b'<html>\n<title> - THE THREAT TO AMERICANS\' PERSONAL INFORMATION: A LOOK INTO THE SECURITY AND RELIABILITY OF THE HEALTH EXCHANGE DATA HUB</title>\n<body><pre>[House Hearing, 113 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n \nTHE THREAT TO AMERICANS\' PERSONAL INFORMATION: A LOOK INTO THE SECURITY \n            AND RELIABILITY OF THE HEALTH EXCHANGE DATA HUB \n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                     SUBCOMMITTEE ON CYBERSECURITY,\n                       INFRASTRUCTURE PROTECTION,\n                       AND SECURITY TECHNOLOGIES\n\n                                 of the\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED THIRTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                           SEPTEMBER 11, 2013\n\n                               __________\n\n                           Serial No. 113-33\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n                                     \n\n               [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n                                     \n\n      Available via the World Wide Web: http://www.gpo.gov/fdsys/\n\n                               __________\n\n                         U.S. GOVERNMENT PRINTING OFFICE \n\n86-247 PDF                       WASHINGTON : 2013 \n-----------------------------------------------------------------------\n  For sale by the Superintendent of Documents, U.S. 
Government Printing \n  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800 \n         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \n                          Washington, DC 20402-0001\n\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n                   Michael T. McCaul, Texas, Chairman\nLamar Smith, Texas                   Bennie G. Thompson, Mississippi\nPeter T. King, New York              Loretta Sanchez, California\nMike Rogers, Alabama                 Sheila Jackson Lee, Texas\nPaul C. Broun, Georgia               Yvette D. Clarke, New York\nCandice S. Miller, Michigan, Vice    Brian Higgins, New York\n    Chair                            Cedric L. Richmond, Louisiana\nPatrick Meehan, Pennsylvania         William R. Keating, Massachusetts\nJeff Duncan, South Carolina          Ron Barber, Arizona\nTom Marino, Pennsylvania             Dondald M. Payne, Jr., New Jersey\nJason Chaffetz, Utah                 Beto O\'Rourke, Texas\nSteven M. Palazzo, Mississippi       Tulsi Gabbard, Hawaii\nLou Barletta, Pennsylvania           Filemon Vela, Texas\nChris Stewart, Utah                  Steven A. Horsford, Nevada\nRichard Hudson, North Carolina       Eric Swalwell, California\nSteve Daines, Montana\nSusan W. Brooks, Indiana\nScott Perry, Pennsylvania\nMark Sanford, South Carolina\n                       Greg Hill, Chief of Staff\n          Michael Geffroy, Deputy Chief of Staff/Chief Counsel\n                    Michael S. Twinchek, Chief Clerk\n                I. Lanier Avant, Minority Staff Director\n                                 ------                                \n\nSUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY \n                              TECHNOLOGIES\n\n                 Patrick Meehan, Pennsylvania, Chairman\nMike Rogers, Alabama                 Yvette D. Clarke, New York\nTom Marino, Pennsylvania             William R. 
Keating, Massachusetts\nJason Chaffetz, Utah                 Filemon Vela, Texas\nSteve Daines, Montana                Steven A. Horsford, Nevada\nScott Perry, Pennsylvania, Vice      Bennie G. Thompson, Mississippi \n    Chair                                (ex officio)\nMichael T. McCaul, Texas (ex \n    officio)\n               Alex Manning, Subcommittee Staff Director\n                    Dennis Terry, Subcommittee Clerk\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               Statements\n\nThe Honorable Patrick Meehan, a Representative in Congress From \n  the State of Pennsylvania, and Chairman, Subcommittee on \n  Emergency Preparedness, Response, and Communications...........     1\nThe Honorable Yvette D. Clarke, a Representative in Congress From \n  the State of New York, and Ranking Member, Subcommittee on \n  Emergency Preparedness, Response, and Communications:\n  Oral Statement.................................................     3\n  Prepared Statement.............................................     6\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Ranking Member, Committee on \n  Homeland Security:\n  Prepared Statement.............................................     7\n\n                               Witnesses\n\nMr. Michael J. Astrue, Former Social Security Commissioner, \n  Former U.S. Department of Health and Human Services General \n  Counsel:\n  Oral Statement.................................................     9\n  Prepared Statement.............................................    11\nMr. Stephen T. 
Parente, Ph.D., Minnesota Insurance Industry Chair \n  of Health Finance, Director, Medical Industry Leadership \n  Institute, Professor, Department of Finance, Carlson School of \n  Management, University of Minnesota:\n  Oral Statement.................................................    13\n  Prepared Statement.............................................    15\nMs. Kay Daly, Assistant Inspector General, Audit Services, U.S. \n  Department of Health and Human Services:\n  Oral Statement.................................................    16\n  Prepared Statement.............................................    17\nMr. Matt Salo, Executive Director, National Association of \n  Medicaid Directors:\n  Oral Statement.................................................    21\n  Prepared Statement.............................................    23\n\n                             For the Record\n\nThe Honorable Yvette D. Clarke, a Representative in Congress From \n  the State of New York, and Ranking Member, Subcommittee on \n  Emergency Preparedness, Response, and Communications:\n  Letter.........................................................     5\n\n\nTHE THREAT TO AMERICANS\' PERSONAL INFORMATION: A LOOK INTO THE SECURITY \n            AND RELIABILITY OF THE HEALTH EXCHANGE DATA HUB\n\n                              ----------                              \n\n\n                     Wednesday, September 11, 2013\n\n             U.S. House of Representatives,\n                    Committee on Homeland Security,\n Subcommittee on Cybersecurity, Infrastructure Protection, \n                                 and Security Technologies,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 2:02 p.m., in \nRoom 311, Cannon House Office Building, Hon. 
Patrick Meehan \n[Chairman of the subcommittee] presiding.\n    Present: Representatives Meehan, Rogers, Marino, Perry, \nClarke, Vela, and Horsford.\n    Also present: Representative Jackson Lee.\n    Mr. Meehan. The Committee on Homeland Security, \nSubcommittee on Cybersecurity, Infrastructure Protection, and \nSecurity Technologies will come to order.\n    The subcommittee is meeting today to examine the security \nand reliability of the Health Exchange Data Hub and the \nexistence of any threat to Americans\' personal information.\n    Before beginning my opening statement, I think it is only \nappropriate on a day like today that we take a moment and join \nin a moment of silence, remembrance of the victims of September \n11 as we recognize the twelfth anniversary of that terrible \ntragedy.\n    I thank you.\n    I now recognize myself for an opening statement.\n    Today\'s hearing, ``A Threat to Americans\' Personal \nInformation: A Look into the Security and Reliability of the \nHealth Exchange Data Hub\'\' is the second hearing on this issue \nin less than 2 months by this committee or associated with this \ncommittee.\n    The Federal Data Services Hub was established under the \nrulemaking for the Patient Protection and Affordable Care Act. 
\nIts purpose is to be the one-stop shop to connect applicants to \nthe Affordable Care Act exchanges.\n    The hub will connect to multiple Federal agencies including \nthe Social Security Administration to verify an applicant\'s \nSocial Security number, the IRS, to verify income and really \nnot just for an applicant, but for an applicant\'s spouse and \nchildren and others.\n    The Department of Homeland Security to verify citizenship \nand immigration status as well as other Federal agencies to \ndetermine an applicant\'s eligibility for Federal health \ninsurance subsidies, the key aspect of it to be the ability to \narticulate the qualification, not just for subsidies but amount \nof subsidies.\n    Personally identifiable information for any applicant and \ntheir families will pass through the data hub from these \nvarious agencies. In fact, over 20 million Americans are \nexpected to enter the exchange over the next 5 years, and I \nknow we will hear testimony about what the scope of this \nexchange is expected to be.\n    This information will include an applicant\'s name, address, \ndate of birth, Social Security number, household income, health \nstatus including whether an applicant is pregnant or has a \ndisability, and will be stored in the exchange system of \nrecords for up to 10 years, stored in the system for up to 10 \nyears.\n    The Government Accountability Office in a June 2, 2013 \nreport called the hub, ``a complex undertaking involving the \ncoordinated actions of multiple Federal, State, and private \nstakeholders.\'\' The report concluded that, ``a timely and \nsmooth implementation by October 13, 2013 cannot yet be \ndetermined.\'\'\n    In July, this subcommittee convened a joint hearing with \nthe House Oversight and Government Reform Subcommittee. 
We \nheard directly from Centers for Medicare and Medicaid Services, \nDirector Marilyn Tavenner, and acting commissioner of the IRS, \nDaniel Werfel, among others on the implementation of the hub.\n    My personal take-away from that hearing is that CMS was not \nready to embark on this giant responsibility. Since our \nhearing, the Health and Human Services inspector general \nconducted a report on the implementation of the hub from a \nsecurity perspective.\n    The IG report stated that the several critical tasks \nremained to be completed in a short period of time. That is why \nwe are here today, to examine CMS\' progress in securing \nAmerica\'s personal information.\n    I am thankful to the inspector general who sent a \nrepresentative to participate in today\'s hearing. As we sit \njust 20 days removed from the exchanges and the data hub, going \nlive on October 1, I have grave concerns from a cybersecurity \nstandpoint.\n    We have assembled a panel of witnesses uniquely qualified \nin commenting on the scope and readiness of the mounting task \nat hand. I thank them for participating, and I look forward to \nhearing their testimonies.\n    Let me conclude my comments by saying that this is not a \nhearing that goes into the policy implications behind the \nAffordable Care Act. 
It is not our purpose here today to try to \nraise that issue.\n    But we are a committee that is focused and focused \nimportantly on the security of American citizens, and one of \nthe highest issues we currently see is an appreciation for \npersonal privacy and private identifying information and what \nthe misuse of that information cannot just mean directly to a \nperson but to a person who then has to go about trying to fix \nthat in their lives.\n    In the best of times, we have seen dramatic growth in those \nwho have used and developed new and innovative ways to steal \nthat information to use it in the markets in a variety of \ndifferent capacities.\n    So as we have dealt with increasing sophistication in those \nwho would try to steal them and manipulate this information, we \nalso recognize that we are in a unique time as well.\n    A time in which cyber information is not just there to be \nmanipulated or used or stolen by those if it is not \nappropriately secure, but we face a time in which there are \nvery sophisticated actors, including state actors who may wish \nto do us harm.\n    A database that it is the core of one of the central \nexpenditures of American resources can certainly, foreseeably \nbe a target. The extent to which we are ready not just for the \nkinds of challenges that are facing security databases in the \nnormal course of business but the preparation readiness to \nstand up to what may be a sophisticated attack and one that \nseeks to do us damage are all relevant considerations for us at \nthis important point.\n    These are some of the issues I want to ask about the \nreadiness before we get ready to go, and I appreciate those of \nyou who are here today who are ready to testify on your \nopinions and knowledge with regard to the readiness of this \ndatabase.\n    Now the Chairman now recognizes the Ranking Minority Member \nof the subcommittee, the gentlelady from New York, Ms. 
