the first year of the 
effort to construct the Federal health exchanges, including 
what is called the ``data hub.''
    Administrator Berwick claimed that he could not find the 
money to build the system, and he criticized Congress for not 
specifically appropriating money for it. He also criticized 
Secretary Sebelius for refusing to release money from the ACA 
discretionary fund.
    Berwick pressed other agencies to pay for the exchanges, 
even though such payments would have violated appropriations 
restrictions. When development started in earnest after 
Berwick's departure, CMS struggled to meet its deadlines.
    CMS' failures and delays have been common knowledge within 
the administration, yet HHS was never candid with the States 
about these problems as they were choosing either to build 
their own exchanges or to use the CMS exchanges.
    From 2007-2013, I led the overhaul and expansion of the 
Social Security's suite of electronic services. I personally 
reviewed every major system before beta testing, and extensive 
beta testing often revealed the need for delays to make 
changes. We involved not only random focus groups, but also 
advocates for various people, such as victims of domestic 
violence.
    We need to be vigilant about the privacy of the data stored 
in these types of systems, which I believe are not being 
adequately protected by CMS.
    The defense offered by the HHS inspector general, the 
Center for Democracy & Technology, and others, that the CMS 
systems are just a ``routing tool,'' not a repository, is 
either untrue or problematic.
    CMS needs to store data to create forensic trails necessary 
to track security breaches. Failure to establish forensic 
trails would create a serious issue under the Federal 
Information Security Management Act of 2002 and would create a 
serious operational vulnerability.
    We also need to know whether unauthorized changes of 
insurance could leave Americans unexpectedly uninsured. We need 
to know how CMS will define and respond to breaches.
    I know how important that is because I suffered through the 
Office of Personal Mangement's inept response when my personal 
Federal financial records were breached 2 years ago. We need to 
know why many of the people who will deal with the public are 
just being hired now and being hired without background checks.
    A rigorous authentication process may result in as many as 
2 to 5 million people who will need to interact with CMS 
contractors when they fail to access the system. Is CMS ready 
for that workload or are they going to sacrifice service or 
authentication?
    Greater transparency about these issues would have improved 
the quality of the exchanges and would have increased public 
confidence in the system, which is sorely lacking today.
    Both SSA and the IRS formally appealed to OMB that the 
exchanges would violate the Privacy Act, violations which 
potentially carry criminal penalties.
    OMB eventually denied that appeal, but in my view HHS will 
be violating the Privacy Act on a massive scale by allowing 
people to make insurance decisions for other adults without 
their written consent. This feature of the system may also 
allow domestic abusers to track down their victims.
    An August 2, 2013 inspector general report revealed that 
the CMS schedule had slipped so badly that mandatory security 
findings were scheduled for the day before implementation.
    Despite HHS' letter this morning, yesterday's testimony 
before the House Energy and Commerce Committee indicate that 
many States will be unready for October 1, and that CMS may be 
unready given that the contractors were still citing October 1 
as their date of readiness.
    The main reason we have so little information about the 
status of the exchanges is the failure of the office of the HHS 
inspector general. Relying only on interviews and documents, 
its August 2, 2013 report on the exchanges contained less than 
5 pages of analysis; its total work product for this subject 
for the year.
    Moreover, the inspector general did not inspect the beta 
version and meekly noted that CMS withheld security documents. 
He ignored the vulnerabilities in the system that transmits, 
largely through the so-called cloud, sensitive personal 
information to CMS contractors and private insurers.
    He ignored the privacy issues, the security issues, and the 
issues associated with poorly screened and trained contractors. 
He did not assess usability, performance measures, governance, 
or contingency plans. With HHS' greatly expanded role in health 
care, Americans need an inspector general who is a watchdog, 
not a lapdog.
    Congress is bitterly divided about the Affordable Care Act, 
but the topics for my presentation should be common ground. 
Whether or not you support an individual mandate, you can 
embrace the principle that no one should be forced to sacrifice 
privacy in order to comply with that mandate.
    To the best of my knowledge, work on systems that would 
comply with the Privacy Act ended in early 2013. A system 
respecting the Privacy Act would probably take an additional 6 
to 18 months to develop.
    President Obama has delayed other parts of the Affordable 
Care Act. Vulnerable Americans without lobbyists deserve the 
same respect and deference given to the business community.
    You should support a moratorium on the exchanges until HHS 
secrecy ends, and until we know whether uninsured Americans 
will be forced to pay, along with their premiums, the high 
price of their privacy, and the safety of their personal data.
    Thank you.
    [The prepared statement of Mr. Astrue follows:]
                Prepared Statement of Michael J. Astrue
                           September 11, 2013
    Chairman Meehan, Ranking Member Clarke, and Members of the 
subcommittee, no day is more fitting than 9/11 for us to cherish and 
safeguard our liberties as Americans.
    I testify today only as a former official. A quarter-century ago, I 
briefly was the White House's Privacy Act officer. I then served as 
general counsel of the U.S. Department of Health & Human Services and 
as commissioner of Social Security for Presidents Bush and Obama. As 
commissioner, I also served as a trustee of the Medicare Trust Fund.
    Some history helps us understand why we needed to have this 
hearing. Infighting and paralysis marked the first year of the effort 
to construct the Federal health exchanges, including what is called the 
``data hub.'' Administrator Berwick claimed that he could not find the 
money to build the system, and he criticized Congress for not 
specifically appropriating money for it. He also criticized Secretary 
Sebelius for refusing to release money from the ACA discretionary fund.
    Berwick pressed other agencies to pay for the exchange, even though 
such payments would violate appropriations restrictions. When 
development started in earnest after Berwick's departure, CMS struggled 
to meet its deadline. CMS's failures and delays have been common 
knowledge within the administration, yet HHS was never candid with 
States as they were choosing either to build their own exchanges or to 
use the CMS exchanges.
    From 2007-2013, I led the overhaul and expansion of Social 
Security's suite of electronic services. I personally reviewed every 
major system before beta testing, and extensive beta testing often 
revealed the need for delays to make changes. We involved not only 
random focus groups, but also advocates for various people, such as 
victims of domestic violence.
    We need to be very concerned about protecting the privacy of the 
data stored in these types of systems, which I believe are not 
adequately protected. The defense offered by the Center for Democracy & 
Technology and others--that the CMS systems are just a ``routing 
tool,'' not a repository--is either untrue or problematic. CMS needs to 
store data to create forensic trails necessary to track security 
breaches; failure to establish forensic trails would create a serious 
issue under the Federal Information Security Management Act of 2002.
    We need to know whether unauthorized changes of insurance could 
leave Americans unexpectedly uninsured. We need to know how CMS will 
define and respond to breaches--I know how important that is because I 
suffered through OPM's inept response when my Federal financial records 
were breached 2 years ago. We need to know why many of the people who 
will deal with the public are just being hired now, and being hired 
without background checks. A rigorous authentication process may result 
in as many as 2 million people who will need to interact with CMS 
contractors when they fail to access the system--is CMS ready for that 
workload or are they going to sacrifice service or authentication? 
Greater transparency about these issues would improve the quality of 
the exchanges--and increase public confidence in the system.
    Both SSA and the IRS formally appealed to OMB that the exchanges 
would violate the Privacy Act, violations which potentially carry 
criminal penalties. OMB eventually denied that appeal, but in my view 
HHS will be violating the Privacy Act on a massive scale by allowing 
people to make insurance decisions for other adult family members 
without their written consent. This feature of the system may well 
allow domestic abusers to track down their victims.
    An August 2, 2013 inspector general report revealed that the CMS 
schedule has slipped so badly that mandatory security findings are 
scheduled for the day before implementation. With no room for adequate 
beta testing and revisions, HHS's claim that it will be ready to make 
security findings on its September 30 deadline is a fiction designed to 
preserve the larger fiction that the exchanges will be ready for 
uninsured Americans.
    Before I conclude, I urge President Obama and Congress to 
scrutinize the performance of HHS Inspector General Levinson. Relying 
only on interviews and documents, his August 2, 2013 report on the 
exchanges contained less than 5 pages of analysis. His staff did not 
even try to use the beta version of the system.
    HHS cannot have it both ways. If the exchanges can function on 
October 1, by July of this year there must have been a beta version. 
However, the inspector general did not inspect the beta version, and 
meekly noted that CMS withheld security documents. He ignored the 
vulnerabilities of a system that transmits, largely through the so-
called ``cloud,'' sensitive personal information to CMS contractors and 
private insurers. He ignored the privacy issues, the security issues, 
and the issues associated with poorly screened and trained contractors. 
He did not assess usability, performance measures, governance, or 
contingency plans. With HHS's expanded role in health care, Americans 
need an inspector general who is a watchdog, not a lapdog.
    Congress is bitterly divided about the Affordable Care Act, but 
there should be common ground. Whether or not you support an individual 
mandate, you can embrace the principle that no one should be forced to 
sacrifice privacy in order to comply with that mandate. To the best of 
my knowledge, work on systems that would comply with the Privacy Act 
stopped in early 2013 after OMB brushed aside the Privacy Act appeals 
of SSA and the IRS. A system respecting the Privacy Act would probably 
take an additional 6-18 months to develop.
    President Obama has delayed other parts of the Affordable Care Act. 
Vulnerable Americans without lobbyists deserve the same respect and 
deference given to the business community. You should support a 
moratorium on the exchanges until HHS secrecy ends, and until we know 
whether uninsured Americans, will be forced to pay--along with their 
premiums--the high price of their privacy.
    Thank you.

    Mr. Meehan. Thank you, Mr. Astrue.
    The Chairman now recognizes Dr. Parente for his testimony.

  STATEMENT OF STEPHEN T. PARENTE, PH.D., MINNESOTA INSURANCE 
 INDUSTRY CHAIR OF HEALTH FINANCE, DIRECTOR, MEDICAL INDUSTRY 
LEADERSHIP INSTITUTE, PROFESSOR, DEPARTMENT OF FINANCE, CARLSON 
         SCHOOL OF MANAGEMENT, UNIVERSITY OF MINNESOTA

    Mr. Parente. Thank you, Chairman Meehan, Ranking Member 
Clarke, and Members of the committee, for this opportunity to 
speak to you today.
    My name is Steve Parente. I hold the Minnesota Insurance 
Industry Chair of Health Finance at the University of 
Minnesota. There, I serve as the professor in the Finance 
Department at the Carlson School and director of the Medical 
Industry Leadership Institute growing MBA program.
    As I just stated, my expertise are health insurance, health 
information technology, and a medical technology evaluation. I 
have an appointment at Johns Hopkins University as a faculty 
member.
    In the summer of 2011, I and my colleague from the 
Manhattan Institute, Paul Howard, wrote about implementation of 
the Affordable Care Act and security concerns regarding the 
Health Insurance Exchange Hub that is scheduled to be fully-
operational in less than 20 days.
    This essay received little attention at that time. On 
December 7, 2012, USA Today printed an op-ed written by Dr. 
Howard and myself that described the same issues as we did a 
year before. The 2012 op-ed received far greater attention 
Nationally and particularly from the administration.
    The principal concern I sought to examine was the 
Government's capability to rapidly and securely combine 
information at a personal level from multiple Federal agencies 
in order to make eligibility determinations for Americans to 
purchase health insurance on a State or Federal insurance 
exchange.
    I have stated and continue to posit that the combination of 
such data would be the largest personal data integration 
Government project in the history of this Republic with up to 
300 million American citizens' records needing to be combined 
from several Federal agencies.
    The Federal agencies involved in this integration are the 
Department of Health and Human Services to facilitate the data 
and operating parameters of the Federally-facilitated exchange 
and the State-based exchanges as well as insure that the 
applicants are not already eligible for Medicare benefits; the 
Social Security Administration to verify Social Security 
numbers, death indicator status, disability status under Title 
II of the Social Security Act, prisoner data or incarceration 
status, annual and monthly Social Security benefit information, 
and a confirmation to claim of citizenship is consistent with 
Social Security records; the Department of Treasury to verify 
income as well as transfer subsidies as necessary to purchase 
health insurance; the Office of Personnel Management, Peace 
Corps, and Department of Defense and Veterans Administration to 
make sure that applicants don't have access to health care 
coverage from other alternative sources; and finally, the 
Department of Homeland Security to verify whether the 
individual is indeed legally present in the United States.