Clarke, \nfor any statement that she may have.\n    Ms. Clarke. I thank you, Mr. Chairman, for holding a second \nhearing on one of the most important features of the Affordable \nCare Act, and I welcome our witnesses here today.\n    When President Obama signed the Affordable Care Act in the \nEast Room of the White House on March 23, 2010, the Federal \nGovernment started planning to operate health care insurance \nmarket places, also called exchanges, and assist States that \nopted to run their own marketplaces.\n    All of this involves developing a complex computer web-\nbased service that would allow millions of Americans access to \naffordable health care in the most efficient and safe way \npossible.\n    This is a large undertaking and involves a complicated \ninter-agency IT and web-based software effort commonly known as \nthe Federal Data Services Hub based at the Department of Health \nand Human Services Center for Medicare, Medicaid Services, or \nCMS.\n    What is important about this effort is that we must create, \ncollect, and use or disclose personal information of millions \nof our citizens in a responsible and confidential way.\n    The health care marketplaces must establish and implement \ncyber and personal information protection standards that are \nconsistent with specific principles outlined in our current \nhealth care law.\n    Those principles which are comparable to the ones upon \nwhich the HIPAA, the Health Insurance Portability and \nAccountability Act, provide and they include No. 1, providing a \nright of access to one\'s personally identifying information \ncommonly referred to as PII, a right to have erroneous \ninformation corrected, and No. 
3, providing accountability \nthrough appropriate monitoring and reporting of information \nbreaches.\n    Exchanges must also establish and implement reasonable \noperational, technical, administrative, and physical safeguards \nto ensure the confidentiality, integrity, and availability of \nPII and to prevent unauthorized or inappropriate access, use, \nor disclosure of PII.\n    In addition, health exchanges must monitor, periodically \naccess, and update their security controls and must develop and \nuse secure electronic interfaces when sharing PII \nelectronically.\n    CMS has completed its technical design and build of Federal \nData Services Hub and has established an inter-agency security \nframework as well as the protocols for connectivity.\n    Importantly, in a letter to Ranking Member Thompson this \nmorning, HHS has revealed that as of Friday, September 6, they \nhad taken the necessary steps to obtain security authorization \nfor the data hub and the CMS chief information officer has \nassigned to the security authorization.\n    This is an important milestone and it shows that CMS will \nbe ready to operate the hub securely on October 1.\n    This will provide a common, secure connection for \nmarketplaces to seek information from Federal databases \nnecessary to verify eligibility, excuse me, for the millions of \nAmericans who can begin to shop for quality, affordable health \ncare coverage in just a few weeks.\n    The hub has several layers of protection to mitigate \ninformation security risks. For example, marketplace systems \nwill employ a continuous monitoring model that will utilize \nsensors and active event monitoring to quickly identify and \ntake action.\n    Let us remember, it is simple. The Data Services Hub will \ntransfer data and be used to verify applicant information data \nfor eligibility. The Data Services Hub is not a database. It \nwill not function as a database. 
It will not contain health \ncare records.\n    The hub will send queries and responses among given \nmarketplaces and data services to determine eligibility. The \nData Services Hub will not determine consumer eligibility nor \nwill it determine which health plans are available in the \nmarketplaces.\n    CMS and its vendors have told us and testified before this \nsubcommittee and Energy and Commerce subcommittees that \ndelivery milestones for the Data Services Hub completion are \nbeing met on time and they expect that the Data Services Hub \nwill be ready as planned by October 1.\n    I am looking forward to the testimony of the HHS Office of \nthe Inspector General to learn more about their important role \nin the implementation of the Federal data hub.\n    Also, we are going to hear testimony today from the \ndirector of the State Medicaid Directors Association whose \nmembers have been working on this effort from the ground up.\n    I am eager to learn about the massive efforts of that State \nand the Federal Centers for Medicaid and Medicaid Services have \nmade to stand up to this complex data hub. This is the kind of \ninformation we need to help us deliver health care to citizens \nwho really need it.\n    Mr. Chairman, I ask for unanimous consent to submit a copy \nof the letter received by Ranking Member Bennie Thompson.\n    Mr. Meehan. Without objection, so ordered.\n    [The information follows:]\n          Letter Submitted by Ranking Member Yvette D. Clarke\n                     Washington, DC, Sep. 10, 2013.\nThe Honorable Bennie Thompson,\nRanking Member, Committee on Homeland Security, U.S. House of \n        Representatives, Washington, DC 20515.\n    Dear Representative Thompson: Thank you for your inquiry related to \nprivacy and security protections associated with the Data Services Hub \n(hub) and the status of our work to protect people and programs from \ncyber-attacks in this area. 
At the Department of Health and Human \nServices (HHS), we take very seriously our responsibility to safeguard \npersonal information in all of our programs, including in the \nAffordable Care Act Marketplace. Collectively, the tools, methods, \npolicies, and procedures we have developed provide a safe and sound \nsecurity framework to safeguard consumer data, allowing eligible \nAmericans to confidently and securely enroll in quality affordable \nhealth coverage starting on October 1, 2013. This framework is \nconsistent with the framework that exists for all other HHS programs, \nsuch as Medicare, which Americans rely on every day.\n    HHS\'s Centers for Medicare & Medicaid Services (CMS) has a strong \ntrack record of preventing breaches involving the loss of personally \nidentifiable information from cyber-attacks. This is due in large part \nto the establishment of an information security program with consistent \nrisk management, security controls assessment, and security \nauthorization processes for all enterprise systems. Our system and \nsecurity protocols are grounded in statutes, guidelines and industry \nstandards that ensure the security, privacy, and integrity of our \nsystems and the data that flow through them. These protections include \na series of statutes and amendments to these laws, such as the Privacy \nAct of 1974, the Computer Security Act of 1987 and the Federal \nInformation Security Management Act (FISMA) of 2002, as well as various \nregulations and policies promulgated by HHS, the Office of Management \nand Budget, the Department of Homeland Security, and the National \nInstitute of Standards and Technology (NIST).\n    In accordance with these provisions, CMS has developed the hub, a \nrouting tool that helps Marketplaces provide accurate and timely \neligibility determinations. It is important to point out that the hub \nwill not retain or store Personally Identifiable Information. 
Rather, \nthe hub is a routing system that CMS is using to verify data against \ninformation contained in already existing, secure, and trusted Federal \nand State databases. CMS will have security and privacy agreements with \nall Federal agencies and States with which we are validating data. \nThese include the Social Security Administration, the Internal Revenue \nService, the Department of Homeland Security, the Department of \nVeterans Affairs, Medicare, TRICARE, the Peace Corps, and the Office of \nPersonnel Management.\n    The hub is designed to comply with the comprehensive information \nsecurity standards developed by NIST in support of FISMA. NIST has \nemerged as the gold standard for information security standards and \nguidelines that all Federal agencies follow. Several layers of \nprotection will be in place to help protect against potential damage \nfrom attackers and mitigate risks. For example, the hub will employ a \ncontinuous monitoring model that will utilize sensors and active event \nmonitoring to quickly identify and take action against irregular \nbehavior and unauthorized system changes that could indicate potential \nattacks. Automated methods will ensure that system administrators have \naccess to only the parts of the system that are necessary to perform \ntheir jobs. These protocols, combined with continuous monitoring, will \nalert system security personnel when any system administrator attempts \nto perform functions or access data for which they are not authorized \nor are inconsistent with their job functions.\n    Should security incidents occur, an Incident Response capability \nbuilt on the model developed by NIST would be activated. 
The Incident \nResponse function allows for the tracking, investigation, and reporting \nof incidents so that HHS may quickly identify security incidents and \nensure that the relevant law enforcement authorities, such as the HHS \nOffice of Inspector General Cyber Crimes Unit, are notified for \npurposes of possible criminal investigation.\n    Before Marketplace systems are allowed to operate and begin serving \nconsumers across the country, they must comply with the rigorous \nstandards that we apply to all Federal operational systems and CMS\'s \nChief Information Officer must authorize the systems to begin \noperation. I am pleased to report that the hub completed its \nindependent Security Controls Assessment on August 23, 2013 and was \nauthorized to operate on September 6, 2013. The completion of this \ntesting confirms that the hub comports with the stringent standards \ndiscussed above and that HHS has implemented the appropriate procedures \nand safeguards necessary for the hub to operate securely on October 1.\n    The privacy and security of consumer data are a top priority for \nHHS and our Federal, State, and private partners. We understand that \nour responsibility to safeguard our systems is an on-going process, and \nthat we must remain vigilant throughout their operations to anticipate \nand protect against evolving data security threats. Accordingly, we \nhave implemented privacy and security measures for the Marketplace \nsystems that employ measures similar to those in the private sector and \nwe will continually validate through a variety of methods.\n    In closing, we have produced an extremely strong enterprise \ninformation security program by implementing state-of-the-art controls \nand business processes based on statutory requirements, agency and \norganizational commitments, best practices, and the experience and \nknowledge of our subject matter team members. 
This has resulted in the \ndevelopment, testing, and readiness of the hub to operate on October 1 \nto serve consumers across the country in a secure and efficient manner. \nWe hope this information is responsive to your inquiry. Thank you for \nyour interest in and leadership on this important issue.\n            Sincerely,\n                                          Marilyn Tavenner.\n\n    Ms. Clarke. Thank you, Mr. Chairman, and I yield back.\n    [The statement of Ranking Member Clarke follows:]\n              Statement of Ranking Member Yvette D. Clarke\n                           September 11, 2013\n    Thank you Mr. Chairman for holding a second hearing on one of the \nmost important features of the Affordable Care Act.\n    When President Obama signed the Affordable Care Act in the East \nRoom of the White House on March 23, 2010, the Federal Government \nstarted planning to operate health care insurance marketplaces, also \ncalled exchanges, and assist States that opted to run their own \nmarketplaces.\n    All of this involves developing a complex computer web-based \nservice that would allow millions of Americans access to affordable \nhealth care, in the most efficient and safe way possible.\n    This is a large undertaking, and involves a complicated inter-\nagency IT and web-based software effort, commonly known as a ``Federal \nData Services Hub\'\' based at The Department of Health and Human \nServices, Center for Medicare and Medicaid Services, or CMS.\n    What is important about this effort is that we must create, \ncollect, and use or disclose personal information of millions of our \ncitizens in a responsible and confidential way.\n    The health care marketplaces must establish and implement cyber and \npersonal information protection standards that are consistent with \nspecific principles outlined in our current health care law.\n    Those principles, which are comparable to the ones upon which the \nHIPAA, the Health Insurance Portability 
and Accountability Act provide, \nand they include:\n  <bullet> Providing a right of access to one\'s Personally Identifying \n        Information, commonly referred to as PII;\n  <bullet> A right to have erroneous information corrected;\n  <bullet> And providing accountability through appropriate monitoring \n        and reporting of information breaches.\n    Exchanges must also establish and implement reasonable operational, \ntechnical, administrative, and physical safeguards to ensure the \nconfidentiality, integrity, and availability of PII, and to prevent \nunauthorized or inappropriate access, use, or disclosure of PII.\n    In addition, Health Exchanges must monitor, periodically access, \nand update their security controls, and must develop and use secure \nelectronic interfaces when sharing PII electronically.\n    CMS has completed its technical design, and build of Federal Data \nServices Hub and has established an interagency security framework as \nwell as the protocols for connectivity.\n    Importantly, in a letter to Ranking Member Thompson this morning, \nHHS has revealed that as of Friday, September 6, they had taken the \nnecessary steps to obtain security authorization for the data hub, and \nthe CMS Chief Information Officer has signed the security \nauthorization. This is an important milestone, and it shows that CMS \nwill be ready to operate the hub securely on October 1.\n    This will provide a common, secure connection for Marketplaces to \nseek information from Federal databases necessary to verify eligibly \nfor the millions of Americans can begin to shop for quality, affordable \nhealth coverage in just a few weeks.\n    The hub has several layers of protection to mitigate information \nsecurity risk. For example, Marketplace systems will employ a \ncontinuous monitoring model that will utilize sensors and active event \nmonitoring to quickly identify and take action.\n    Let us remember, it\'s simple . . . 
the Data Services Hub will \ntransfer data and be used to verify applicant information data for \neligibility. The Data Services Hub is NOT a database, it will not \nfunction as a database, and it will not contain health care records.\n    The hub will send queries and responses among given marketplaces \nand data sources to determine eligibility. The Data Services Hub will \nnot determine consumer eligibility, nor will it determine which health \nplans are available in the marketplaces.\n    CMS and its vendors have told us, and testified before this \nsubcommittee and Energy and Commerce subcommittees, that delivery \nmilestones for the Data Services Hub completion are being met on time, \nand they expect the Data Services Hub will be ready as planned by \nOctober 1.\n    I am looking forward to the testimony of the HHS Office of \nInspector General to learn more about their important role in the \nimplementation of the Federal Data Hub.\n    Also, we are going to hear testimony today from the director of the \nState Medicaid Directors Association, whose members have been working \non this effort from the ground up.\n    I am eager to learn about the massive efforts that States, and the \nFederal Centers for Medicare and Medicaid Services, have made to stand \nup this complex data hub.\n    This is the kind of information we need to help us deliver health \ncare to citizens who really need it.\n    Mr. Chairman, I yield back.\n\n    Mr. Meehan. Okay. I thank the gentlelady.\n    Other Members of the committee are reminded that opening \nstatements may be submitted for the record.\n    [The statement of Ranking Member Thompson follows:]\n             Statement of Ranking Member Bennie G. Thompson\n                           September 11, 2013\n    Thank you, Mr. Chairman, for holding a second hearing on one of the \nmost important features of the Affordable Care Act. 
I also want to \nthank the witnesses for appearing here today.\n    On March 23, 2010, President Obama signed the Affordable Care Act \ninto law. I should note that today, the Majority will bring their 41st \nvote to undermine and repeal the Affordable Care Act to the Floor of \nthe House. The ACA requires the development of a computer-based service \nthat will allow millions of Americans the ability to purchase \naffordable health care policies for their families, in the most \nefficient and safest way possible. This undertaking requires the \ndevelopment of a ``Federal Data Services Hub.\'\'\n    My colleagues on the other side of the aisle have used the \ndevelopment of this hub to promote uncertainty and fear about the \nability of these computer systems to keep the personal and health \ninformation of millions of Americans safe and secure. I appreciate \ntheir concern. It seems that last year, a poll conducted by the \nNational Foundation for Credit Counseling found that 64% of Americans \nfear identity theft. Given the widespread fear of identity theft, the \nAmerican public should have the facts on whether there is any danger in \npersonal and health information leaking out or being hacked from this \nsystem.\n    This kind of assurance is extremely important if we want millions \nof people who do not have health care to feel that they can trust this \nsystem and use it to get the care they need and the policies they can \nafford. We all know that sowing fear in a new system is one way to \ndiscourage participation and drive down enrollment figures. I am sure \nno one would want that outcome. 
So here are the facts that people need
to know to have confidence in this system:
    (1) The use of computers to obtain, verify, and transmit
        information in Government programs is nothing new;
    (2) The information contained on your driver's license and Social
        Security card and any other piece of Government-issued
        identification you have is housed somewhere on a Government
        database;
    (3) The Federal Government and the States already use and exchange
        personal data to determine eligibility for various programs;
    (4) Leaks involving personal data by State and local governments
        are a rare occurrence. Information leaks involving personal
        data held by private companies, such as banks, credit card
        issuers, and retail stores, are common; and,
    (5) As of Friday, September 6, 2013, HHS/CMS had taken the
        necessary steps to obtain a security authorization for this
        system.
    Thus, while I appreciate the Majority's concern about the
Government's ability to safeguard this information, it appears to be
misplaced.
    Thank you, Mr. Chairman, and I yield back.

    Mr. Meehan. I am going to take a moment to introduce the
distinguished panel that we have before us, and we are
appreciating having such a distinguished panel on this topic.
    First, let me introduce Mr.
Michael Astrue who formerly
served as the commissioner of Social Security from 2007 until
January 2013 as well as the general counsel for the Department
of Health and Human Services from 1989 until 1992.
    As commissioner of Social Security, he focused his efforts
on reducing the disability backlog and improving services to
the public particularly through electronic services.
    He spearheaded highly-successful new systems for fast-
tracking disability claims, created National hearing centers to
reduce backlogs, and expanded and overhauled the agency's suite
of electronic services to make them simpler, faster, and more
user-friendly.
    Dr. Stephen Parente is the Minnesota Insurance Industry
Professor of Health Finance and Insurance in the Carlson School
of Management at the University of Minnesota. He specializes in
health economics, health insurance, medical technology
evaluation in health information technology.
    He is acknowledged as a National expert on using
administrative databases particularly Medicare and health
insurer data for health policy research and has served as a
consultant to several of the largest health care organizations
in the country.
    Ms. Kay Daly is the assistant inspector general for audit
services at the United States Department of Health and Human
Services.
    Ms. Daly's responsibilities include overseeing the chief
financial officer financial statement audits at HHS, reporting
on compliance with improper payment acts, providing oversight
of over 300 grant programs administered by HHS, and overseeing
audits related to the implementation of health care reform.
    Prior to joining HHS OIG, Ms. Daly worked at the Government
Accountability Office for 23 years.
    Finally, we are joined by Mr. Matt Salo. He is the
executive director of the National Association of Medicaid
Directors since February 2011.
    This is a newly-formed association.
It represents all 56 of
the Nation's State and territorial Medicaid directors and
provides them with a strong unified voice in National
discussions as well as a locus for technical assistance and
best practices.
    Mr. Salo formerly spent 12 years at the National Governors
Association where he worked on the Governor's Health Care and
Human Services agendas and spent 5 years prior to that as a
health policy analyst working for the State Medicaid directors.
    There will be full written statements of the witnesses
which will appear in the record.
    Now I have got to sort of make a judgment, and I see that
we have a little less than 8 minutes to go on the existing vote
responsibilities that we have. Having teed this very, very
impressive panel up, I am sort of hesitant to see a rain delay.
    So what I think I am going to recommend to our panel is
that we will vote as quickly as we can, and I will make the
representation that I will hustle back as quickly as I can,
gavel in as soon as I get here, and I know my colleagues will
do their best as well after last vote.
    I think it is probably better to allow the panelists to
testify in order than to start the process, break, and start
again.
    So with your forgiveness, so to speak, we thank you for
understanding the nature of the world in which we work and we
look forward upon our return to your testimony in engaging in,
in, in our dialogue.
    So, at the moment, the Chairman, the committee stands in
recess.
    Thank you.
    [Recess.]
    Mr. Meehan. The Committee and the Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection, and
Security Technologies will return to order.
    I thank you once again for your indulgence.
I know my
colleagues are working their way back as quickly as possible,
but we thank--we appreciate your indulgence, and now we would
like to create the opportunity for you to begin your testimony.
    As I have said before, the full written statements of
the witnesses will appear in the record. So I now look forward
to the verbal testimony of each of our witnesses on the issue
that we are here to meet with today.
    So the Chairman now recognizes Mr. Astrue for his
testimony. Thank you.
    Mr. Astrue, yes, you may want to touch--thank you.

    STATEMENT OF MICHAEL J. ASTRUE, FORMER SOCIAL SECURITY
   COMMISSIONER, FORMER U.S. DEPARTMENT OF HEALTH AND HUMAN
                    SERVICES GENERAL COUNSEL

    Mr. Astrue. Out of practice, sorry.
    Chairman Meehan, Ranking Member Clarke, and Members of the
subcommittee, no day is more fitting than 9/11 for us to
cherish and safeguard our liberties as Americans. Thank you for
inviting me here today.
    I testify only as a former official. A quarter-century ago,
I briefly was the White House's Privacy Act officer. I then
served as general counsel of the U.S. Department of Health &
Human Services and as commissioner of Social Security for
Presidents Bush and Obama. As commissioner, I also served as a
trustee of the Medicare Trust Fund.
    Some history helps us understand why we needed to have this
hearing. Infighting and paralysis marked the first year of the
effort to construct the Federal health exchanges, including
what is called the ``data hub.''
    Administrator Berwick claimed that he could not find the
money to build the system, and he criticized Congress for not
specifically appropriating money for it. He also criticized
Secretary Sebelius for refusing to release money from the ACA
discretionary fund.
    Berwick pressed other agencies to pay for the exchanges,
even though such payments would have violated appropriations
restrictions.
When development started in earnest after
Berwick's departure, CMS struggled to meet its deadlines.
    CMS' failures and delays have been common knowledge within
the administration, yet HHS was never candid with the States
about these problems as they were choosing either to build
their own exchanges or to use the CMS exchanges.
    From 2007-2013, I led the overhaul and expansion of the
Social Security's suite of electronic services. I personally
reviewed every major system before beta testing, and extensive
beta testing often revealed the need for delays to make
changes. We involved not only random focus groups, but also
advocates for various people, such as victims of domestic
violence.
    We need to be vigilant about the privacy of the data stored
in these types of systems, which I believe are not being
adequately protected by CMS.
    The defense offered by the HHS inspector general, the
Center for Democracy & Technology, and others, that the CMS
systems are just a ``routing tool,'' not a repository, is
either untrue or problematic.
    CMS needs to store data to create forensic trails necessary
to track security breaches. Failure to establish forensic
trails would create a serious issue under the Federal
Information Security Management Act of 2002 and would create a
serious operational vulnerability.