    My expressed concern is that it is not clear how the data 
hub will operate. Ideally, the hub should function as a switch 
that routes information but does not retain the personal 
identifying information it is routing.
    Major credit card purchases today operate this way where a 
retailer at the point of purchase uses your credit card to link 
a variety of data sources about you to make sure you are not a 
credit risk and then clears you to purchase for a large screen 
TV for the holidays.
    This approach minimizes privacy risks and provides good 
data security, and the Federal data hub should operate this 
way, coupled to either a State or Federal insurance exchange as 
well as to the Social Security Administration, Treasury 
Department, Homeland Security, and Department of Justice, et 
cetera.
    Operating this would create a fire-and-forget data system 
that would instantaneously link to an abstract piece of 
information and then delete it to prevent it from becoming a 
privacy concern.
    Major financial services firms have been providing these 
services for nearly 2 decades, and if there ever has been a 
privacy breach, it is not from a pure data switch.
    Now having said that about how one can provide reliable 
data protection, no one has said how this hub will actually 
operate to ensure that every precaution possible has been taken 
to avert privacy breaches as well as safeguard against identity 
fraud.
    Greater transparency is needed as well as frank 
acknowledgment that the ACA's posted deadlines should take 
second place to reasonable data privacy and security concerns. 
This isn't a political point, it isn't meant to impinge on 
anyone's motives inside of HHS or the administration.
    The fact that only a handful of individuals know truly how 
this will operate may preserve some security but it is 
operating as--not operating as planned, it could also be viewed 
as a failure with the execution for full transparency and 
provision of law that could--that had 3 years to implement but 
did not get the job done.
    HHS's job is to implement this law and as much as some 
citizens may dislike an assortment of the law's underlying 
provisions, HHS' staff are doing exactly what they need to get 
it done under the constraints they can't control.
    They are doing so in a politically-charged environment and 
crashing headlong into constraints of scarce human capital, 
complex regulatory environments, and of a massive IT project 
with literally no technical precedent.
    I believe Congress has a legitimate oversight 
responsibility to ensure that whatever your feelings about the 
ACA, the final product is trusted, functional, and secure for 
all Americans. Congress should take that responsibility 
seriously and the administration should help them execute that 
responsibility.
    In closing, I hope my efforts to bring transparency to 
operational parameters of the hub only strengthen its 
operation. Failure to build a secure hub could bring 
significant damage to the privacy and security of Federal data 
systems and cause irreparable harm to Americans whose personal 
information would be lost to fraud and identity theft. This 
must not be allowed to occur.
    Thank you for this opportunity to be heard today. I welcome 
your questions.
    [The prepared statement of Mr. Parente follows:]
                Prepared Statement of Stephen T. Parente
                           September 11, 2013
    Thank you, Chairman Meehan, Ranking Member Clarke, and Members of 
the committee, for this opportunity to speak to you today.
    My name is Steve Parente. I hold the Minnesota Insurance Industry 
Chair in Health Finance at the University of Minnesota. There, I serve 
as professor in the Finance Department at the Carlson School of 
Management and director of the Medical Industry Leadership Institute, a 
growing MBA program. My areas of expertise are health insurance, health 
information technology, and medical technology evaluation. I also have 
an appointment at the Johns Hopkins University in Baltimore, Maryland.
    In summer 2011, I and my colleague from the Manhattan Institute 
Paul Howard wrote about implementation of the Affordable Care Act (ACA) 
and security concerns regarding the Health Insurance Exchange Hub that 
is scheduled to be fully operational in less than 20 days. This essay 
received little attention at the time. On December 7, 2012 USA Today 
printed an op-ed on written by Dr. Howard and myself that described the 
same issues as we did a year before. The 2012 op-ed received far 
greater attention Nationally and in particular from the administration.
    The principal concern I sought to examine was the Government's 
capability to rapidly and securely combine information at a personal 
level from five Federal agencies in order for someone to purchase 
health insurance on a State or Federal exchange. I have stated and 
continue to posit that the combination of such data would constitute 
the largest personal data integration Government project in the history 
of the Republic, with up to 300 million American citizen records 
needing to be combined from five Federal agencies.
    The five agencies involved in this integration are: The Department 
of Health and Human Services, to facilitate the data and operating 
parameters of the exchanges; the Social Security Administration, to 
verify if the person to be insured is indeed living; the Department of 
Treasury, to verify income level, as well as transfer subsidies as 
necessary to purchase health insurance; the Department of Justice, to 
verify that the insured is not incarcerated; and finally, the 
Department of Homeland Security, to verify the citizenship of the 
individual.
    My expressed concern is that it's not clear exactly how the data 
hub will operate. Ideally, the hub should function as a switch that 
routes information but does not retain the person-identifying 
information it is routing. Major credit card purchases today operate 
this way: Where a retail vendor, at the point of purchase, uses your 
credit card to link a variety of data about you to make sure you are 
not a credit risk and then clears you for purchase of your 70" LCD TV 
for the holidays. This approach minimizes privacy risks and provides 
good data security.
    The Federal data hub should operate this way, coupled to either a 
State or Federal insurance exchange as well as to the Social Security 
Administration, Treasury Department, Homeland Security, and Department 
of Justice, et al. Operating this would create a fire-and-forget data 
system that would instantaneously link to an abstract piece of 
information and then delete it to prevent it from becoming a privacy 
concern. Major financial services firms have been providing these 
services for nearly 2 decades, and if there ever has been a privacy 
breach, it is not from a pure data switch.
    Having said how you could provide reliable data privacy protection, 
no one has said how the data hub will actually operate to ensure no 
privacy breaches as well as safeguard against identity fraud. Greater 
transparency is needed, as well as a frank acknowledgement that the 
ACA's posted deadlines should take second place to reasonable data 
concerns. This isn't a political point, and isn't meant to impinge upon 
anyone's motives inside HHS. The fact that only a handful of 
individuals know truly how this will operate may preserve some 
security. Alternatively, if the hub does not operate as planned, it may 
also be viewed as a failure to plan and execute with full transparency 
a provision of the law the agencies had over 3 years to implement.
    HHS' job is to implement the law. As much as some citizens dislike 
an assortment of the law's underlying provisions HHS staff are doing 
exactly what they are supposed to do and facing constraints they can't 
always control. They are doing so in a politically-charged 
environment--and crashing headlong into the constraints of scarce human 
capital, complex regulatory requirements, and a massive IT project with 
literally no technical precedent.
    I believe Congress has a legitimate oversight responsibility to 
ensure that--whatever your feelings about the ACA--the final product is 
trusted, functional, and secure for all Americans. Congress should take 
that responsibility seriously--and the administration should help them 
execute that responsibility.
    In closing, I hope my efforts to bring transparency to operational 
parameters of the hub only strengthen its operation. Failure to build a 
secure hub could bring significant damage to the security of Federal 
data systems. This must not be allowed to occur.
    Thank for you this opportunity to be heard today. I welcome any 
questions.

    Mr. Meehan. Thank you, Dr. Parente.
    The Chairman now recognizes that the gentlelady from the 
IG's office, Ms. Daly.

   STATEMENT OF KAY DALY, ASSISTANT INSPECTOR GENERAL, AUDIT 
     SERVICES, U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES

    Ms. Daly. Thank you, Chairman Meehan.
    Thank you, Chairman Meehan, Ranking Member Clarke, and 
other distinguished Members of the subcommittee. I appreciate 
the opportunity to be here today to discuss the Office of 
Inspector Generals' review of the Centers for Medicare and 
Medicaid Services implementation of the Data Services Hub from 
a security perspective.
    My testimony today summarizes OIG's observations about CMS' 
progress in implementing security requirements of the hub 
including a recent update we received from CMS management on 
the status of the project.
    As you know, the hub plays a key role in providing 
important data for health insurance exchanges that are also 
called marketplaces, which are being established under the 
Affordable Care Act.
    The State-based exchanges will serve as the one-stop shop 
where individuals will get information about their health 
insurance options, be assessed for eligibility, and enroll in 
the health plan of their choice.
    The hub is intended to support those exchanges by providing 
a single point where exchanges can access data from different 
sources including Federal agencies and their State partners.
    It is important to note that the hub does not store data, 
rather, it simply acts as a conduit for the exchanges to access 
data from where they are stored.
    In a report issued on August 2, 2013, we assessed the 
information technology security controls that CMS was 
implementing for the hub and the coordination between CMS and 
Federal and State agencies during the development of the hub. 
We did not review the functionality of the hub or privacy 
issues associated with it.
    At the time of our reviews, CMS was addressing and testing 
security controls of the hub during the development process. 
Several critical tasks remained to be completed at the time, 
such as the final independent testing of the hub security 
controls, remediating the security vulnerabilities identified 
during testing, and obtaining the security authorization for 
the hub before opening the exchanges.
    CMS' schedule at that time was to complete all of these 
tasks by October 1 in time for the expected initial open 
enrollment date for the health insurance exchanges.
    Our report described the time lines that CMS provided us 
for its system security plan, its risk assessment, and its 
security control assessment and security authorization 
decisions.
    In our report, we noted that between March and July, some 
key dates had moved back. These were internal target dates set 
by CMS for these milestones and not mandated deadlines.
    Subsequent to issuing our report, CMS has reported to us 
that it has made additional progress on these key security 
milestones. For example, since our review, CMS has reported to 
us that the security authorization was completed on September 
6, 2013. We have not independently verified CMS' progress since 
completing our audit.
    Our review also observed that CMS was coordinating with its 
Federal and State partners during the development and testing 
of the hub in part to ensure that security measures were 
implemented by all stakeholders.
    CMS had developed a testing approach and test plans for the 
inter-agency testing aspect. At the time of our reviews, CMS 
was in the process of executing those test plans.
    In addition, CMS has developed security-related documents 
and security agreements regarding its Federal partners and 
information systems and networks.
    Federal policy does require agencies to develop 
interconnection security agreements for Federal information 
systems and networks that share or exchange information.
    Each of the Federal partners will provide information on 
their systems' environments and the overall approach for 
safeguarding the confidentiality, integrity, and availability 
of shared data in systems interfaces.
    Since our review, CMS has reported to us that all of these 
agreements are expected to be approved by September 27, 2013.
    In closing, I want to thank you for your interest in our 
work on this important subject and the opportunity to be part 
of this discussion. I would be very pleased to take any 
questions you might have.
    [The prepared statement of Ms. Daly follows:]
                     Prepared Statement of Kay Daly
                           September 11, 2013
                              introduction
    Good afternoon, Chairman Meehan, Ranking Member Clarke, and other 
distinguished Members of the subcommittee. Thank you for the 
opportunity to testify about the Office of Inspector General's (OIG) 
review of the Centers for Medicare & Medicaid Services' (CMS) 
implementation of the Data Services Hub (hub) from a security 
perspective, which we issued on August 2, 2013.\1\ My testimony today 
summarizes OIG's observations about CMS's progress in implementing 
security requirements of the hub during the period of our review.\2\ We 
assessed the information technology (IT) security controls that CMS was 
implementing for the hub, adequacy of the testing being performed 
during its development, and the coordination between CMS and Federal 
and State agencies during the development of the hub. We did not review 
the functionality of the hub or issues specific to the Privacy Act.
---------------------------------------------------------------------------
    \1\ Observations Noted During the OIG Review of CMS's 
Implementation of the Health Insurance Exchange--Data Services Hub, A-
18-13-30070, August 2013, available on-line at https://oig.hhs.gov/oas/
reports/region1/181330070.asp.
    \2\ We performed our fieldwork substantially from March through May 
2013. We continued to receive updates from CMS through July 1, 2013, 
and its comments on our draft report are included in the final report.
---------------------------------------------------------------------------
    At the time of our review, CMS was addressing and testing security 
controls for the hub during the development process. Several critical 
tasks remained to be completed, such as the final independent testing 
of the security controls, remediating security vulnerabilities 
identified during testing, and obtaining the security authorization 
decision for the hub before opening the exchanges. CMS's schedule at 
that time was to complete all of these tasks by October 1, 2013, in 
time for the expected initial open enrollment date for health insurance 
exchanges.
    Our report described the time lines that CMS provided us for its 
system security plan, risk assessment, security control assessment, and 
security authorization decisions. In our report, we noted that between 
March and July, some key targets had been shifted to later dates. These 
were internal target dates set by CMS for these milestones and not 
mandated deadlines. Since issuing our report, CMS has reported to us 
that it has made additional progress on these key milestones, including 
obtaining its security authorization for the hub on September 6, 2013. 