    We also need to know whether unauthorized changes of
insurance could leave Americans unexpectedly uninsured. We need
to know how CMS will define and respond to breaches.
    I know how important that is because I suffered through the
Office of Personnel Management's inept response when my personal
Federal financial records were breached 2 years ago.
We need to
know why many of the people who will deal with the public are
just being hired now and being hired without background checks.
    A rigorous authentication process may result in as many as
2 to 5 million people who will need to interact with CMS
contractors when they fail to access the system. Is CMS ready
for that workload or are they going to sacrifice service or
authentication?
    Greater transparency about these issues would have improved
the quality of the exchanges and would have increased public
confidence in the system, which is sorely lacking today.
    Both SSA and the IRS formally appealed to OMB that the
exchanges would violate the Privacy Act, violations which
potentially carry criminal penalties.
    OMB eventually denied that appeal, but in my view HHS will
be violating the Privacy Act on a massive scale by allowing
people to make insurance decisions for other adults without
their written consent. This feature of the system may also
allow domestic abusers to track down their victims.
    An August 2, 2013 inspector general report revealed that
the CMS schedule had slipped so badly that mandatory security
findings were scheduled for the day before implementation.
    Despite HHS' letter this morning, yesterday's testimony
before the House Energy and Commerce Committee indicates that
many States will be unready for October 1, and that CMS may be
unready given that the contractors were still citing October 1
as their date of readiness.
    The main reason we have so little information about the
status of the exchanges is the failure of the office of the HHS
inspector general. Relying only on interviews and documents,
its August 2, 2013 report on the exchanges contained less than
5 pages of analysis; its total work product for this subject
for the year.
    Moreover, the inspector general did not inspect the beta
version and meekly noted that CMS withheld security documents.

He ignored the vulnerabilities in the system that transmits,
largely through the so-called cloud, sensitive personal
information to CMS contractors and private insurers.
    He ignored the privacy issues, the security issues, and the
issues associated with poorly screened and trained contractors.
He did not assess usability, performance measures, governance,
or contingency plans. With HHS' greatly expanded role in health
care, Americans need an inspector general who is a watchdog,
not a lapdog.
    Congress is bitterly divided about the Affordable Care Act,
but the topics for my presentation should be common ground.
Whether or not you support an individual mandate, you can
embrace the principle that no one should be forced to sacrifice
privacy in order to comply with that mandate.
    To the best of my knowledge, work on systems that would
comply with the Privacy Act ended in early 2013. A system
respecting the Privacy Act would probably take an additional 6
to 18 months to develop.
    President Obama has delayed other parts of the Affordable
Care Act. Vulnerable Americans without lobbyists deserve the
same respect and deference given to the business community.
    You should support a moratorium on the exchanges until HHS
secrecy ends, and until we know whether uninsured Americans
will be forced to pay, along with their premiums, the high
price of their privacy, and the safety of their personal data.
    Thank you.
    [The prepared statement of Mr. Astrue follows:]
                Prepared Statement of Michael J. Astrue
                           September 11, 2013
    Chairman Meehan, Ranking Member Clarke, and Members of the
subcommittee, no day is more fitting than 9/11 for us to cherish and
safeguard our liberties as Americans.
    I testify today only as a former official. A quarter-century ago, I
briefly was the White House's Privacy Act officer. I then served as
general counsel of the U.S.
Department of Health & Human Services and
as commissioner of Social Security for Presidents Bush and Obama. As
commissioner, I also served as a trustee of the Medicare Trust Fund.
    Some history helps us understand why we needed to have this
hearing. Infighting and paralysis marked the first year of the effort
to construct the Federal health exchanges, including what is called the
``data hub.'' Administrator Berwick claimed that he could not find the
money to build the system, and he criticized Congress for not
specifically appropriating money for it. He also criticized Secretary
Sebelius for refusing to release money from the ACA discretionary fund.
    Berwick pressed other agencies to pay for the exchange, even though
such payments would violate appropriations restrictions. When
development started in earnest after Berwick's departure, CMS struggled
to meet its deadline. CMS's failures and delays have been common
knowledge within the administration, yet HHS was never candid with
States as they were choosing either to build their own exchanges or to
use the CMS exchanges.
    From 2007-2013, I led the overhaul and expansion of Social
Security's suite of electronic services. I personally reviewed every
major system before beta testing, and extensive beta testing often
revealed the need for delays to make changes. We involved not only
random focus groups, but also advocates for various people, such as
victims of domestic violence.
    We need to be very concerned about protecting the privacy of the
data stored in these types of systems, which I believe are not
adequately protected. The defense offered by the Center for Democracy &
Technology and others--that the CMS systems are just a ``routing
tool,'' not a repository--is either untrue or problematic.
CMS needs to
store data to create forensic trails necessary to track security
breaches; failure to establish forensic trails would create a serious
issue under the Federal Information Security Management Act of 2002.
    We need to know whether unauthorized changes of insurance could
leave Americans unexpectedly uninsured. We need to know how CMS will
define and respond to breaches--I know how important that is because I
suffered through OPM's inept response when my Federal financial records
were breached 2 years ago. We need to know why many of the people who
will deal with the public are just being hired now, and being hired
without background checks. A rigorous authentication process may result
in as many as 2 million people who will need to interact with CMS
contractors when they fail to access the system--is CMS ready for that
workload or are they going to sacrifice service or authentication?
Greater transparency about these issues would improve the quality of
the exchanges--and increase public confidence in the system.
    Both SSA and the IRS formally appealed to OMB that the exchanges
would violate the Privacy Act, violations which potentially carry
criminal penalties. OMB eventually denied that appeal, but in my view
HHS will be violating the Privacy Act on a massive scale by allowing
people to make insurance decisions for other adult family members
without their written consent. This feature of the system may well
allow domestic abusers to track down their victims.
    An August 2, 2013 inspector general report revealed that the CMS
schedule has slipped so badly that mandatory security findings are
scheduled for the day before implementation.
With no room for adequate
beta testing and revisions, HHS's claim that it will be ready to make
security findings on its September 30 deadline is a fiction designed to
preserve the larger fiction that the exchanges will be ready for
uninsured Americans.
    Before I conclude, I urge President Obama and Congress to
scrutinize the performance of HHS Inspector General Levinson. Relying
only on interviews and documents, his August 2, 2013 report on the
exchanges contained less than 5 pages of analysis. His staff did not
even try to use the beta version of the system.
    HHS cannot have it both ways. If the exchanges can function on
October 1, by July of this year there must have been a beta version.
However, the inspector general did not inspect the beta version, and
meekly noted that CMS withheld security documents. He ignored the
vulnerabilities of a system that transmits, largely through the so-
called ``cloud,'' sensitive personal information to CMS contractors and
private insurers. He ignored the privacy issues, the security issues,
and the issues associated with poorly screened and trained contractors.
He did not assess usability, performance measures, governance, or
contingency plans. With HHS's expanded role in health care, Americans
need an inspector general who is a watchdog, not a lapdog.
    Congress is bitterly divided about the Affordable Care Act, but
there should be common ground. Whether or not you support an individual
mandate, you can embrace the principle that no one should be forced to
sacrifice privacy in order to comply with that mandate. To the best of
my knowledge, work on systems that would comply with the Privacy Act
stopped in early 2013 after OMB brushed aside the Privacy Act appeals
of SSA and the IRS. A system respecting the Privacy Act would probably
take an additional 6-18 months to develop.
    President Obama has delayed other parts of the Affordable Care Act.

Vulnerable Americans without lobbyists deserve the same respect and
deference given to the business community. You should support a
moratorium on the exchanges until HHS secrecy ends, and until we know
whether uninsured Americans will be forced to pay--along with their
premiums--the high price of their privacy.
    Thank you.

    Mr. Meehan. Thank you, Mr. Astrue.
    The Chairman now recognizes Dr. Parente for his testimony.

  STATEMENT OF STEPHEN T. PARENTE, PH.D., MINNESOTA INSURANCE
 INDUSTRY CHAIR OF HEALTH FINANCE, DIRECTOR, MEDICAL INDUSTRY
LEADERSHIP INSTITUTE, PROFESSOR, DEPARTMENT OF FINANCE, CARLSON
         SCHOOL OF MANAGEMENT, UNIVERSITY OF MINNESOTA

    Mr. Parente. Thank you, Chairman Meehan, Ranking Member
Clarke, and Members of the committee, for this opportunity to
speak to you today.
    My name is Steve Parente. I hold the Minnesota Insurance
Industry Chair of Health Finance at the University of
Minnesota. There, I serve as the professor in the Finance
Department at the Carlson School and director of the Medical
Industry Leadership Institute growing MBA program.
    As I just stated, my expertise are health insurance, health
information technology, and a medical technology evaluation. I
have an appointment at Johns Hopkins University as a faculty
member.
    In the summer of 2011, I and my colleague from the
Manhattan Institute, Paul Howard, wrote about implementation of
the Affordable Care Act and security concerns regarding the
Health Insurance Exchange Hub that is scheduled to be fully-
operational in less than 20 days.
    This essay received little attention at that time. On
December 7, 2012, USA Today printed an op-ed written by Dr.
Howard and myself that described the same issues as we did a
year before.
The 2012 op-ed received far greater attention
Nationally and particularly from the administration.
    The principal concern I sought to examine was the
Government's capability to rapidly and securely combine
information at a personal level from multiple Federal agencies
in order to make eligibility determinations for Americans to
purchase health insurance on a State or Federal insurance
exchange.
    I have stated and continue to posit that the combination of
such data would be the largest personal data integration
Government project in the history of this Republic with up to
300 million American citizens' records needing to be combined
from several Federal agencies.
    The Federal agencies involved in this integration are the
Department of Health and Human Services to facilitate the data
and operating parameters of the Federally-facilitated exchange
and the State-based exchanges as well as ensure that the
applicants are not already eligible for Medicare benefits; the
Social Security Administration to verify Social Security
numbers, death indicator status, disability status under Title
II of the Social Security Act, prisoner data or incarceration
status, annual and monthly Social Security benefit information,
and a confirmation to claim of citizenship is consistent with
Social Security records; the Department of Treasury to verify
income as well as transfer subsidies as necessary to purchase
health insurance; the Office of Personnel Management, Peace
Corps, and Department of Defense and Veterans Administration to
make sure that applicants don't have access to health care
coverage from other alternative sources; and finally, the
Department of Homeland Security to verify whether the
individual is indeed legally present in the United States.
    My expressed concern is that it is not clear how the data
hub will operate.
Ideally, the hub should function as a switch
that routes information but does not retain the personal
identifying information it is routing.
    Major credit card purchases today operate this way where a
retailer at the point of purchase uses your credit card to link
a variety of data sources about you to make sure you are not a
credit risk and then clears you to purchase for a large screen
TV for the holidays.
    This approach minimizes privacy risks and provides good
data security, and the Federal data hub should operate this
way, coupled to either a State or Federal insurance exchange as
well as to the Social Security Administration, Treasury
Department, Homeland Security, and Department of Justice, et
cetera.
    Operating this would create a fire-and-forget data system
that would instantaneously link to an abstract piece of
information and then delete it to prevent it from becoming a
privacy concern.
    Major financial services firms have been providing these
services for nearly 2 decades, and if there ever has been a
privacy breach, it is not from a pure data switch.
    Now having said that about how one can provide reliable
data protection, no one has said how this hub will actually
operate to ensure that every precaution possible has been taken
to avert privacy breaches as well as safeguard against identity
fraud.
    Greater transparency is needed as well as frank
acknowledgment that the ACA's posted deadlines should take
second place to reasonable data privacy and security concerns.

This isn't a political point, it isn't meant to impinge on
anyone's motives inside of HHS or the administration.
    The fact that only a handful of individuals know truly how
this will operate may preserve some security but it is
operating as--not operating as planned, it could also be viewed
as a failure with the execution for full transparency and
provision of law that could--that had 3 years to implement but
did not get the job done.
    HHS's job is to implement this law and as much as some
citizens may dislike an assortment of the law's underlying
provisions, HHS' staff are doing exactly what they need to get
it done under the constraints they can't control.
    They are doing so in a politically-charged environment and
crashing headlong into constraints of scarce human capital,
complex regulatory environments, and of a massive IT project
with literally no technical precedent.
    I believe Congress has a legitimate oversight
responsibility to ensure that whatever your feelings about the
ACA, the final product is trusted, functional, and secure for
all Americans. Congress should take that responsibility
seriously and the administration should help them execute that
responsibility.
    In closing, I hope my efforts to bring transparency to
operational parameters of the hub only strengthen its
operation. Failure to build a secure hub could bring
significant damage to the privacy and security of Federal data
systems and cause irreparable harm to Americans whose personal
information would be lost to fraud and identity theft. This
must not be allowed to occur.
    Thank you for this opportunity to be heard today. I welcome
your questions.
    [The prepared statement of Mr. Parente follows:]
                Prepared Statement of Stephen T.
Parente
                           September 11, 2013
    Thank you, Chairman Meehan, Ranking Member Clarke, and Members of
the committee, for this opportunity to speak to you today.
    My name is Steve Parente. I hold the Minnesota Insurance Industry
Chair in Health Finance at the University of Minnesota. There, I serve
as professor in the Finance Department at the Carlson School of
Management and director of the Medical Industry Leadership Institute, a
growing MBA program. My areas of expertise are health insurance, health
information technology, and medical technology evaluation. I also have
an appointment at the Johns Hopkins University in Baltimore, Maryland.
    In summer 2011, I and my colleague from the Manhattan Institute
Paul Howard wrote about implementation of the Affordable Care Act (ACA)
and security concerns regarding the Health Insurance Exchange Hub that
is scheduled to be fully operational in less than 20 days. This essay
received little attention at the time. On December 7, 2012 USA Today
printed an op-ed written by Dr. Howard and myself that described the
same issues as we did a year before. The 2012 op-ed received far
greater attention Nationally and in particular from the administration.
    The principal concern I sought to examine was the Government's
capability to rapidly and securely combine information at a personal
level from five Federal agencies in order for someone to purchase
health insurance on a State or Federal exchange.
I have stated and
continue to posit that the combination of such data would constitute
the largest personal data integration Government project in the history
of the Republic, with up to 300 million American citizen records
needing to be combined from five Federal agencies.
    The five agencies involved in this integration are: The Department
of Health and Human Services, to facilitate the data and operating
parameters of the exchanges; the Social Security Administration, to
verify if the person to be insured is indeed living; the Department of
Treasury, to verify income level, as well as transfer subsidies as
necessary to purchase health insurance; the Department of Justice, to
verify that the insured is not incarcerated; and finally, the
Department of Homeland Security, to verify the citizenship of the
individual.
    My expressed concern is that it's not clear exactly how the data
hub will operate. Ideally, the hub should function as a switch that
routes information but does not retain the person-identifying
information it is routing. Major credit card purchases today operate
this way: Where a retail vendor, at the point of purchase, uses your
credit card to link a variety of data about you to make sure you are
not a credit risk and then clears you for purchase of your 70" LCD TV
for the holidays. This approach minimizes privacy risks and provides
good data security.
    The Federal data hub should operate this way, coupled to either a
State or Federal insurance exchange as well as to the Social Security
Administration, Treasury Department, Homeland Security, and Department
of Justice, et al. Operating this would create a fire-and-forget data
system that would instantaneously link to an abstract piece of
information and then delete it to prevent it from becoming a privacy
concern.
Major financial services firms have been providing these
services for nearly 2 decades, and if there ever has been a privacy
breach, it is not from a pure data switch.
    Having said how you could provide reliable data privacy protection,
no one has said how the data hub will actually operate to ensure no
privacy breaches as well as safeguard against identity fraud. Greater
transparency is needed, as well as a frank acknowledgement that the
ACA's posted deadlines should take second place to reasonable data
concerns. This isn't a political point, and isn't meant to impinge upon
anyone's motives inside HHS. The fact that only a handful of
individuals know truly how this will operate may preserve some
security. Alternatively, if the hub does not operate as planned, it may
also be viewed as a failure to plan and execute with full transparency
a provision of the law the agencies had over 3 years to implement.
    HHS' job is to implement the law. As much as some citizens dislike
an assortment of the law's underlying provisions HHS staff are doing
exactly what they are supposed to do and facing constraints they can't
always control. They are doing so in a politically-charged
environment--and crashing headlong into the constraints of scarce human
capital, complex regulatory requirements, and a massive IT project with
literally no technical precedent.
    I believe Congress has a legitimate oversight responsibility to
ensure that--whatever your feelings about the ACA--the final product is
trusted, functional, and secure for all Americans. Congress should take
that responsibility seriously--and the administration should help them
execute that responsibility.
    In closing, I hope my efforts to bring transparency to operational
parameters of the hub only strengthen its operation. Failure to build a
secure hub could bring significant damage to the security of Federal
data systems.
This must not be allowed to occur.
    Thank you for this opportunity to be heard today. I welcome any
questions.

    Mr. Meehan. Thank you, Dr. Parente.
    The Chairman now recognizes that the gentlelady from the
IG's office, Ms. Daly.

   STATEMENT OF KAY DALY, ASSISTANT INSPECTOR GENERAL, AUDIT
     SERVICES, U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES

    Ms. Daly. Thank you, Chairman Meehan.
    Thank you, Chairman Meehan, Ranking Member Clarke, and
other distinguished Members of the subcommittee. I appreciate
the opportunity to be here today to discuss the Office of
Inspector General's review of the Centers for Medicare and
Medicaid Services implementation of the Data Services Hub from
a security perspective.
    My testimony today summarizes OIG's observations about CMS'
progress in implementing security requirements of the hub
including a recent update we received from CMS management on
the status of the project.
    As you know, the hub plays a key role in providing
important data for health insurance exchanges that are also
called marketplaces, which are being established under the
Affordable Care Act.
    The State-based exchanges will serve as the one-stop shop
where individuals will get information about their health
insurance options, be assessed for eligibility, and enroll in
the health plan of their choice.
    The hub is intended to support those exchanges by providing
a single point where exchanges can access data from different
sources including Federal agencies and their State partners.
    It is important to note that the hub does not store data,
rather, it simply acts as a conduit for the exchanges to access
data from where they are stored.
    In a report issued on August 2, 2013, we assessed the
information technology security controls that CMS was
implementing for the hub and the coordination between CMS and
Federal and State agencies during the development of the hub.
\nWe did not review the functionality of the hub or privacy \nissues associated with it.\n    At the time of our reviews, CMS was addressing and testing \nsecurity controls of the hub during the development process. \nSeveral critical tasks remained to be completed at the time, \nsuch as the final independent testing of the hub security \ncontrols, remediating the security vulnerabilities identified \nduring testing, and obtaining the security authorization for \nthe hub before opening the exchanges.\n    CMS\' schedule at that time was to complete all of these \ntasks by October 1 in time for the expected initial open \nenrollment date for the health insurance exchanges.\n    Our report described the time lines that CMS provided us \nfor its system security plan, its risk assessment, and its \nsecurity control assessment and security authorization \ndecisions.\n    In our report, we noted that between March and July, some \nkey dates had moved back. These were internal target dates set \nby CMS for these milestones and not mandated deadlines.\n    Subsequent to issuing our report, CMS has reported to us \nthat it has made additional progress on these key security \nmilestones. For example, since our review, CMS has reported to \nus that the security authorization was completed on September \n6, 2013. We have not independently verified CMS\' progress since \ncompleting our audit.\n    Our review also observed that CMS was coordinating with its \nFederal and State partners during the development and testing \nof the hub in part to ensure that security measures were \nimplemented by all stakeholders.\n    CMS had developed a testing approach and test plans for the \ninter-agency testing aspect. 
At the time of our reviews, CMS \nwas in the process of executing those test plans.\n    In addition, CMS has developed security-related documents \nand security agreements regarding its Federal partners and \ninformation systems and networks.\n    Federal policy does require agencies to develop \ninterconnection security agreements for Federal information \nsystems and networks that share or exchange information.\n    Each of the Federal partners will provide information on \ntheir systems\' environments and the overall approach for \nsafeguarding the confidentiality, integrity, and availability \nof shared data in systems interfaces.\n    Since our review, CMS has reported to us that all of these \nagreements are expected to be approved by September 27, 2013.\n    In closing, I want to thank you for your interest in our \nwork on this important subject and the opportunity to be part \nof this discussion. I would be very pleased to take any \nquestions you might have.\n    [The prepared statement of Ms. Daly follows:]\n                     Prepared Statement of Kay Daly\n                           September 11, 2013\n                              introduction\n    Good afternoon, Chairman Meehan, Ranking Member Clarke, and other \ndistinguished Members of the subcommittee. 
Thank you for the \nopportunity to testify about the Office of Inspector General\'s (OIG) \nreview of the Centers for Medicare & Medicaid Services\' (CMS) \nimplementation of the Data Services Hub (hub) from a security \nperspective, which we issued on August 2, 2013.\\1\\ My testimony today \nsummarizes OIG\'s observations about CMS\'s progress in implementing \nsecurity requirements of the hub during the period of our review.\\2\\ We \nassessed the information technology (IT) security controls that CMS was \nimplementing for the hub, adequacy of the testing being performed \nduring its development, and the coordination between CMS and Federal \nand State agencies during the development of the hub. We did not review \nthe functionality of the hub or issues specific to the Privacy Act.\n---------------------------------------------------------------------------\n    \\1\\ Observations Noted During the OIG Review of CMS\'s \nImplementation of the Health Insurance Exchange--Data Services Hub, A-\n18-13-30070, August 2013, available on-line at https://oig.hhs.gov/oas/\nreports/region1/181330070.asp.\n    \\2\\ We performed our fieldwork substantially from March through May \n2013. We continued to receive updates from CMS through July 1, 2013, \nand its comments on our draft report are included in the final report.\n---------------------------------------------------------------------------\n    At the time of our review, CMS was addressing and testing security \ncontrols for the hub during the development process. Several critical \ntasks remained to be completed, such as the final independent testing \nof the security controls, remediating security vulnerabilities \nidentified during testing, and obtaining the security authorization \ndecision for the hub before opening the exchanges. 