We have not independently verified CMS's progress since completing our 
audit.
    Following is a discussion of the hub's role within the health 
insurance exchanges, the results of our review, and concluding 
observations.
                               background
    States must establish health insurance exchanges by January 1, 
2014,\3\ and all health insurance exchanges must provide an initial 
open enrollment period beginning October 1, 2013 (45 CFR  155.410). 
Health insurance exchanges, also known as Marketplaces, are State-based 
competitive marketplaces where individuals and small businesses will be 
able to purchase private health insurance.\4\ Exchanges will serve as a 
one-stop shop where individuals will get information about their health 
insurance options, be assessed for eligibility (for, among other 
things, qualified health plans, premium tax credits, and cost-sharing 
reductions), and enroll in the health plan of their choice.
---------------------------------------------------------------------------
    \3\ The Patient Protection and Affordable Care Act  1311(b) (Pub. 
L. No. 111-148) and the Health Care Reconciliation Act of 2010 (Pub. L. 
No. 111-152), collectively known as the Affordable Care Act (ACA).
    \4\ A State may elect to operate its own State-based exchange or 
partner with the Federal Government to operate a State partnership 
exchange. If a State elects not to operate an exchange, the Department 
of Health and Human Services will operate a Federally Facilitated 
Exchange. For the purposes of this report, ``exchanges'' refers to all 
three types of health insurance exchanges.
---------------------------------------------------------------------------
    The hub is intended to support the exchanges by providing a single 
point where exchanges may access data from different sources, primarily 
Federal agencies. It is important to note that the hub does not store 
data. Rather, it acts as a conduit for exchanges to access the data 
from where they are originally stored. Hub functions will include 
facilitating the access to data by exchanges, enabling verification of 
coverage eligibility, providing a central point for the Internal 
Revenue Service (IRS) when it asks for coverage information, providing 
data for oversight of the exchanges, providing data for paying 
insurers, and providing data for use in web portals for consumers.
    Effective security controls are necessary to protect the 
confidentiality, integrity, and availability of a system and its 
information. The National Institute of Standards and Technology (NIST) 
developed information security standards and guidelines, including 
minimum requirements for Federal information systems. CMS is required 
to follow the NIST security standards and guidelines in securing the 
hub.\5\
---------------------------------------------------------------------------
    \5\ NIST's security standards assist Federal agencies in 
implementing the requirements under the Federal Information Security 
Management Act of 2002, 44 U.S.C.  3541, et seq.
---------------------------------------------------------------------------
    To determine CMS's progress in implementing security requirements 
for the hub, OIG reviewed documentation, project schedules, and time 
lines; interviewed CMS employees and contractors and personnel from key 
Federal agencies working with CMS during development of the hub; and 
reviewed CMS's security testing results.
                        results of oig's review
    At the time of our review, CMS and its contractors were continuing 
to develop the hub and work with its Federal and State partners in 
testing the hub to ensure its readiness in time for the initial open 
enrollment to begin on October 1, 2013. The following observations 
provided the status of CMS's implementation related to security 
controls, security testing, and coordination at the time of our 
fieldwork.
Security Authorization
    According to NIST security standards, every Federal information 
system must obtain a security authorization before the system goes into 
production. The security authorization is obtained from a senior 
management official or executive with the authority to formally assume 
responsibility for operating an information system at an acceptable 
level of risk to agency operations. At CMS, the authorizing official is 
the Chief Information Officer (CIO).
    The security authorization package must include a system security 
plan, information security risk assessment, and security control 
assessment report. The security authorization package provides 
important information about risks of the information system, security 
controls necessary to mitigate those risks, and results of security 
control testing to ensure that the risks have been properly mitigated. 
Therefore, these documents must be completed before the security 
authorization decision can be made by the authorizing official. Under 
the NIST guidelines, the authorizing official may grant the security 
authorization with the knowledge that there are still risks that have 
not been fully addressed at the time of the authorization.
    At the time of our review, the security authorization decision by 
the CMS CIO was expected by September 30, 2013. Since our review, CMS 
has reported that the security authorization was obtained on September 
6, 2013.
System Security Plan and Information Security Risk Assessment
    CMS incorporated the elements required for adequate security into 
the draft hub system security plan. The plan: (1) Provides an overview 
of the security requirements of the system, (2) describes the controls 
in place or planned (e.g., access controls, identification, and 
authentication) for meeting those requirements, and (3) delineates the 
responsibilities and behavior expected of all individuals who access 
the system.
    CMS was still drafting the information security risk assessment at 
the time of our review. For this reason, we could not assess CMS's 
efforts to identify security controls and system risks and implement 
safeguards and controls to mitigate identified risks. Key aspects of 
the assessment should identify risks to the operations (including 
mission, functions, image, or reputation), agency assets, and 
individuals by determining the probability of occurrence, the resulting 
impact, and additional security controls that would mitigate this 
impact.
    At the time of our review, the CMS contractor did not expect to be 
able to provide finalized security documents, including the system 
security plan and risk assessment, to CMS for its review until July 15, 
2013. Since our review, CMS reported to us that the documents were 
provided to CMS on July 16, 2013.
Security Control Assessment and Testing
    At the time of our review, CMS and its contractors were performing 
security testing throughout the hub's development, including 
vulnerability assessments of hub services. CMS was logging and tracking 
defects and vulnerabilities, as well as correcting and retesting hub 
services to ensure that vulnerabilities are remediated.
    A security control assessment of the hub must be performed by an 
independent testing organization before the security authorization is 
granted.\6\ The assessment determines the extent to which the controls 
are implemented correctly, operating as intended, and producing the 
desired outcome of meeting the security requirements for the 
information system. The goal of the security control assessment test 
plan is to explain clearly the information the testing organization 
expects to obtain prior to the assessment, the areas that will be 
examined, and the activities expected to be performed during the 
assessment.
---------------------------------------------------------------------------
    \6\ NIST Special Publication 800-37, Guide for Applying the Risk 
Management Framework to Federal Information Systems, Revision 1.
---------------------------------------------------------------------------
    According to CMS, the assessment was scheduled to be performed 
between August 5 and 16, 2013. Since the assessment was not completed 
at the time of our review, we could not determine whether 
vulnerabilities identified by the testing would be mitigated. Since our 
review, CMS has reported to us that the assessment was completed on 
August 23, 2013.
Adjustments to CMS Time Lines
    CMS provided us with time lines in March 2013 and May 2013 for its 
system security plan, risk assessment, security control assessment, and 
security authorization decisions. CMS also provided us additional 
information on timing of certain steps after the May time line. Some 
key targets had been moved to later dates as the development of the hub 
was continuing. It is important to note that these were internal target 
dates set by CMS for these milestones and not mandated deadlines.
    For example, in March, the security control assessment test plan 
was targeted to be provided to CMS on May 13, 2013, and this due date 
was subsequently moved to July 15, 2013, and the start date of the 
security control assessment was moved from June 3, 2013, to August 5, 
2013. CMS stated that the security control assessment time frame was 
moved so that performance stress testing of the hub could be finished 
before the assessment and any vulnerabilities identified during the 
stress testing could be remediated. Otherwise, CMS might need to 
perform an additional assessment after the remediation was complete.
    According to CMS's time line from May 2013, the security 
authorization decision by the CMS CIO was expected on September 30, 
2013. OIG noted in our report that if there were additional delays in 
completing the security authorization package, the CMS CIO may not have 
a full assessment of system risks and security controls needed for the 
security authorization decision by the initial open enrollment period 
set to begin on October 1, 2013. In its comments on our draft report, 
CMS stated that it was confident that the hub would be operationally 
secure and it would have a security authorization before October 1, 
2013.
    Since our review, CMS has reported to us that the security 
authorization was obtained on September 6, 2013.
Coordination Between CMS and Its Federal and State Partners
    Our review observed that CMS was coordinating with its Federal and 
State partners during the development and testing of the hub, in part 
to ensure that security measures are implemented by all stakeholders. 
CMS developed an approach for interagency testing and has developed 
test plans. At the time of our review, CMS was in the process of 
executing its test plans, which included testing for secure 
communications between CMS and its Federal and State partners and 
performance stress testing of the hub. In addition, CMS has developed 
security-related documents and security agreements regarding Federal 
information systems and networks. The Federal partners are the IRS, 
Social Security Administration (SSA), Department of Homeland Security 
(DHS), Veterans Health Administration (VHA), Department of Defense 
(DoD), Office of Personnel Management (OPM), and Peace Corps.
    CMS has developed security-related documents related to the hub and 
the exchanges. CMS developed Interface Control Documents (ICD) with all 
of its Federal partners. The ICDs provide a common, standard technical 
specification for transferring ACA-related information between CMS (the 
hub) and its Federal partners. The ICDs establish standard rules, 
requirements, and policies (including security-related policies) with 
which the development and implementation of the interfaces between CMS 
and its Federal partner must comply. CMS and its Federal partners 
collaborated in developing the ICDs and signed the ICDs in May 2013.
    Federal policy requires agencies to develop Interconnection 
Security Agreements (ISAs) for Federal information systems and networks 
that share or exchange information with external information systems 
and networks.\7\ The Master ISA describes the systems' environment; the 
network architecture; and the overall approach for safeguarding the 
confidentiality, integrity, and availability of shared data and system 
interfaces. In addition, the Master ISA contains information on CMS 
information security policy and the roles and responsibilities for 
maintaining the security of ACA systems.
---------------------------------------------------------------------------
    \7\ Specifically, Office of Management and Budget Circular A-130, 
Appendix III, requires agencies to obtain written management 
authorization before connecting their IT systems to other systems. The 
written authorization should define the rules of behavior and controls 
that must be maintained for the system interconnection.
---------------------------------------------------------------------------
    CMS completed a preliminary review of the Master ISA between CMS 
and the developer of the hub on April 2, 2013, and the Associate ISAs 
on May 15, 2013. Each of the Federal partners will provide similar 
information pertaining to the partner agency in the Associate ISAs, 
which will be signed by the Federal partner authorized official. Since 
our review, CMS has reported to us that all ISAs with its Federal 
partners are expected to be approved by September 27, 2013.
    A service-level agreement (SLA) is a negotiated agreement between a 
service provider and the customer that defines services, priorities, 
responsibilities, guarantees, and warranties by specifying levels of 
availability, serviceability, performance, operation, or other service 
attributes. A SLA is needed between CMS and each of its Federal 
partners to establish agreed-upon services and availability, including 
response time and days and hours of availability of the hub and the 
Federal partner's ACA systems. According to CMS's project schedule, the 
SLA with IRS was completed on March 15, 2013; the SLA with DHS was 
expected to be signed by July 26, 2013; and the SLA with SSA was 
expected to be signed by September 27, 2013. The SLAs with the 
remaining Federal partners (VHA, DoD, OPM, and Peace Corps) were 
expected to be signed by September 20, 2013. Since our review, CMS has 
reported to us that the SLAs with IRS, VHA, and DHS are expected to be 
signed before the end of September. CMS also reported that DoD-Tricare 
and CMS have agreed to allow transactions to occur and monitor the 
``response time metric'' to set a baseline for the interaction 
standards before they execute their SLA. They expect to execute their 
SLA by the end of December.
                        concluding observations
    CMS is taking steps to ensure that there are adequate security 
measures for the hub in compliance with NIST guidelines. At the time of 
our review, CMS was working with very tight deadlines to ensure that 
security measures for the hub were assessed, tested, and implemented by 
the expected initial open enrollment date of October 1, 2013.
    Our report provided the status of the implementation of key 
security requirements at a point in time. CMS has reported to us that 
it has completed all of the required steps and obtained its security 
authorization on September 6, 2013. We have not independently verified 
CMS's progress since completing our audit.
    Thank you for your interest in our work on this important issue and 
the opportunity to be a part of this discussion. I would be pleased to 
answer your questions.

    Mr. Meehan. Thank you, Ms. Daly.
    The Chairman now recognizes our last panelist, Mr. Salo.