CMS\'s schedule at \nthat time was to complete all of these tasks by October 1, 2013, in \ntime for the expected initial open enrollment date for health insurance \nexchanges.\n    Our report described the time lines that CMS provided us for its \nsystem security plan, risk assessment, security control assessment, and \nsecurity authorization decisions. In our report, we noted that between \nMarch and July, some key targets had been shifted to later dates. These \nwere internal target dates set by CMS for these milestones and not \nmandated deadlines. Since issuing our report, CMS has reported to us \nthat it has made additional progress on these key milestones, including \nobtaining its security authorization for the hub on September 6, 2013. \nWe have not independently verified CMS\'s progress since completing our \naudit.\n    Following is a discussion of the hub\'s role within the health \ninsurance exchanges, the results of our review, and concluding \nobservations.\n                               background\n    States must establish health insurance exchanges by January 1, \n2014,\\3\\ and all health insurance exchanges must provide an initial \nopen enrollment period beginning October 1, 2013 (45 CFR § 155.410). \nHealth insurance exchanges, also known as Marketplaces, are State-based \ncompetitive marketplaces where individuals and small businesses will be \nable to purchase private health insurance.\\4\\ Exchanges will serve as a \none-stop shop where individuals will get information about their health \ninsurance options, be assessed for eligibility (for, among other \nthings, qualified health plans, premium tax credits, and cost-sharing \nreductions), and enroll in the health plan of their choice.\n---------------------------------------------------------------------------\n    \\3\\ The Patient Protection and Affordable Care Act § 1311(b) (Pub. \nL. No. 111-148) and the Health Care Reconciliation Act of 2010 (Pub. L. \nNo. 
111-152), collectively known as the Affordable Care Act (ACA).\n    \\4\\ A State may elect to operate its own State-based exchange or \npartner with the Federal Government to operate a State partnership \nexchange. If a State elects not to operate an exchange, the Department \nof Health and Human Services will operate a Federally Facilitated \nExchange. For the purposes of this report, ``exchanges\'\' refers to all \nthree types of health insurance exchanges.\n---------------------------------------------------------------------------\n    The hub is intended to support the exchanges by providing a single \npoint where exchanges may access data from different sources, primarily \nFederal agencies. It is important to note that the hub does not store \ndata. Rather, it acts as a conduit for exchanges to access the data \nfrom where they are originally stored. Hub functions will include \nfacilitating the access to data by exchanges, enabling verification of \ncoverage eligibility, providing a central point for the Internal \nRevenue Service (IRS) when it asks for coverage information, providing \ndata for oversight of the exchanges, providing data for paying \ninsurers, and providing data for use in web portals for consumers.\n    Effective security controls are necessary to protect the \nconfidentiality, integrity, and availability of a system and its \ninformation. The National Institute of Standards and Technology (NIST) \ndeveloped information security standards and guidelines, including \nminimum requirements for Federal information systems. CMS is required \nto follow the NIST security standards and guidelines in securing the \nhub.\\5\\\n---------------------------------------------------------------------------\n    \\5\\ NIST\'s security standards assist Federal agencies in \nimplementing the requirements under the Federal Information Security \nManagement Act of 2002, 44 U.S.C. 
§§ 3541, et seq.\n---------------------------------------------------------------------------\n    To determine CMS\'s progress in implementing security requirements \nfor the hub, OIG reviewed documentation, project schedules, and time \nlines; interviewed CMS employees and contractors and personnel from key \nFederal agencies working with CMS during development of the hub; and \nreviewed CMS\'s security testing results.\n                        results of oig\'s review\n    At the time of our review, CMS and its contractors were continuing \nto develop the hub and work with its Federal and State partners in \ntesting the hub to ensure its readiness in time for the initial open \nenrollment to begin on October 1, 2013. The following observations \nprovided the status of CMS\'s implementation related to security \ncontrols, security testing, and coordination at the time of our \nfieldwork.\nSecurity Authorization\n    According to NIST security standards, every Federal information \nsystem must obtain a security authorization before the system goes into \nproduction. The security authorization is obtained from a senior \nmanagement official or executive with the authority to formally assume \nresponsibility for operating an information system at an acceptable \nlevel of risk to agency operations. At CMS, the authorizing official is \nthe Chief Information Officer (CIO).\n    The security authorization package must include a system security \nplan, information security risk assessment, and security control \nassessment report. The security authorization package provides \nimportant information about risks of the information system, security \ncontrols necessary to mitigate those risks, and results of security \ncontrol testing to ensure that the risks have been properly mitigated. \nTherefore, these documents must be completed before the security \nauthorization decision can be made by the authorizing official. 
Under \nthe NIST guidelines, the authorizing official may grant the security \nauthorization with the knowledge that there are still risks that have \nnot been fully addressed at the time of the authorization.\n    At the time of our review, the security authorization decision by \nthe CMS CIO was expected by September 30, 2013. Since our review, CMS \nhas reported that the security authorization was obtained on September \n6, 2013.\nSystem Security Plan and Information Security Risk Assessment\n    CMS incorporated the elements required for adequate security into \nthe draft hub system security plan. The plan: (1) Provides an overview \nof the security requirements of the system, (2) describes the controls \nin place or planned (e.g., access controls, identification, and \nauthentication) for meeting those requirements, and (3) delineates the \nresponsibilities and behavior expected of all individuals who access \nthe system.\n    CMS was still drafting the information security risk assessment at \nthe time of our review. For this reason, we could not assess CMS\'s \nefforts to identify security controls and system risks and implement \nsafeguards and controls to mitigate identified risks. Key aspects of \nthe assessment should identify risks to the operations (including \nmission, functions, image, or reputation), agency assets, and \nindividuals by determining the probability of occurrence, the resulting \nimpact, and additional security controls that would mitigate this \nimpact.\n    At the time of our review, the CMS contractor did not expect to be \nable to provide finalized security documents, including the system \nsecurity plan and risk assessment, to CMS for its review until July 15, \n2013. 
Since our review, CMS reported to us that the documents were \nprovided to CMS on July 16, 2013.\nSecurity Control Assessment and Testing\n    At the time of our review, CMS and its contractors were performing \nsecurity testing throughout the hub\'s development, including \nvulnerability assessments of hub services. CMS was logging and tracking \ndefects and vulnerabilities, as well as correcting and retesting hub \nservices to ensure that vulnerabilities are remediated.\n    A security control assessment of the hub must be performed by an \nindependent testing organization before the security authorization is \ngranted.\\6\\ The assessment determines the extent to which the controls \nare implemented correctly, operating as intended, and producing the \ndesired outcome of meeting the security requirements for the \ninformation system. The goal of the security control assessment test \nplan is to explain clearly the information the testing organization \nexpects to obtain prior to the assessment, the areas that will be \nexamined, and the activities expected to be performed during the \nassessment.\n---------------------------------------------------------------------------\n    \\6\\ NIST Special Publication 800-37, Guide for Applying the Risk \nManagement Framework to Federal Information Systems, Revision 1.\n---------------------------------------------------------------------------\n    According to CMS, the assessment was scheduled to be performed \nbetween August 5 and 16, 2013. Since the assessment was not completed \nat the time of our review, we could not determine whether \nvulnerabilities identified by the testing would be mitigated. Since our \nreview, CMS has reported to us that the assessment was completed on \nAugust 23, 2013.\nAdjustments to CMS Time Lines\n    CMS provided us with time lines in March 2013 and May 2013 for its \nsystem security plan, risk assessment, security control assessment, and \nsecurity authorization decisions. 
CMS also provided us additional \ninformation on timing of certain steps after the May time line. Some \nkey targets had been moved to later dates as the development of the hub \nwas continuing. It is important to note that these were internal target \ndates set by CMS for these milestones and not mandated deadlines.\n    For example, in March, the security control assessment test plan \nwas targeted to be provided to CMS on May 13, 2013, and this due date \nwas subsequently moved to July 15, 2013, and the start date of the \nsecurity control assessment was moved from June 3, 2013, to August 5, \n2013. CMS stated that the security control assessment time frame was \nmoved so that performance stress testing of the hub could be finished \nbefore the assessment and any vulnerabilities identified during the \nstress testing could be remediated. Otherwise, CMS might need to \nperform an additional assessment after the remediation was complete.\n    According to CMS\'s time line from May 2013, the security \nauthorization decision by the CMS CIO was expected on September 30, \n2013. OIG noted in our report that if there were additional delays in \ncompleting the security authorization package, the CMS CIO may not have \na full assessment of system risks and security controls needed for the \nsecurity authorization decision by the initial open enrollment period \nset to begin on October 1, 2013. In its comments on our draft report, \nCMS stated that it was confident that the hub would be operationally \nsecure and it would have a security authorization before October 1, \n2013.\n    Since our review, CMS has reported to us that the security \nauthorization was obtained on September 6, 2013.\nCoordination Between CMS and Its Federal and State Partners\n    Our review observed that CMS was coordinating with its Federal and \nState partners during the development and testing of the hub, in part \nto ensure that security measures are implemented by all stakeholders. 
\nCMS developed an approach for interagency testing and has developed \ntest plans. At the time of our review, CMS was in the process of \nexecuting its test plans, which included testing for secure \ncommunications between CMS and its Federal and State partners and \nperformance stress testing of the hub. In addition, CMS has developed \nsecurity-related documents and security agreements regarding Federal \ninformation systems and networks. The Federal partners are the IRS, \nSocial Security Administration (SSA), Department of Homeland Security \n(DHS), Veterans Health Administration (VHA), Department of Defense \n(DoD), Office of Personnel Management (OPM), and Peace Corps.\n    CMS has developed security-related documents related to the hub and \nthe exchanges. CMS developed Interface Control Documents (ICD) with all \nof its Federal partners. The ICDs provide a common, standard technical \nspecification for transferring ACA-related information between CMS (the \nhub) and its Federal partners. The ICDs establish standard rules, \nrequirements, and policies (including security-related policies) with \nwhich the development and implementation of the interfaces between CMS \nand its Federal partner must comply. CMS and its Federal partners \ncollaborated in developing the ICDs and signed the ICDs in May 2013.\n    Federal policy requires agencies to develop Interconnection \nSecurity Agreements (ISAs) for Federal information systems and networks \nthat share or exchange information with external information systems \nand networks.\\7\\ The Master ISA describes the systems\' environment; the \nnetwork architecture; and the overall approach for safeguarding the \nconfidentiality, integrity, and availability of shared data and system \ninterfaces. 
In addition, the Master ISA contains information on CMS \ninformation security policy and the roles and responsibilities for \nmaintaining the security of ACA systems.\n---------------------------------------------------------------------------\n    \\7\\ Specifically, Office of Management and Budget Circular A-130, \nAppendix III, requires agencies to obtain written management \nauthorization before connecting their IT systems to other systems. The \nwritten authorization should define the rules of behavior and controls \nthat must be maintained for the system interconnection.\n---------------------------------------------------------------------------\n    CMS completed a preliminary review of the Master ISA between CMS \nand the developer of the hub on April 2, 2013, and the Associate ISAs \non May 15, 2013. Each of the Federal partners will provide similar \ninformation pertaining to the partner agency in the Associate ISAs, \nwhich will be signed by the Federal partner authorized official. Since \nour review, CMS has reported to us that all ISAs with its Federal \npartners are expected to be approved by September 27, 2013.\n    A service-level agreement (SLA) is a negotiated agreement between a \nservice provider and the customer that defines services, priorities, \nresponsibilities, guarantees, and warranties by specifying levels of \navailability, serviceability, performance, operation, or other service \nattributes. A SLA is needed between CMS and each of its Federal \npartners to establish agreed-upon services and availability, including \nresponse time and days and hours of availability of the hub and the \nFederal partner\'s ACA systems. According to CMS\'s project schedule, the \nSLA with IRS was completed on March 15, 2013; the SLA with DHS was \nexpected to be signed by July 26, 2013; and the SLA with SSA was \nexpected to be signed by September 27, 2013. 
The SLAs with the \nremaining Federal partners (VHA, DoD, OPM, and Peace Corps) were \nexpected to be signed by September 20, 2013. Since our review, CMS has \nreported to us that the SLAs with IRS, VHA, and DHS are expected to be \nsigned before the end of September. CMS also reported that DoD-Tricare \nand CMS have agreed to allow transactions to occur and monitor the \n``response time metric\'\' to set a baseline for the interaction \nstandards before they execute their SLA. They expect to execute their \nSLA by the end of December.\n                        concluding observations\n    CMS is taking steps to ensure that there are adequate security \nmeasures for the hub in compliance with NIST guidelines. At the time of \nour review, CMS was working with very tight deadlines to ensure that \nsecurity measures for the hub were assessed, tested, and implemented by \nthe expected initial open enrollment date of October 1, 2013.\n    Our report provided the status of the implementation of key \nsecurity requirements at a point in time. CMS has reported to us that \nit has completed all of the required steps and obtained its security \nauthorization on September 6, 2013. We have not independently verified \nCMS\'s progress since completing our audit.\n    Thank you for your interest in our work on this important issue and \nthe opportunity to be a part of this discussion. I would be pleased to \nanswer your questions.\n\n    Mr. Meehan. Thank you, Ms. Daly.\n    The Chairman now recognizes our last panelist, Mr. Salo.\n    Mr. Salo----\n\n     STATEMENT OF MATT SALO, EXECUTIVE DIRECTOR, NATIONAL \n               ASSOCIATION OF MEDICAID DIRECTORS\n\n    Mr. Salo. Great. Thank you very much, Chairman Meehan, \nRanking Member Clarke, other Members of the committee and \nsubcommittee.\n    My name is Matt Salo. I am the Executive Director of the \nNational Association of Medicaid Directors. 
I appreciate the \nopportunity to testify on their behalf.\n    It is important to talk a little bit about what Medicaid \nis; why is Medicaid here at this conversation about the hub? \nMedicaid itself does a lot more than most people think.\n    We deal in numbers that are astronomical. We are going \nto spend close to $500 billion this year covering 72 million \nAmericans. It is a State and Federal program. Our members are \nthe ones in every State and territory who actually administer \nthe program.\n    We are here in large part because again, not very well-\nknown, but Medicaid really is kind of the centerpiece of the \nACA. The ACA spent about $1 trillion over 10 years, half of \nthat goes into Medicaid, to the expansion, and for other \nchanges to it.\n    So obviously, the ACA or Obamacare is a highly politically-\ncharged issue. We know this, but what is also true is that the \nimpacts of the law are very real and are very real for the \ncitizens of this country, the citizens of each one of our \nStates.\n    For my members, as public servants, their primary job is to \nuphold the law but also to ensure the health and the well-being \nand yes, the security of their citizens.\n    If things don\'t go well, we get the calls. 
So it is very, \nvery important that we make sure that things do go as well as \npossible, and there is going to be a lot of aspects of that.\n    I think the primary ones for this issue are that our \ncitizens not only understand but are able to access, afford, \nand be safe in their security in terms of the new health \noptions that are going to be available to them.\n    So while there has been a lot of talk and a lot of \nattention to bigger picture issues like the expansion and State \nversus Federal exchanges, we welcome the opportunity to talk \nabout some of these under-the-hood types of conversations and \nthe work that is going on.\n    Other panelists have talked about the Herculean nature of \nwhat we are building here, the unprecedented nature. We have \nbandied around terms like moonshot earlier.\n    There really is no precedent in terms of what we are \ntrying to build here, and I think it is important to keep all \nof that in mind especially when confronting the fact that I \nthink at least at the onset, people were envisioning that this \nwas going to be a Travelocity of health care.\n    While I think we may get there someday, I do not think it \nwill look like that on Day 1 because in many ways, what is \nhappening is the creation of the system is kind of like \nbuilding a bridge starting at opposite ends of a river and \ntrusting that they meet in the center.\n    The challenge for Medicaid is that in many ways it is \nbuilding 56 different bridges and hoping and trusting that they \nwill meet in the center. The challenges obviously are that \nthere is never enough time, never enough money, never enough \nbandwidth to do all of these things.\n    But having said all of that, again, this has been issue No. \n1 for our members for the past several years. 
While there are \nmany aspects of this, security is a very, very important one as \nwell.\n    It is important to know that from our perspective as we \nbuild the connectivity between Medicaid and the hub, the \nconcepts of the security of the information are being baked in \nto that connectivity, and that the security and the privacy and \nthe confidentiality of information is not something that is new \nto us.\n    We served 72 million people last year and we did so in a \nway that bridged lots of different gaps. Medicaid was able to \ncommunicate with other programs like TANF for food stamps, \nSNAP.\n    Medicaid was able to bridge the gap with Medicare to ensure \ncare coordination for dual eligibles. Medicaid is able to \nbridge the gap with private insurance to do third-party \nliability, to look at citizenship documentation and that became \npart of the law a couple years ago, and in many of the aspects \nof program integrity that State and Medicaid programs take \nvery, very seriously.\n    This is a very, very important issue and it will be \naddressed and it will be one of the core functions of what we \ndo.\n    By all that, I do want to say though that when we are \nlooking at October 1 or January 1, it is important to recognize \nthat we are going to have a turbulent takeoff and we are going \nto have a bumpy road as we move forward because of the \ncomplexity of what we are doing, because of the nature of what \nwe are doing.\n    But I think it is also important to note that from our \nperspective, we do not believe that security is one of those \nthings that is going to be sacrificed or jettisoned in order to \nget this done right on time.\n    That in fact we think there will be a lot of Day 2, Day 3, \nDay 4 mitigation plans and work that is being done, work that \nis being planned as we speak to try to figure out how do we \ntake what we know will break down and fix it.\n    Again, not on the security side, but in terms of the \nconsumer 
interface where we know that people\'s lives, people\'s \nsituations are messier than rules engines can usually handle, \nbut we are working on this. This is what we do.\n    I would just close with an analogy, you know, in some \nsense, what we are doing here is analogous to rolling out the \nMedicare Part D program.\n    Although that seemed relatively straightforward, on Day 1 \nwhen we turned on all the lights, it was a bit of a mess, and \nwe had a lot of seniors who were in pharmacies who didn\'t know \nwhat was going on, couldn\'t get their prescriptions, couldn\'t \nget anyone to give them clear answers.\n    It was the States, the Feds, and the plans who worked \ntogether tirelessly for months to figure out, how do we fix \nthis? Now, in many respects, this is like Part D on steroids, \nbut that is the commitment we have, and that is the vision that \nwe see moving forward.\n    This will work. It will not work perfectly. We do not \nbelieve security is going to be a primary concern on Day 1, and \nwe will fix what happens and what breaks as we move forward.\n    Thank you, and I am happy to answer any questions.\n    [The prepared statement of Mr. Salo follows:]\n                    Prepared Statement of Matt Salo\n                           September 11, 2013\n    Good afternoon Chairman Meehan, Ranking Member Clarke, and \ndistinguished Members of the subcommittee. My name is Matt Salo, and I \nam the executive director of the National Association of Medicaid \nDirectors (NAMD). I appreciate the opportunity to testify before you \ntoday.\n                                medicaid\n    Medicaid is the Nation\'s health care safety net. Jointly financed \nby the States and the Federal Government, Medicaid spent more than $420 \nbillion last year to provide health care to more than 72 million \nAmericans. 
The program is administered by the States within a broad \nFederal framework which leads to enormous variation across States in \nterms of who is covered, what services are provided, and how those \nservices are paid for and delivered. Furthermore, within any given \nState, Medicaid\'s role is broad, varied, and complex. Medicaid funds \nclose to 50 percent of all births, and the majority of all publicly-\nfinanced long-term care in this country.\n    It also provides most of the Nation\'s funding for HIV/AIDS-related \ntreatments, mental health services, and others.\n    It is therefore very difficult to talk simplistically about \nMedicaid (either Nationally, or within a State), despite its incredible \nimportance in the U.S. health care system.\n    NAMD was created with the sole purpose of providing a home for the \nNation\'s Medicaid directors and we represent all 56 of the State, \nterritorial, and DC agency heads. Our two broad objectives are to give \nthe Medicaid directors a strong, unified voice on National and Federal \nmatters as well as helping develop a robust body of technical \nassistance and best practices for them to improve their own programs. \nWhile no two programs look exactly alike, the directors are unified in \ntheir heartfelt desire to improve the health and health care of the \ngrowing number of Americans who rely on the program.\n             implementing the affordable care act--overview\n    No issue has been more polarizing in recent memory than the \nAffordable Care Act (ACA), often known as ``Obamacare.\'\' While the ACA \nmay not be wildly politically popular, or even well-understood, it is \nthe law of the land, and it will have far-reaching and fundamental \nimpacts on the citizens of every State in the Nation.\n    Politics aside, the key to the success or failure of this new law \nlies in how well it serves our citizens; and how well they are able to \nunderstand, access, and afford their new health insurance options. 