    Mr. Salo----

     STATEMENT OF MATT SALO, EXECUTIVE DIRECTOR, NATIONAL 
               ASSOCIATION OF MEDICAID DIRECTORS

    Mr. Salo. Great. Thank you very much, Chairman Meehan, 
Ranking Member Clarke, other Members of the committee and 
subcommittee.
    My name is Matt Salo. I am the Executive Director of the 
National Association of Medicaid Directors. I appreciate the 
opportunity to testify on their behalf.
    It is important to talk a little bit about what Medicaid 
is; why is Medicaid here at this conversation about the hub? 
Medicaid itself does a lot more than most people think.
    We deal in numbers of that are astronomical. We are going 
to spend close to $500 billion this year covering 72 million 
Americans. It is a State and Federal program. Our members are 
the ones in every State and territory who actually administer 
the program.
    We are here in large part because again, not very well-
known, but Medicaid really is kind of the centerpiece of the 
ACA. The ACA spent about $1 trillion over 10 years, half of 
that goes into Medicaid, to the expansion, and for other 
changes to it.
    So obviously, the ACA or Obamacare is a highly politically-
charged issue. We know this, but what is also true is that the 
impacts of the law are very real and are very real for the 
citizens of this country, the citizens of each one of our 
States.
    For my members, as public servants, their primary job is to 
uphold the law but also to ensure the health and the well-being 
and yes, the security of their citizens.
    If things don't go well, we get the calls. So it is very, 
very important that we make sure that things do go as well as 
possible, and there is going to be a lot of aspects of that.
    I think the primary ones for this issue are that our 
citizens not only understand but are able to access, afford, 
and be safe in their security in terms of the new health 
options that are going to be available to them.
    So while there has been a lot of talk and a lot of 
attention to bigger picture issues like the expansion and State 
versus Federal exchanges, we welcome the opportunity to talk 
about some of these under-the-hood types of conversations and 
the work that is going on.
    Other panelists have talked about the Herculean nature of 
what we are building here, the unprecedented nature. We have 
bandied around terms like moonshot earlier.
    There really is no precedence in terms of what we are 
trying to build here, and I think it is important to keep all 
of that in mind especially when confronting the fact that I 
think at least at the onset, people were envisioning that this 
was going to be a Travelocity of health care.
    While I think we may get there someday, I do not think it 
will look like that on Day 1 because in many ways, what is 
happening is the creation of the system is kind of like 
building a bridge starting at opposite ends of a river and 
trusting that they meet in the center.
    The challenge for Medicaid is that in many ways it is 
building 56 different bridges and hoping and trusting that they 
will meet in the center. The challenges obviously are that 
there is never enough time, never enough money, never enough 
bandwidth to do all of these things.
    But having said all of that, again, this has been issue No. 
1 for our members for the past several years. While there are 
many aspects of this, security is a very, very important one as 
well.
    It is important to know that from our perspective as we 
build the connectivity between Medicaid and the hub, the 
concepts of the security of the information are being baked in 
to that connectivity, and that the security and the privacy and 
the confidentiality of information is not something that is new 
to us.
    We served 72 million people last year and we did so in a 
way that bridged lots of different gaps. Medicaid was able to 
communicate with other programs like TANF for food stamps, 
SNAP.
    Medicaid was able to bridge the gap with Medicare to ensure 
care coordination for dual eligibles. Medicaid is able to 
bridge the gap with private insurance to do third-party 
liability, to look at citizenship documentation and that became 
part of the law a couple years ago, and in many of the aspects 
of program integrity that State and Medicaid programs take 
very, very seriously.
    This is a very, very important issue and it will be 
addressed and it will be one of the core functions of what we 
do.
    By all that, I do want to say though that when we are 
looking at October 1 or January 1, it is important to recognize 
that we are going to have a turbulent takeoff and we are going 
to have a bumpy road as we move forward because of the 
complexity of what we are doing, because of the nature of what 
we are doing.
    But I think it is also important to note that from our 
perspective, we do not believe that security is one of those 
things that is going to be sacrificed or jettisoned in order to 
get this done right on time.
    That in fact we think there will be a lot of Day 2, Day 3, 
Day 4 mitigation plans and work that is being done, work that 
is being planned as we speak to try to figure out how do we 
take what we know will break down and fix it.
    Again, not on the security side, but in terms of the 
consumer interface where we know that people's lives, people's 
situations are messier than rules engines can usually handle, 
but we are working on this. This is what we do.
    I would just close with an analogy, you know, in some 
sense, what we are doing here is analogous to rolling out the 
Medicare Part D program.
    Although that seemed relatively straightforward, on Day 1 
when we turned on all the lights, it was a bit of a mess, and 
we had a lot of seniors who were in pharmacies who didn't know 
what was going on, couldn't get their prescriptions, couldn't 
get anyone to give them clear answers.
    It was the States, the Feds, and the plans who worked 
together tirelessly for months to figure out, how do we fix 
this? Now, in many respects, this is like Part D on steroids, 
but that is the commitment we have, and that is the vision that 
we see moving forward.
    This will work. It will not work perfectly. We do not 
believe security is going to be a primary concern on Day 1, and 
we will fix what happens and what breaks as we move forward.
    Thank you, and I am happy to answer any questions.
    [The prepared statement of Mr. Salo follows:]
                    Prepared Statement of Matt Salo
                           September 11, 2013
    Good afternoon Chairman Meehan, Ranking Member Clarke, and 
distinguished Members of the subcommittee. My name is Matt Salo, and I 
am the executive director of the National Association of Medicaid 
Directors (NAMD). I appreciate the opportunity to testify before you 
today.
                                medicaid
    Medicaid is the Nation's health care safety net. Jointly financed 
by the States and the Federal Government, Medicaid spent more than $420 
billion last year to provide health care to more than 72 million 
Americans. The program is administered by the States within a broad 
Federal framework which leads to enormous variation across States in 
terms of who is covered, what services are provided, and how those 
services are paid for and delivered. Furthermore, within any given 
State, Medicaid's role is broad, varied, and complex. Medicaid funds 
close to 50 percent of all births, and the majority of all publicly-
financed long-term care in this country.
    It also provides most of the Nation's funding for HIV/AIDS-related 
treatments, mental health services, and others.
    It is therefore very difficult to talk simplistically about 
Medicaid (either Nationally, or within a State), despite its incredible 
importance in the U.S. health care system.
    NAMD was created with the sole purpose of providing a home for the 
Nation's Medicaid directors and we represent all 56 of the State, 
territorial, and DC agency heads. Our two broad objectives are to give 
the Medicaid directors a strong, unified voice on National and Federal 
matters as well as helping develop a robust body of technical 
assistance and best practices for them to improve their own programs. 
While no two programs look exactly alike, the directors are unified in 
their heartfelt desire to improve the health and health care of the 
growing number of Americans who rely on the program.
             implementing the affordable care act--overview
    No issue has been more polarizing in recent memory than the 
Affordable Care Act (ACA), often known as ``Obamacare.'' While the ACA 
may not be wildly politically popular, or even well-understood, it is 
the law of the land, and it will have far-reaching and fundamental 
impacts on the citizens of every State in the Nation.
    Politics aside, the key to the success or failure of this new law 
lies in how well it serves our citizens; and how well they are able to 
understand, access, and afford their new health insurance options. In 
many ways much of the foundation hinges on reforms to the Medicaid 
program. The States have been working as quickly and effectively as 
possible for months, even years, to put together the pieces of this 
complex health insurance overhaul.
    To fully understand the Herculean task the ACA presented to State 
Medicaid programs, we must acknowledge that States began this journey 
from very different starting points. Likewise, even several years after 
the official ACA launch we can still expect to see differences in the 
structure of Medicaid programs--and health care systems generally--as 
States determine how to best meet the diverse needs of their citizens.
    Regardless of their starting or ending points, there is a long list 
of changes that all States have to make to comply with the law. These 
include overhauling complex eligibility systems to conform to new 
standardized Federal rules. State Medicaid agencies also have been 
working to integrate with new health insurance marketplaces to ensure 
that individuals and families receive consistent, accurate information 
about their eligibility for public insurance programs. And they have 
endeavored to minimize the burden and confusion for individuals and 
families trying to navigate the rules for these new programs.
    Investments in this system overhaul are being made by States, and 
by the Federal Government--with everyone involved fully committed to 
ensuring that they work as well as possible. As envisioned, the new 
system would be able to process a few consumer data points (name, 
Social Security number) and determine the insurance program--Medicaid 
or the marketplace--for which each individual in a family would be 
eligible. It also would begin the actual process of enrolling and 
paying for that coverage.
    Achieving this vision requires real-time communication between 
States and the Federal Government and among multiple Federal 
departments that historically have never talked to one another. In many 
States, it requires a complete overhaul of decades-old Medicaid 
eligibility systems in order to interface with a new Federal ``hub.''
    In addition to these technical hurdles, there is another reality to 
contend with: No two State Medicaid programs are alike. These 
differences have developed over the nearly 50 years of the program's 
existence, and reflect the political and cultural dynamics of each 
State. These differences range from who is covered, which benefits are 
available and how care is both delivered and paid for, as well as the 
sophistication (or too often, lack thereof) of the State eligibility 
and information systems, many of which were built in the 1980s.
    In a sense, States are building 50+ bridges all at the same time, 
from different starting points and hoping that these efforts meet 
exactly in the middle. These bridges CAN be built and they are in fact 
being built now. But it is vitally important that we take heed of the 
lessons of complex policy implementations in the past as well as the 
expertise States have with program and system implementations.
           privacy, security, confidentiality of information
    Security, privacy, and confidentiality are among the highest 
priorities for State Medicaid Directors. They also hold their vendors 
to the same high expectations and work with them to ensure they too 
appropriately safeguard personal information.
    While there have been security breaches in Medicaid, there have 
also been security breaches in the banking and credit card industries, 
with internet service providers, and practically every other component 
of our increasingly interdependent economy. It is unrealistic to expect 
that these things can be prevented entirely, it is more important that 
we focus on how to minimize and mitigate the risks that are inherent in 
an interconnected society.
    States currently handle many of these types of information in a 
highly secure way as they make eligibility determinations for the more 
than 70 million Americans currently on the program. States routinely 
work with chief information officers, consumer protection agencies, the 
inspector general's offices in a variety of State and Federal agencies, 
and more in their efforts to protect consumer information.
    While the specifications of the systems being built to interface 
with the Federal data hub and the Insurance Marketplaces are new, 
States have decades of experience working across program platforms to 
ensure privacy, confidentiality, and security of patient information 
(medical and otherwise). Whether its communicating with private 
insurance companies to do third-party liability determinations, working 
with other programs such as TANF or SNAP to eliminate redundancies, 
working with a range of Federal agencies to implement citizenship 
documentation requirements, or working with Medicare to improve care 
coordination for individuals dually eligible for both programs, State 
Medicaid directors have significant experience and perspective.
    In each of these examples, it is important to note that the sharing 
of information across programs or payors is a vitally important 
function. In fact, the entire field of public health and program 
integrity would barely exist if data could not flow securely, quickly, 
and effectively.
    While I am not here to testify to the readiness schedule of the 
Federal data hub, we do know from experience of the high-level 
commitment to privacy and security. In fact, this commitment is one of 
the main drivers of our concern that the full range of operational 
capacity is not likely to be met by October 1. In fact, some of the 
earliest conversations with our Federal partners revealed a significant 
stance on behalf of IRS that it was more important to ensure that the 
exchange of data was done securely than it was to do it quickly.
                             the road ahead
    As we approach the open enrollment date of October 1, 2013, there 
is one lesson that clearly stands out: We must be prepared for a 
turbulent take-off.
    The magnitude of the changes and the many different pieces that 
have to be linked together mean everyone--consumers, policymakers, and 
other interested stakeholders--must have reasonable expectations of the 
systems and programs early on. In many instances, the consumer 
experience will not be immediately smooth. Real people are going to be 
frustrated when accessing the system. Whether it's a failure of 
computer algorithms to properly account for the startling complexity of 
real people's lives, or the difficulty in ensuring that these multiple 
State and Federal agencies are communicating in real time, it will be 
bumpy.
    However, it's also reasonable to expect that the experience can and 
will improve over time. As they do in advance of any major 
implementation, Medicaid agencies are trying to predict, plan for and 
set up procedures to resolve the problems that will inevitably arise. 
At the same time they will continue working towards the ultimate goal 
of compliance with the law's requirements and seizing other 
opportunities they've identified.
    The health and safety of Medicaid clients is the main concern of 
Medicaid directors, and they will continue their on-going commitment to 
provide the best possible service to beneficiaries, while protecting 
the integrity of the program, and being responsible stewards of 
taxpayer dollars.

    Mr. Meehan. Well, thank you Mr. Salo.
    I thank all of the panelists for their testimony.
    Let me begin, Mr. Salo, you made an observation and I think 
it was really important to recognize that some of the people 
that are at the most risk here are those in Medicaid, the 
poorest, those in the least capacity to be able to recover or 
help themselves in situations where they may be taken advantage 
of.
    You used the word ``no precedence in its size.'' Dr. 
Parente called it I think the greatest--the ``largest personal 
data Government integration project in the history of the 
Republic.''
    Ms. Daly, let's get the elephant out of the room. You know, 
we are talking here about representations that have been made 
by an agency and findings that you made about their readiness 
to meet these deadlines.
    But we had the IG before us just a few weeks ago, the HHS 
itself said, and your reports confirmed they would not be ready 
until the 30th at the end of this month.
    That is in the course of the normal business. We know the 
challenges. I am already suggesting this is the largest 
database in the history of the Republic.
    Now, we received a report which you just said that lo and 
behold it was done on the 6th. They are ready to go.
    Now this is an agency who for 3 years failed to meet a 
single deadline, and in your own IG's report and virtue of 
every single deadline that was articulated as much as 3 months 
before there was not a single deadline met.
    Now you have stated yourself that this has not been done 
with any independent verification and the word continues to be 
just ``trust us.''
    Ms. Daly, you are the Inspector General. Do you trust them?
    Ms. Daly. Chairman Meehan, I appreciate the opportunity to 
respond to that. In our report, we did point out that they 
had--some of the dates had moved from their original plan date.
    In fact, the date for the security authorization that was 
recently provided on September 6, in our report, we pointed out 
that it was--that is on September 30--so that is what gave us 
pause and wanted to get that--the early information out to the 
Members of this oversight body so that steps could be at taken 
and pressure to bear where appropriate.
    So with that, we have recently been provided the assurance 
from the CIO at CMS through that security authorization 
decision, that is part of the normal NIST standards that are 
used and NIST, as you know, sir, it is the National Institute--
--
    Mr. Meehan. I know those----
    Ms. Daly. Yes, sir, very good. So with that, you know, we 
are just providing that information to you. We have not had a 
chance to go in and do a thorough assessment of it at this time 
given the short time span.
    Mr. Meehan. So you have passed this on, but let's go 
through. Now what are the three steps? We understand that there 
are three steps in a NIST process.
    There is the identification of the program that we have. 
There is beta testing of that program. Once that is beta 
tested, you identify the flaws in that program, you then fix 
that program, you then test it again to assure--and it is at 
that point in time that there is the certification.
    They were not even ready at that point in time, which was 
only 2 or 3 weeks ago to certify to us that they had even done 
the appropriate beta testing.
    Now you tell me how it is; we need your help. You are the 
person who is the independent verification, not just ``trust 
us.'' So how can we believe that what was originally scheduled 
not to be done 'til the 30th on a massive project in which they 
have failed to meet a single deadline has been done on the 6th 
and they have failed to give you any information as we said, 
did you get, when you asked for information about the 
documents--Mr. Astrue identified them specifically--you were 
not given those documents. They were held back from you. You 
are an Inspector General. Why wasn't a demand made for those 
documents?
    Ms. Daly. Well, sir, actually, to be clear, in our report, 
we discuss a number of documents that weren't available at the 
time----
    Mr. Meehan. Well, if they are not available then, what 
makes you think that they were? Because that is part of the 
legal obligations. This isn't something that they just get to 
decide. They are going to determine how this process takes 
place. That is the NIST standards.
    Do you believe that they made up all of that ground in that 
short period of time?
    Ms. Daly. Well, sir, I can't speak to that at this time.
    Mr. Meehan. What does your gut tell you?
    Ms. Daly. I don't have a reaction. I generally, you know, 
being an auditor, I base our work on, you know, the generally 
accepted auditing standards and that is how we go about and do 
our work and I would have to go in and do a number of 
procedures in order to report back to----
    Mr. Meehan. One of them might be real beta testing. Do you 
intend in light of what they--they have just made 
representations to you, we still have a period, do you intend 
to have the inspector general's office use all of its resources 
to do the actual beta testing of certain parts of the facility 
before October 1?
    Ms. Daly. Well, sir, let me clarify for you that the beta 
testing is generally focused on the functionality of the system 
and with the functionality of the system, that is really more 
about how the user experiences that system and so forth.
    Mr. Meehan. But not security----
    Ms. Daly. It is not really security.
    Mr. Meehan. So we haven't even tested for security.
    Ms. Daly. Well, sir, to be--one of the key elements that 
the CIO should be considering as part of his security 
authorization decision is the independent security testing of 
its being done, and I want to highlight that it is independent, 
being done by a contractor, so that that provides that 
independent assurance to the CIO in performing that. But again, 
we have not seen the results of that.
    Mr. Meehan. Okay. My time has expired.
    I now recognize the Ranking Member, the gentlelady from New 
York, Ms. Clarke.
    Ms. Clarke. Thank you, Mr. Chairman.
    Ms. Daly, I just want to get some fundamental facts from 
you. If you can just give us a definition of the OIG's role in 
the marketplace and exchange and the Federal data hub, what 
exactly is OIG's role there?
    Ms. Daly. Well, with regard to that, the OIG, as you know 
under the Inspector General Act, has certain responsibilities 
for fighting waste, fraud, and abuse, and protecting the health 
and safety of the you know, people and beneficiaries--the U.S. 
taxpayers basically--and all of our citizens.
    That is where we emphasize. We don't have a role in the 
operation whatsoever. So it is very important that we maintain 
our independence in order to provide such an independent 
assessment when it is appropriate to do so.
    Ms. Clarke. So would you state that your role has not been 
fully activated yet just in light of the fact that No. 1, the 
data hub is just coming on-line, and the marketplaces are 
beginning to emerge now?
    Or are you giving oversight to this process and looking or 
scrutinizing the process to see whether in fact it is efficient 
or effective? Where do you see yourselves right now? What is 
the office doing at this particular point in time?
    Ms. Daly. Well, at this particular point in time, we have 
been, as you know, monitoring the situation because it is 
unfolding daily, you know, trying to stay abreast of some of 
the prior work that had been done, looking forward and doing 
risk assessments on what is the appropriate use of our 
resources because our resources are stretched pretty thin.
    We have also been and I want to highlight this for the 
Members today, you know, coordinating with GAO, with State 
auditors, and with other inspector generals because we see that 
as critical because this, is as everyone has noted, a huge 
enterprise.
    Ms. Clarke. So can you tell us about how you have performed 
your audit of the hub preparations and testing?
    Ms. Daly. Certainly. Our work really followed the generally 
accepted Government auditing standards, and to do so, what we 
did is we were coordinating with GAO. GAO was in there 
reviewing the data hub and certain aspects of the exchanges 
through a, you know, a request that they had received.
    So we coordinated with them--I am sorry--to ensure that we 
didn't duplicate any effort. You know, we have got a lot of the 
ground to cover, so we want to make sure that our work is 
complementary, not duplicative.
    So in that regard, they were doing certain aspects. They 
advised that they were not looking at the security over the 
hub, so we said, all right, we will look at the security over 
the hub.
    So we designed a program to ensure that the agents--to be 
able to assess whether the agency was in fact following the 
NIST standards in that regard.
    Ms. Clarke. So why did you, as some suggest, just briefly 
note in the audit that you did not have access to the CMS 
security documents?
    Ms. Daly. Well, Ranking Member Clarke, in our report we 
indicated that the agency had not provided us certain documents 
at that time. I think one of them specifically was a security 
test plan because it wasn't available at that point in time.
    Then, you know, of course subsequently, it may have become 
available. It wasn't that they refused, it just wasn't 
available.
    Ms. Clarke. Okay. Is it available now?
    Ms. Daly. It could be. I think if we requested--I am pretty 
comfortable it has been available now. They have provided us 
some updates of data that you know, has subsequently been done 
and some of the dates it was done on.
    Ms. Clarke. Can you, again, just give us a sense of why you 
didn't engage the beta testing on the hub?
    Ms. Daly. Well, we didn't engage that part because No. 1, 
that is usually towards the end of the project and our work 
primarily wrapped up really by the end of June.
    We got, you know, a quick update of certain dates before we 
published the report, but most of the work was done a bit 
earlier and some of that information and certainly any sort of 
beta version wasn't available.
    The other part would be that that would cover more 
functionality issues too, and that was really beyond our scope 
because we were, as we understood it, GAO would have been 
looking more at the functionality over the hub. We were focused 
on the security over the hub.
    Ms. Clarke. So is it that to a certain degree, there are 
some theoretical aspects to I guess standing up the hub that 
makes it somewhat exercise of futility for us to begin the 
testing?
    Or is it that you are waiting for a certain level of the 
operation to be complete before the testing becomes applicable? 
I am not clear on that.
    Ms. Daly. I appreciate that. The issue is there are certain 
aspects of testing that cannot be done until the process is far 
enough along; until enough has been built in order to do any 
testing.
    Now to be clear, part of our audit approach was to look at 
the testing that was on-going by the agency as it was being 
built because the agency employed a--actually, it is a system 
development process called Agile, and it is very popular right 
now because you can build things out fairly quickly.
    With that though, they are doing continuous testing as it 
goes on, but this is by, if you will, development personnel. So 
what happens later on then is all independently confirmed, in 
accordance with what NIST calls for, and an independent 
security assessment that is done after all of the internal 
testing is done.
    So with that, you know, we said there wasn't any time for 
us to go in and do it, and we didn't want to duplicate any 
effort that was on-going. Instead, we reviewed the documents 
that they had available.
    For example, as part of their on-going testing, we looked 
at whether they had identified any issues, whether they had 
logged those issues in as they should, whether they had 
corrective action plans in place, and saw the process that they 
were following. So that is the answer to that.
    Ms. Clarke. Okay. I am going to yield back, Mr. Chairman.
    Thank you for your testimony.
    Ms. Daly. Thank you.
    Mr. Meehan. I thank the gentlelady.
    The Chairman now--we will recognize as we do under the 
rules of the committee those Members in order of their 
appearance at the time of the gaveling down, and so 
appropriately, the Chairman now recognizes Mr. Perry, from 
Pennsylvania.
    Mr. Perry. Thank you, Mr. Chairman.
    Thank you folks for coming to testify. I must tell you that 
every single one of you with all due candor, your testimony is 
breathtaking in concern for me, and I think most Americans, and 
I imagine other Members of the panel.
    That having been said, I am not even sure. Maybe Mr. Salo, 
you can, I will direct my question to you, but just, I am not 
sure who should field this, but, you know, I think Americans 
and Members of Congress are concerned about the navigators.
    This is a new position for most people and we don't know 
exactly what it is going to be like going to a navigator, but 
we have heard about some of their training.
    It is my understanding that they will receive 20 hours of 
training. I just think about that in the context of the 
information that these--folks they will be helping us as 
consumers decide what insurance is best and how to enroll and 
while right now Members of Congress in our offices cannot 
advise the public on questions.
    We can't do that right now but these folks are going to do 
that with 20 hours of training and I just want to alert you to 
the fact that in Pennsylvania--I don't know about other 
States--but in Pennsylvania, it takes 1,250 hours to become a 
barber.
    All right, it takes a massage therapist 500 hours, and if 
you want to get a driver's license in Pennsylvania, you have to 
have 65 hours on the road.
    But to navigate insurance for which has been--this thing 
has been on-going for a couple of years now and Members of 
Congress and the whole Federal Government can't seem to get 
information out, these folks are going to be advising us with 
20 hours.
    So with that, I am wondering, why--it was my understanding 
first of all, that it was originally 30 hours. Can you verify, 
can anybody verify that, and if so, why was it cut?
    Okay, nobody can verify that.
    These folks are, I guess, in that 20 hours--can anybody 
tell me what training these folks, navigators are going to 
perceive regarding the security of personal information?
    Okay, so--not that--necessarily that you should be able to 
answer those questions. You know, this is going to range from 
Social Security numbers to if a woman is pregnant or not. 
Various organizations which include these individuals are going 
to be contracted to do this.
    Let's just pick one. I know it is somewhat inflammatory, 
but one would be Planned Parenthood. With the issue of 
pregnancy being one of the questions being asked, is there some 
safeguard? Is there some safeguard which offers consumers some 
kind of recourse?
    Let's say that you know, in the information that is 
gleaned, the woman is pregnant and then this organization, any 
organization uses that information to advertise to this person 
their services. Is that appropriate? Is that allowed? What is 
the recourse? Can anybody provide any information? Okay.
    Let me ask you this. With regard to--and this is to Ms. 
Daly. Thank you very much. According to your testimony, you did 
not review the functionality of the hub or issues specific to 
the Privacy Act, but there is an independent--is it my 
understanding, there is an independent contractor that is going 
to be doing that or that is doing that currently?
    Ms. Daly. That is correct, Congressman. An independent 
contractor was supposed to be doing this security assessment 
that would cover over all issues related to security.
    With that though, that is supposed to have already been 
done because it is supposed to be a critical part of the 
systems authorization that was just recently provided on 
September 6.
    Mr. Perry. So if that is done, is that information 
available? The outcomes so to speak or the report on that?
    Ms. Daly. I don't believe that is generally available to 
the public, sir, just because of the sensitivity surrounding 
that because it would show what was tested, how the system is 
configured, things of that nature.
    Mr. Perry. Well, would it--is there some report that will 
inform the public and Congress, Members of Congress, the 
Federal Government, regarding the efficacy of that testing and 
the results? Is this system ready? Is it not?
    If it is not, because it is my understanding that the final 
testing for some of this stuff happens at the end of this month 
and it is supposed to go live the first of the next month, so 
we are 20 days away or thereabout, what is the plan or do you 
know of a plan if it fails?
    Ms. Daly. Well, sir, that is a very good point, and I just 
want to clarify that the testing I've been talking about 
focused on security aspects of the system, not on the 
functionality or efficacy of the system.
    So that was beyond our scope, so we didn't focus on that 
because as I mentioned earlier, we were coordinating with GAO 
and we understood that GAO was going to cover those aspects.
    Mr. Perry. But it is my understanding that the private 
contractor will be assessing those other milestones so to speak 
or efficacy. Is that your understanding or don't you know?
    Ms. Daly. I honestly can't speak to that, sir. I am sorry.
    Mr. Perry. Can anybody else? One of my--go ahead, Mr. 
Astrue.
    Mr. Astrue. I will say one thing. Speaking for myself, I 
never relied on a contractor to give complete assurance on 
these things because I mean, no disrespect to this particular 
contractor, but they are in business to keep the Federal 
Government contractors happy.
    They are not necessarily going to rock the boat. This is 
why an independent--this is exactly what Offices of Inspector 
General are set up to do is to make independent assessments 
about, you know, violations of legal rights, openness to fraud, 
these types of things.
    I am outraged that you would rely on any--I mean, MITRE is 
a terrific corporation, but I would never rely on MITRE, and I 
didn't when I was going through dozens of these kinds of 
programs at SSA.
    Mr. Perry. I have a lot more questions, but I see my time 
has expired.
    I yield back. Thank you.
    Thank you, folks.
    Mr. Meehan. I thank the gentleman.
    The Chairman now recognizes the gentleman from Nevada, Mr. 
Horsford.
    Mr. Horsford. Thank you, Mr. Chairman. I thank you for this 
session.
    I want to start by first asking: There is in fact a private 
contractor who is doing this software system development on 
income and eligibility verification? Is that correct? Whoever 
can answer the question?
    Mr. Salo. At both the State and the Federal levels, yes. I 
am not the expert at the Federal level; I believe there is one 
contractor who is doing it at the Federal level.
    At the State, generally, it is one contractor, but there 
are a variety of different private entities that have all bid 
out with the respective States to do this and to do various 
components of it ranging from eligibility and enrollment to 
identity-proofing to conductivity with the hub, et cetera.
    But yes, these are generally private contractors. To be 
honest, I wish that the State experience with IT systems 
vendors was as rosy as Mr. Astrue said that they are all in the 
business of making them happy. That is not always true for us.
    Mr. Parente. But there is only one contractor that has 
responsibility for building the Federal data hub.
    Mr. Horsford. Now under at least the Health and Human 
Services Department, the collection of this type of income and 
eligibility data occurs across many programs currently, today, 
correct?
    Mr. Salo. Yes, that is correct at least with respect to 
Medicaid. As I referenced earlier, there are a number of 
different crosswalks that Medicaid has to do every single day 
for many of the 72 million people who walk in and out of the 
door whether that is other Federal or State programs they may 
be eligible for; TANF, food stamps. You can sometimes work on a 
joint application to make sure that the shared information 
works there.
    For individuals who are dually-eligible for Medicare and 
Medicaid, you are cross-walking information across those two 
programs both from a claims system, from a care coordination 
perspective, from a program integrity perspective.
    You know, Medicaid is the payer of last resort, so we tend 
to look for you know, does an individual have coverage from 
some other third-party insurance, or even some sort of 
settlement from a car crash or something?
    So we interface with those systems. Like I said in terms of 
citizenship documentation, we do all of that. We do all of that 
every day. The program couldn't run if you didn't do all of 
those things.
    You wouldn't want the program to run if you weren't 
accessing across programs to get that kind of information 
because if you are doing that without that kind of information, 
then you are working blind and that is not the way to go.
    Mr. Horsford. So Mr. Salo, you said in your testimony that 
it is important that we focus on how to minimize and mitigate 
the risks that are inherent in the interconnected parts of 
these systems and how they work.
    So my question and the question I hear from the majority of 
my constituents including the insurance companies, agents, 
businesses, they just want this to work, and they want Congress 
to stop playing games and to figure out ways to make the law 
work better.
    This is the same problem that there was under Medicare and 
Social Security when they were implemented. It is not going to 
be perfect on Day 1. So my question is: What are some specific 
recommendations where we can identify the potential risks and 
mitigate those risks and what are the steps that we need as 
Members of Congress to do to ensure that we are putting those 
steps in place?
    Mr. Salo. Well, I am sure you will get a lot of input from 
other members of the panel, but, you know, I would just say 
that I agree, you know, from our members' perspective, we just 
want this to work because at the end of the day, it is the 
citizen, U.S. citizens, citizens of the State who are impacted 
and they don't care whose fault it is. If it goes wrong, they 
are going to blame us.
    You know, in terms of trying to make it work well for them, 
again, I think this type of conversation is and can be very 
useful as we raise potential issues. You know, are there, you 
know, contingencies that perhaps we haven't thought of, whether 
they are security-related or what have you. I think it is 
important to get those out in the open so we can think about 
those and plan for those.
    In terms of concrete recommendations, you know, the 
challenge really is, you know, again, we have got States coming 
at this from 50 different places and, you know, there has been 
a challenge--there is a challenge in trying to build a system 
up in terms of time, in terms of money, in terms of bandwidth.
    There is a challenge when it comes to the timeliness of 
Federal guidance, in terms of, you know, what States can 
expect, what States have to go, because this is all being done 
with private contractors, you know, you need time to build into 
a proposal, into a contract, what exactly they are trying to 
build, and if you don't know until the last minute, it is 
really hard to sort-of build that out quickly.
    So, you know, the extent to which transparency of 
information from the Federal perspective comes out in a 
quicker, more clear way, that would be helpful. I could go on, 
but I don't want to take up too much time.
    Mr. Astrue. If I could add for just a few moments. 
Transparency, as my colleague has pointed out, is important and 
it is also important as the OIG said that these security 
documents not be fully public.
    I agree with that, but there is a difference in terms of 
transparency with you and you need to know whether the system 
is secure, whether it is violating privacy, whether it is doing 
its job, and you don't know that right now.
    If the inspector general defines its job so that those 
things aren't relevant areas, you need to go to GAO and you 
need to say to them, ``You need to fill the gap where the 
inspector general is not fulfilling its responsibilities.'' I 
believe that the Senate has started to do that.
    Mr. Horsford. Thank you, Mr. Chairman.
    Mr. Meehan. Does the gentleman yield back? Oh, okay. I 
don't want to assume anything. I am just--okay, thank you.
    At this point in time, the Chairman now recognizes the 
gentleman, Mr. Rogers.
    Mr. Rogers. Thank you, Mr. Chairman.
    Ms. Daly, based on your testimony, it seems to me that the 
issue isn't when, or if, but when we are going to have a breach 
of the data hub or it is going to be leaked or some other 
problem.
    My question is: Has the IG's office developed standards by 
which a breach such as that would have to be reported to you?
    Ms. Daly. Well, Congressman Rogers, the NIST also guides 
this area in which breaches are reported. There are, you know, 
certain ways that information needs to be reported, it has to 
be reported within a certain----
    Mr. Rogers. So you don't have to come in afterwards and 
audit to find out about it, they have to notify you when they 
realize there has been a breach or a leak?
    Ms. Daly. That is exactly right. They don't notify our 
office actually, they notify the CIO's office. That is who is 
responsible for managing that.
    Mr. Rogers. Are they also required to notify the individual 
whose information was leaked or breached?
    Ms. Daly. Well, it depends on if a true breach occurs. 
First, there is an assessment that is done of it determining 
the amount of encryption that might have been over the data, 
and if it is a high enough level of encryption, the individual 
does not need to be notified.
    If there is a certain amount of, you know, risk involved 
with it and that is a determination that is made in the CIO's 
office, then the individual of course is notified.
    Mr. Rogers. What about consequences for the navigators, the 
workers or navigators? If we find one of them has intentionally 
leaked or breached the security, are there criminal penalties 
of that you are aware of built into the law or regulations?
    Ms. Daly. Well, unfortunately, sir, I am not in a position 
to answer that today.
    Mr. Rogers. Anybody else on the panel?
    Mr. Astrue. Yes, there should be an array of--it depends on 
the nature of the offense, but there should be an array of 
Federal and State penalties.
    Mr. Rogers. That would already be in existence regardless?
    Mr. Astrue. It wouldn't--not to say that it might not help 
for Congress to clarify on that, but there would be existing 
tools for enforcement if HHS chose to use them.
    Mr. Rogers. Great. This question would be for Mr. Salo or 
Mr. Astrue.
    I have got here a letter signed by 10 State attorneys 
general, Alabama as being one of them, to Kathleen Sebelius 
last month and among the questions--they asked several 
questions they would like clarification on, but among the 
questions they ask is--and this, I think about Medicaid when I 
think about this since the State is so heavily involved in it 
is what is the State's legal liability in this new endeavor if 
there is a breach? Do either one of you know?
    Mr. Astrue. Well, with the qualification that I gave up my 
law license a few years ago, I think generally on these 
matters----
    Mr. Rogers. Voluntarily?
    Mr. Astrue. Yes, I did. I did.
    Mr. Rogers. Just joking.
    [Laughter.]
    Mr. Astrue. No, actually, I was afraid as a head of a 
Government agency I was going to get sued individually, people 
would go after my bar license, and I decided to give it up.
    Mr. Rogers. I am a recovering attorney myself.
    Mr. Astrue. Yes. I think as a general matter, this statute, 
whatever else you might say about it is a classic example of a 
statute that preempts a lot of State laws. In fact, that has 
been part of the challenge to the validity of the statute in 
the first place.
    So I think while I would not want to say that there might 
not be some liabilities for States depending on how much 
discretion they were using implementing the act, my personal 
view would be that most of the activities because they are 
being required by the Federal Government would give the State 
some immunity from suit.
    Mr. Rogers. Well, it just concerns me that 10 State 
attorneys general collectively, legally can't discern whether 
or not they have that liability and one of the things they ask 
in the letter is do they have or do their respective States 
have the legal capacity or obligation to add to or supplement 
the criteria by which this system is operated to make sure they 
don't have legal liability. Do you know if the States will have 
that latitude to supplement the security criteria?
    Mr. Astrue. I think certainly for some features of the act 
they will have ability to do add-ons. I believe it was designed 
with, I mean, it is tough to tell from the statute, but it does 
appear that to me, that it was designed with that intent, and 
certainly to the extent that you are going beyond the Federal 
mandate in a discretionary way, it does seem to me that you 
would be running some risk of losing the protection of the 
Federal preemption.
    Mr. Rogers. Great. My time is expired.
    Thank you very much, Mr. Chairman, I yield back.
    Mr. Meehan. Does the Ranking Member have a request?
    Ms. Clarke. Yes, Mr. Chairman. I have a request that the 
committee--a request for unanimous consent to have 
Congresswoman Sheila Jackson Lee of Texas sit in and make a 
comment during our proceedings today.
    Mr. Meehan. Without objection, so ordered.
    Consistent with the rules of the committee, those Members 
of the committee who are present will take precedence over 
those who join us.
    So I know the gentlelady will yield while we turn to the 
former U.S. attorney from Pennsylvania, Mr. Marino, for his 
questioning.
    Mr. Marino. Thank you, Chairman.
    Good afternoon, and thank you, folks, for being here today.
    Ms. Daly, you have some tough questions that you answered 
and you are between the devil and the deep blue sea here 
because of what the AIG technically is supposed to do but based 
on the lack of information that you may have.
    So my question to you is: How can security authorization be 
made without assurances to you as the IG, that the system 
itself is secure? Could you explain that to me please?
    Ms. Daly. Well, thank you for the question, Congressman 
Marino.
    As part of the NIST guidelines for developing systems, 
rolling them out, what are the best practices agencies should 
be following, that is what we have looked at with regards to 
security for the data hub.
    As part of that process, the agencies are supposed to be 
doing some, you know, continuous testing as it is developed 
that looks at security and other things too, but our focus was 
on security, and then at the end, once they get everything 
developed, they are supposed to have an independent security 
assessment. That is critical.
    Mr. Marino. But your assessment then is based on the 
information that you are provided. Correct?
    Ms. Daly. That is correct, sir.
    Mr. Marino. You are not making any leaps of faith or 
conjectures beyond at that point? You are not determining any 
what-if's?
    Ms. Daly. That is correct, sir. Yes, we basically are 
reporting out facts in this case. If we had seen something that 
was a significant violation in any way, we certainly would have 
reported that and made a recommendation that things be fixed.
    Mr. Marino. Based on what you received.
    Ms. Daly. Exactly.
    Mr. Marino. It is like a computer, whatever you put in is 
the only thing you are going to get out of it. So the only 
information you get, you based your assessment on what you are 
given?
    Ms. Daly. That is correct, sir. We compared what the 
testing and the system development documents showed compared to 
the standards that were in place at that time for that purpose.
    Mr. Marino. This is interesting. I got a phone call from a 
constituent who works for the State and that person has an 
insurance health program paid for in part by the State. So that 
person went to the Social Security Office and because he wanted 
to get information about Medicare because of the age; 64, 65.
    That person asked why I needed to sign up. As that person 
explained, ``I already have insurance, I don't need it. It is 
being paid for. Why put the taxpayers to an extra cost of now 
the Federal Government paying and my employer coming in 
second?''
    The answer the clerk gave him was that, ``We need this to 
track you and to garner information about you.''
    Okay, now, I found that kind of odd. He said, ``Well, I 
only want to sign up for Part A of this,'' and he again told 
her that he had insurance and she told him that he would be 
charged the penalty if he signed up later but the Government 
needed a system whereby--needed information whereby to track 
him so they could have information on him to see if he is 
paying for insurance or has insurance.
    Can anyone address this for me? Because I am at quandary as 
to why.
    Mr. Astrue. Mr. Marino, with all due respect to my former 
employee, I don't think that that is an accurate description. 
My recollection, which is a little soft on the edges is that 
there was a policy decision made in the late 1960s to link the 
two together in this way.
    It has been litigated. I don't think the rationale of HEW 
at that time is 100 percent clear. It was litigated fairly 
recently and I remember being consulted on that litigation a 
couple of times within the administration in 2007, 2008.
    I don't remember when the case was decided. I think it was 
about 2010, but the decision was that the agency had 
appropriately linked those two programs together.
    But again, I don't think the rationale for why was ever 
particularly--I think it was lost in the midst of time by the 
time it got litigated, but I don't think that my former 
employee's description is probably accurate.
    Mr. Marino. Okay. Mr. Astrue, since we are talking here, 
can you give me--I know you can go on for a while here, but I 
only actually have--no, actually, I am over my time, but if you 
could give us a little synopsis of your opinion of the IG 
report; pro and con.
    Mr. Astrue. Yes, I am extremely negative. I think that 
essentially what happened here is this is not according to GAAP 
principles.
    Essentially, they went in, said, ``How are you doing?'' And 
they said, ``Well, we are running behind, but we are doing 
great.'' And they said, ``Can we see all of the relevant 
documents?'' And they said, ``No.''
    If you go and read through the report carefully, you will 
see that the security plan was due on July 15 and there is 
nothing in the report that says that it wasn't done on July 15, 
and this is an August 2 report.
    There must have been a draft at that point and I am just 
not used to the idea that the inspector general comes in and 
asks for things and you say no. I logged years in the agency 
and I can't remember that happening.
    So this is a new IG. This is a new IG that is failing in 
its duty to the American people to dig into what is happening 
and give answers to the Congress and the American people. I 
think it is really sad.
    Mr. Marino. Thank you. I yield back my over-spent time.
    Mr. Meehan. I thank the gentleman, and the Chairman now 
recognizes the gentlelady from Texas who we are happy to have 
joined us on the panel today for 5 minutes.
    Ms. Jackson Lee. I thank the gentleman and the Ranking 
Member for their courtesies, and I think I have some pointed 2 
or 3 questions and then a brief comment.
    I just always believe the importance of oversight and fact-
finding, and I wanted to ask Mr. Astrue, has he engaged our 
present inspector general in a one-on-one conversation or 
viewed his documents before your testimony was prepared?
    Mr. Astrue. No, I have not.
    Ms. Jackson Lee. Then I guess the follow-up is you have 
first-hand knowledge of what might be some fractures in the 
structure of exchanges presently being constructed.
    Mr. Astrue. I had first-hand knowledge through, to some 
extent, through February of this year, yes.
    Ms. Jackson Lee. In what capacity?
    Mr. Astrue. As commissioner of Social Security.
    Ms. Jackson Lee. Had the infrastructure of the exchanges 
begun and to what extent?
    Mr. Astrue. They had begun since at that point in time, but 
there was a still a great deal of fluidity in it which for me 
was the source of considerable concern because the time at that 
point was really, in my opinion, already too short to do the 
job properly.
    Ms. Jackson Lee. But that was an opinion? Wasn't it?
    Mr. Astrue. Yes, indeed.
    Ms. Jackson Lee. It was February 2013?
    Mr. Astrue. I left office on February 13, 2013.
    Ms. Jackson Lee. But of this year or last year?
    Mr. Astrue. This year.
    Ms. Jackson Lee. Yes. So we are now in September.
    Mr. Astrue. That is right.
    Ms. Jackson Lee. So you are reflecting on the first-hand 
knowledge that took you up to February and not much further 
than that.
    Let's--I thank you for that.
    Let me just go to Mr. Salo. National Association of 
Medicaid Directors, and I am sorry that I missed the 
explanation of that, but let me go right to the crux of where 
we are. We all should be concerned about personal information.
    However, I think the magnitude of the Affordable Care Act 
and its overall impact on health care in America is an enormous 
a step forward for saving lives in America.
    What would be--do you think we are in the mouth of a whale? 
Are we about to be swallowed or are we moving forward with the 
appreciation and respect for personal data as you can see it 
from your perspective?
    Mr. Salo. Oh, I think there has been a very, very long-
standing and very, very serious commitment to personal data on 
behalf of Medicaid, on behalf of the Medicaid directors. They 
know full well what happens if there is a security breach, and 
it something that nobody wants.
    There are contingency plans. There is constant work being 
done with chief information officers, with the State IGs, with 
security experts all the time in Medicaid.
    I think the thing to keep in mind about the big picture 
here, you know, whether we are talking about being swallowed by 
whales or not, is that security and privacy of data is always a 
concern, but the thing that has changed is the increasingly 
interconnected nature of not just our health care system but 
our overall lives in general.
    You know, I am not an expert in banking or credit cards or 
internet service providers. There are challenges there. The 
challenges in health care have changed.
    You know, we used to store information in unlocked file 
cabinets in the back of somebody's office. Was that secure? No, 
it wasn't. So you had to put in place procedures. We have 
decided as a society, I think rightfully so, that that is not 
where we want to be and what we need for a variety of reasons 
is to have much more fluid interconnection of data 
electronically; whether it is claims or insurance information 
or what have you.
    This is a good thing. It does bring with it different 
challenges to secure privacy. Not insurmountable ones, 
different ones. So we adapt accordingly. So I would just see 
what we are looking at here, whether it is dealing with the 
Federal hub or what have you, is an outgrowth of that natural 
progression of how do we figure out how best to secure this 
information in this inevitable changing world.
    Ms. Jackson Lee. My time is ending, I just want one simple 
question. Is this any reason to stop moving forward on the 
Affordable Care Act processes that have been put in place by 
the Congress and by Health and Human Services?
    Mr. Salo. To the best of my knowledge, we will not have 
security breaches----
    Ms. Jackson Lee. But this is no reason not to go forward?
    Mr. Salo. That is correct.
    Ms. Jackson Lee. Thank you.
    Let me thank my colleagues and to say that this is an 
important hearing, and I also think the issue of affordable 
care is crucial and I think that we are where we need to be, we 
just need to be particularly more cautious, and I think we can 
all work together to do that.
    Let me yield back. Thank you so very much.
    Mr. Meehan. I thank the gentlelady for taking the time to 
join us here today. Let me--I have a few follow-up questions 
that I would like to pursue. So I recognize myself again for 5 
minutes.
    Let me just--Dr. Parente, you made some observations in 
your testimony and I don't want to just leave them hanging out 
there. You are an expert in dealing with health care databases, 
you worked intimately in these in the past. You opined in your 
testimony about concerns of not understanding how the system 
would work and the potential for fraud. Would you please 
elaborate on that?
    Mr. Parente. I will even go further and say most of what I 
have heard today has not reassured me for several reasons. The 
first is I have worked, myself, as an independent verification 
and validation contractor for some Federal databases, actually 
one in the State of Maryland when Maryland took a step in the 
1990s to put together an all-payer database, one of the first 
in the Nation.
    I worked at the time with the Delmarva Medical Foundation 
and where I worked at Project Hope to essentially be that 
independent verification and validation contractor and there 
was a public report and because the Maryland State legislature 
required it.
    I personally find it unconscionable that this contractor, 
whoever it is, is not at least going to have an executive 
summary that actually talks about by efficacy the performance 
standards that would be essentially the safeguards that have 
been put in for vulnerability tests for the white-hat types of 
operations that are supposed to be put into place to make sure 
that all potential compromises have been taken into 
consideration.
    Mr. Meehan. Those would be the kinds of things that the 
certifying officer would have to not only look at but review 
and rely on. Isn't that right?
    Mr. Parente. Absolutely, and when I took that roll-on for 
the State of Maryland, it was a 1-year contract. When I entered 
and went to look at those databases, worked with other 
contractors to look at them at different State sites because 
there were several different vendors involved, and that is one 
small State, let alone the scale and enormity of what we are 
discussing today.
    Mr. Meehan. Well, in light of that, and that is one of the 
concerns because we talked about the scope and scale of this--
Mr. Astrue, you as well, and again, I know that we are asking 
only for your opinion and not the kinds of asking statements of 
fact, but I do appreciate once again your testimony touched on 
something rather significant and you discussed that there was a 
period of time in which you believed that the HHS may have 
backed away from its obligations under the Privacy Act and 
potentially even in violation of the law. Can you articulate? 
Did I get that correctly and would you say what you mean?
    Mr. Astrue. Yes, no, and there is a process for this in 
both--and the IRS came to the same conclusion at about the same 
time--so we both filed. OMB is the arbiter on those cases and 
they stalled for a very long time because HHS really didn't 
have very much to say on the Privacy Act issues.
    So it sat for months and months and months. It was not 
resolved at the time that I left and at some point subsequently 
I understand they decided that all these issues were under the 
routine-use exception, but I think that is a real abuse of 
routine use.
    You know, whether you believe in the Affordable Care Act or 
not, you in the Congress wrote the Privacy Act. You imposed 
criminal penalties for violations of the Privacy Act and so 
those of us who are in the Executive branch or were in the 
Executive branch, we are supposed to be respecting that. I 
found the HHS disregard for the Privacy Act to be really 
shocking.
    Mr. Meehan. Let's pursue that for a second. Again, as a 
former prosecutor, I am concerned about this issue of routine 
use and, for the record, routine use is, ``a disclosure of a 
record, the use of such record for a purpose which is 
compatible with the purpose for which it was collected.''
    So anything beyond that would be a violation of routine 
use. So we are already beginning to collect information that 
relies to some database and then there is a broad, broad 
expansion of how information originally collected is going to 
be utilized. Is that not accurate?
    Mr. Astrue. Yes, that is correct.
    Mr. Meehan. Okay, so even if there is an interpretation 
with regard to that within routine use because it is all part 
of a hub and it is used as verification, one of the great 
concerns I have has been the derivative use of information that 
is being gathered by navigators.
    So where we have navigators who are going to be asking 
personally identifying information, do we have any checks on 
whether or not they will have any other kind of use except for 
the sole purpose, the entire sole purpose of facilitating 
activities on the exchange?
    Mr. Astrue. No, I think that is a fine point. You, Mr. 
Chairman, and other Members of the committee earlier pointed 
out that these are not even typical Americans. These are 
disproportionately disadvantaged Americans in some of our most 
vulnerable populations.
    To send navigators out with a minimum of training, no 
background checks in many instances, that is an invitation for 
fraud. I have spent--I have been working on fraud against the 
elderly since 1979 off and on in my career, and I just shudder 
at the thought of untrained people, unsupervised by, in any 
substantial way by HHS, going out with no real monitoring or 
accountability systems saying, ``Hi, I am here from the Federal 
Government. Let's talk about some of the most intimate choices 
you need to do, and you need to apply for this, and by the way, 
what is your Social Security number?''
    I mean, that is exactly the thing that the inspector 
general should be screaming bloody murder about because if that 
is not an invitation to widespread fraud against our most 
vulnerable people in this country, I don't know what is.
    Mr. Meehan. Are you aware of whether or not there is, 
within this, the requirement that there be background checks 
for any individual who is going to serve as a navigator?
    Mr. Astrue. My understanding is that many of these people 
are being hired without background checks.
    Mr. Meehan. So somebody could be actually convicted of 
identity theft and then become a navigator?
    Mr. Astrue. I think you need to ask----
    Mr. Meehan. Mr. Salo, is that accurate? Are you doing 
background checks on anybody that you are familiar with?
    Mr. Salo. Navigators aren't actually a Medicaid function so 
we are not directly involved in the hiring of them so I can't 
speak to whether or not there are adequate background checks or 
other securities there.
    Mr. Meehan. Mr. Astrue, let me just ask one other question 
again because I am trying to create a record because I want to 
see what is going to happen at some future time, and the bottom 
line is again because we can foresee the potential for 
utilization of information that is beyond the scope of even an 
interpretation of what would routine use be and we have now 
identified.
    Now those people who have certified the stability of this 
system in light of the recognition that those are potential 
things here, willful acts of the privacy, the Federal 
Government itself, and I have the case law that supports it.
    It is a willful--it is the--imposes liability on the agency 
when they violate the Privacy Act by willful or an intentional 
matter either by committing the act without grounds for 
believing it to be lawful or flagrantly disregarding other's 
rights under the Act.
    Mr. Astrue. That is exactly right and the issue first came 
to my attention, and I know I talked to a Washington Post 
reporter last night who was quite sure that everything I said 
was horribly political and ideological, but this issue first 
came to my attention because my own civil servants who would be 
doing this came to me and said, ``I am afraid I am going to be 
prosecuted for doing this.''
    Mr. Meehan. Wouldn't it be prudent and do you believe that 
the standard of responsibility is such that before certifying 
it there would be checks to assure that people with criminal 
records would not have access to personally identifying 
information of individuals who were going to be signed on to 
the exchange?
    Mr. Astrue. Absolutely. They are going to be asking for 
extraordinarily sensitive information in many cases including--
it is just a Social Security number. You know, people can run 
wild and destroy someone's life, you know, taking a Social 
Security number. It is a big problem in our society.
    Mr. Meehan. My time has expired.
    I now ask the Ranking Member if she has follow-up 
questions.
    Ms. Clarke. I do, Mr. Chairman.
    I would like to follow up with Mr. Salo. Your testimony 
mentions all of the ways in which States and State Medicaid 
programs already work with a variety of public and private data 
systems. State Medicaid programs already communicate with 
Federal agencies to verify citizenship. Isn't that correct?
    Mr. Salo. That is correct.
    Ms. Clarke. They may communicate with other programs like 
TANF and SNAP as well?
    Mr. Salo. Correct.
    Ms. Clarke. They also communicate with private entities 
like private insurance companies, right?
    Mr. Salo. Correct.
    Ms. Clarke. Is it correct for me to assume that data that 
is transmitted is personally identifiable?
    Mr. Salo. In many cases, yes it is. Not always, but if it 
needs to be, it is.
    Ms. Clarke. So State Medicaid programs across the country 
have for years exchanged personally identifiable data with 
Federal and private data systems. We know that any data system 
can be susceptible to a breach, but have State Medicaid 
programs experienced any program beyond of those we see in the 
data systems of private industry?
    Mr. Salo. No.
    Ms. Clarke. So could State Medicaid programs function 
without this ability to share and retrieve data from other 
systems?
    Mr. Salo. No, and I don't think we would want it to.
    Ms. Clarke. You have described a heavy lift for States, but 
also a good partnership with the Federal Government to get this 
accomplished. It is my understanding that HHS has made a 90:10 
matching rate available for upgrades to States' eligibility and 
enrollment systems regardless of whether a State chooses to 
expand.
    Can you comment on the number of States that have availed 
themselves of this funding?
    Mr. Salo. Yes, my understanding is that literally every 
State has availed itself of that funding. There were certainly 
some examples of States that had turned back other specific 
funding for, call it early innovator grants, but in terms of 
the money that it took and that it is taking to update, to 
upgrade, to transform the current Medicaid eligibility systems, 
many of which are legacy systems that go back unfortunately to 
the 1980s, every State has availed itself of the 90:10 funding.
    The question then actually is: Is 90:10 enough? The 
question is: Even with that, even if there were enough funding, 
is there enough time to make those changes? Is there the 
bandwidth within the IT systems vendor community?
    You know, I often used to joke that when we look at the 
history of Medicaid and systems changes, the number of times 
that you got a contract in on time, on budget, and to spec was, 
well three times in the history of Medicaid.
    [Laughter.]
    Mr. Salo. So, a lot of people, I think myself included 
would argue you just need to do something very, very different 
here. But having said that, in the run-up to October 1, and in 
the time soon thereafter, the States and the Feds and the IT 
systems vendors have worked double, triple, quadruple overtime 
to make this work.
    So we do believe the system will be up and running come 
October 1. As I said, it will be bumpy. The consumer experience 
will not be a smooth and seamless Travelocity, but it will be a 
system in place that with workarounds, with, you know, having 
contingency plans going back to using paper, going into the 
Medicaid office, what have you, insurance and subsidies, and 
that will be available, and it is our goal, it is our plan over 
the next couple of months to make sure that we improve that as 
we go.
    Ms. Clarke. I would agree with you. So much of our 
information is in the public and private domain that, you know, 
I think we need to take a step back and give this an 
opportunity to rollout and work with it to make sure that the 
American people get the very best access to health insurance 
that they possibly can.
    I mean, just about every American has had an opportunity to 
go on-line and to provide information and you know, we don't 
have the most secure, unbreachable IT operations in our own 
homes and families.
    So to sort of prejudge just how secure this process will 
be, will be pretty relative to the security of our IT systems, 
Nation-wide, the ones that we use each and every day whether it 
is to pay a phone bill, whether it is to purchase something on-
line.
    I am concerned that we not create a panic around the 
situation but that we give it our best efforts in terms of 
providing an opportunity to make this thing work and to work 
out the kinks as we go along.
    There are going to be kinks. We all know that. There is not 
one system that I know of that has been perfect. People have 
bought iPhones and they have been, you know, breachable right 
out of the box. So, you know, let's not sit here and act as 
though we have perfection on our side.
    Personal information is critical and its security is 
critical to all of us, but at the same time we have managed 
given the massive use of IT systems around this Nation to keep 
breaches to a minimum given the number of people and 
transactions that take place each and every day.
    With that, Mr. Chairman, I yield back.
    Mr. Meehan. Well I want to thank the gentlelady for 
yielding back.
    I want to thank each of the witnesses for your testimony 
here today. I am grateful and I appreciate, with the exception 
of Ms. Daly, each and every one of you effectively don't have 
to be here, that you were responsive to our inquiries, and I am 
grateful for your taking the time using your professional 
expertise to help us better understand a situation in which it 
is still my considered opinion that this hearing has 
demonstrated by virtue of testimony even more questions about 
the readiness.
    There has been testimony as said it is not a question that 
this needs to be a stepping-off point to prevent a system from 
being put in place, but is it ready to go today?
    At a certain point, is it so clear that it is not ready 
that the requirements that are continuing to push this forward 
at a certain point start to become perhaps not even just 
negligent, but otherwise. Great concern to me.
    Once again, I want to thank each of the panelists for their 
valuable testimony.
    Well, I am not getting ready to close because the Member 
from Pennsylvania has one final question.
    Mr. Marino. Thank you. I refer to my prosecutorial 
background as the Chairman does. We were U.S. attorneys 
together, but I want to bring up two points if I may.
    Mr. Astrue, you were questioned about when you left the 
agency, and I think it was pointed out that you hadn't been 
there in, what would it be now, 9 months or 8 months. How long 
were you with the agency before that?
    Mr. Astrue. Six years and a day.
    Mr. Marino. You based your opinion on your experience over 
that 6-year period and what you had gleaned even before that in 
your career.
    Mr. Astrue. Sure, and since that time, I have tried to keep 
up on the issue. I don't call into the agency, but people 
retire, you talk to people----
    Mr. Marino. Well, we do call into the agency and ask 
because we get calls from our constituents, ``What do I do 
about this?'' ``What do I do about that?''
    Since last year up until September, and I get the same 
answers now in September that I did last year and in January 
and February of this year is ``We don't know.'' So given the 
fact that there have been waivers, delays, I don't think much 
has changed over the last 1.5 to 2 years.
    In conclusion, ma'am, could you please tell me, did you 
ever have a point when you were doing these investigations 
concerning security that you thought maybe a statement should 
have been made to HHS, Health and Human Services, HHS 
concerning I don't have enough data to form an opinion as to 
what the security is going to be or not be?
    Ms. Daly. Well, Congressman, I want to focus--initially, on 
the scope of our work, the scope of our work really wasn't to 
provide an opinion. We were actually going out there to do just 
an audit over that. We were provided the data that we had 
requested if it was, even had been created.
    That is one of the challenges. I have done a number of 
system development jobs over my career of a variety of systems 
and it is always a challenge when you are doing this because 
you are doing something that doesn't exist yet and so that 
makes it more challenging to get all of the information----
    Mr. Marino. Good point. I mean, did you ever raise that? 
These things do not exist yet, so how can we form a conclusion, 
a factual conclusion?
    Ms. Daly. Well, that is exactly right. So in those cases, 
that is why we reported that the information wasn't available 
and when they expected to have it available. That is clearly 
what was in our report.
    If you could beg me an indulgence, I would like to say that 
I think our office of inspector general is one of the most 
highly-respected in the accountability community and that we do 
a tremendous job for the American citizen and taxpayer.
    Our office returned $6.9 billion in expected recoveries 
last year along with over 1,100 civil and criminal actions, and 
I think our record speaks for itself. Thank you.
    Mr. Marino. We rely on you.
    Ms. Daly. Thank you. Thank you.
    Mr. Marino. We rely on you.
    Again, thank you so much.
    Chairman, thank you so much for indulging me.
    Mr. Meehan. Thank you.
    Ms. Daly, I do thank you for your service.
    I thank each of the panelists. The Members of the committee 
may have some additional questions for the witnesses, and if 
they are directed to you I would ask that if you can, you would 
respond in writing.
    So without objection, the committee, the subcommittee now 
stands adjourned.
    [Whereupon, at 4:32 p.m., the subcommittee was adjourned.]

                                 