In \nmany ways much of the foundation hinges on reforms to the Medicaid \nprogram. The States have been working as quickly and effectively as \npossible for months, even years, to put together the pieces of this \ncomplex health insurance overhaul.\n    To fully understand the Herculean task the ACA presented to State \nMedicaid programs, we must acknowledge that States began this journey \nfrom very different starting points. Likewise, even several years after \nthe official ACA launch we can still expect to see differences in the \nstructure of Medicaid programs--and health care systems generally--as \nStates determine how to best meet the diverse needs of their citizens.\n    Regardless of their starting or ending points, there is a long list \nof changes that all States have to make to comply with the law. These \ninclude overhauling complex eligibility systems to conform to new \nstandardized Federal rules. State Medicaid agencies also have been \nworking to integrate with new health insurance marketplaces to ensure \nthat individuals and families receive consistent, accurate information \nabout their eligibility for public insurance programs. And they have \nendeavored to minimize the burden and confusion for individuals and \nfamilies trying to navigate the rules for these new programs.\n    Investments in this system overhaul are being made by States, and \nby the Federal Government--with everyone involved fully committed to \nensuring that they work as well as possible. As envisioned, the new \nsystem would be able to process a few consumer data points (name, \nSocial Security number) and determine the insurance program--Medicaid \nor the marketplace--for which each individual in a family would be \neligible. 
It also would begin the actual process of enrolling and \npaying for that coverage.\n    Achieving this vision requires real-time communication between \nStates and the Federal Government and among multiple Federal \ndepartments that historically have never talked to one another. In many \nStates, it requires a complete overhaul of decades-old Medicaid \neligibility systems in order to interface with a new Federal ``hub.\'\'\n    In addition to these technical hurdles, there is another reality to \ncontend with: No two State Medicaid programs are alike. These \ndifferences have developed over the nearly 50 years of the program\'s \nexistence, and reflect the political and cultural dynamics of each \nState. These differences range from who is covered, which benefits are \navailable and how care is both delivered and paid for, as well as the \nsophistication (or too often, lack thereof) of the State eligibility \nand information systems, many of which were built in the 1980s.\n    In a sense, States are building 50+ bridges all at the same time, \nfrom different starting points and hoping that these efforts meet \nexactly in the middle. These bridges CAN be built and they are in fact \nbeing built now. But it is vitally important that we take heed of the \nlessons of complex policy implementations in the past as well as the \nexpertise States have with program and system implementations.\n           privacy, security, confidentiality of information\n    Security, privacy, and confidentiality are among the highest \npriorities for State Medicaid Directors. They also hold their vendors \nto the same high expectations and work with them to ensure they too \nappropriately safeguard personal information.\n    While there have been security breaches in Medicaid, there have \nalso been security breaches in the banking and credit card industries, \nwith internet service providers, and practically every other component \nof our increasingly interdependent economy. 
It is unrealistic to expect \nthat these things can be prevented entirely; it is more important that \nwe focus on how to minimize and mitigate the risks that are inherent in \nan interconnected society.\n    States currently handle many of these types of information in a \nhighly secure way as they make eligibility determinations for the more \nthan 70 million Americans currently on the program. States routinely \nwork with chief information officers, consumer protection agencies, the \ninspector general\'s offices in a variety of State and Federal agencies, \nand more in their efforts to protect consumer information.\n    While the specifications of the systems being built to interface \nwith the Federal data hub and the Insurance Marketplaces are new, \nStates have decades of experience working across program platforms to \nensure privacy, confidentiality, and security of patient information \n(medical and otherwise). Whether it\'s communicating with private \ninsurance companies to do third-party liability determinations, working \nwith other programs such as TANF or SNAP to eliminate redundancies, \nworking with a range of Federal agencies to implement citizenship \ndocumentation requirements, or working with Medicare to improve care \ncoordination for individuals dually eligible for both programs, State \nMedicaid directors have significant experience and perspective.\n    In each of these examples, it is important to note that the sharing \nof information across programs or payors is a vitally important \nfunction. In fact, the entire field of public health and program \nintegrity would barely exist if data could not flow securely, quickly, \nand effectively.\n    While I am not here to testify to the readiness schedule of the \nFederal data hub, we do know from experience of the high-level \ncommitment to privacy and security. 
In fact, this commitment is one of \nthe main drivers of our concern that the full range of operational \ncapacity is not likely to be met by October 1. In fact, some of the \nearliest conversations with our Federal partners revealed a significant \nstance on behalf of IRS that it was more important to ensure that the \nexchange of data was done securely than it was to do it quickly.\n                             the road ahead\n    As we approach the open enrollment date of October 1, 2013, there \nis one lesson that clearly stands out: We must be prepared for a \nturbulent take-off.\n    The magnitude of the changes and the many different pieces that \nhave to be linked together mean everyone--consumers, policymakers, and \nother interested stakeholders--must have reasonable expectations of the \nsystems and programs early on. In many instances, the consumer \nexperience will not be immediately smooth. Real people are going to be \nfrustrated when accessing the system. Whether it\'s a failure of \ncomputer algorithms to properly account for the startling complexity of \nreal people\'s lives, or the difficulty in ensuring that these multiple \nState and Federal agencies are communicating in real time, it will be \nbumpy.\n    However, it\'s also reasonable to expect that the experience can and \nwill improve over time. As they do in advance of any major \nimplementation, Medicaid agencies are trying to predict, plan for and \nset up procedures to resolve the problems that will inevitably arise. 
\nAt the same time they will continue working towards the ultimate goal \nof compliance with the law\'s requirements and seizing other \nopportunities they\'ve identified.\n    The health and safety of Medicaid clients is the main concern of \nMedicaid directors, and they will continue their on-going commitment to \nprovide the best possible service to beneficiaries, while protecting \nthe integrity of the program, and being responsible stewards of \ntaxpayer dollars.\n\n    Mr. Meehan. Well, thank you Mr. Salo.\n    I thank all of the panelists for their testimony.\n    Let me begin, Mr. Salo, you made an observation and I think \nit was really important to recognize that some of the people \nthat are at the most risk here are those in Medicaid, the \npoorest, those in the least capacity to be able to recover or \nhelp themselves in situations where they may be taken advantage \nof.\n    You used the word ``no precedence in its size.\'\' Dr. \nParente called it I think the greatest--the ``largest personal \ndata Government integration project in the history of the \nRepublic.\'\'\n    Ms. Daly, let\'s get the elephant out of the room. You know, \nwe are talking here about representations that have been made \nby an agency and findings that you made about their readiness \nto meet these deadlines.\n    But we had the IG before us just a few weeks ago, the HHS \nitself said, and your reports confirmed they would not be ready \nuntil the 30th at the end of this month.\n    That is in the course of the normal business. We know the \nchallenges. I am already suggesting this is the largest \ndatabase in the history of the Republic.\n    Now, we received a report which you just said that lo and \nbehold it was done on the 6th. 
They are ready to go.\n    Now this is an agency who for 3 years failed to meet a \nsingle deadline, and in your own IG\'s report and virtue of \nevery single deadline that was articulated as much as 3 months \nbefore there was not a single deadline met.\n    Now you have stated yourself that this has not been done \nwith any independent verification and the word continues to be \njust ``trust us.\'\'\n    Ms. Daly, you are the Inspector General. Do you trust them?\n    Ms. Daly. Chairman Meehan, I appreciate the opportunity to \nrespond to that. In our report, we did point out that they \nhad--some of the dates had moved from their original plan date.\n    In fact, the date for the security authorization that was \nrecently provided on September 6, in our report, we pointed out \nthat it was--that is on September 30--so that is what gave us \npause and wanted to get that--the early information out to the \nMembers of this oversight body so that steps could be taken \nand pressure to bear where appropriate.\n    So with that, we have recently been provided the assurance \nfrom the CIO at CMS through that security authorization \ndecision, that is part of the normal NIST standards that are \nused and NIST, as you know, sir, it is the National Institute--\n--\n    Mr. Meehan. I know those----\n    Ms. Daly. Yes, sir, very good. So with that, you know, we \nare just providing that information to you. We have not had a \nchance to go in and do a thorough assessment of it at this time \ngiven the short time span.\n    Mr. Meehan. So you have passed this on, but let\'s go \nthrough. Now what are the three steps? We understand that there \nare three steps in a NIST process.\n    There is the identification of the program that we have. \nThere is beta testing of that program. 
Once that is beta \ntested, you identify the flaws in that program, you then fix \nthat program, you then test it again to assure--and it is at \nthat point in time that there is the certification.\n    They were not even ready at that point in time, which was \nonly 2 or 3 weeks ago to certify to us that they had even done \nthe appropriate beta testing.\n    Now you tell me how it is; we need your help. You are the \nperson who is the independent verification, not just ``trust \nus.\'\' So how can we believe that what was originally scheduled \nnot to be done \'til the 30th on a massive project in which they \nhave failed to meet a single deadline has been done on the 6th \nand they have failed to give you any information as we said, \ndid you get, when you asked for information about the \ndocuments--Mr. Astrue identified them specifically--you were \nnot given those documents. They were held back from you. You \nare an Inspector General. Why wasn\'t a demand made for those \ndocuments?\n    Ms. Daly. Well, sir, actually, to be clear, in our report, \nwe discuss a number of documents that weren\'t available at the \ntime----\n    Mr. Meehan. Well, if they are not available then, what \nmakes you think that they were? Because that is part of the \nlegal obligations. This isn\'t something that they just get to \ndecide. They are going to determine how this process takes \nplace. That is the NIST standards.\n    Do you believe that they made up all of that ground in that \nshort period of time?\n    Ms. Daly. Well, sir, I can\'t speak to that at this time.\n    Mr. Meehan. What does your gut tell you?\n    Ms. Daly. I don\'t have a reaction. I generally, you know, \nbeing an auditor, I base our work on, you know, the generally \naccepted auditing standards and that is how we go about and do \nour work and I would have to go in and do a number of \nprocedures in order to report back to----\n    Mr. Meehan. One of them might be real beta testing. 
Do you \nintend in light of what they--they have just made \nrepresentations to you, we still have a period, do you intend \nto have the inspector general\'s office use all of its resources \nto do the actual beta testing of certain parts of the facility \nbefore October 1?\n    Ms. Daly. Well, sir, let me clarify for you that the beta \ntesting is generally focused on the functionality of the system \nand with the functionality of the system, that is really more \nabout how the user experiences that system and so forth.\n    Mr. Meehan. But not security----\n    Ms. Daly. It is not really security.\n    Mr. Meehan. So we haven\'t even tested for security.\n    Ms. Daly. Well, sir, to be--one of the key elements that \nthe CIO should be considering as part of his security \nauthorization decision is the independent security testing of \nits being done, and I want to highlight that it is independent, \nbeing done by a contractor, so that that provides that \nindependent assurance to the CIO in performing that. But again, \nwe have not seen the results of that.\n    Mr. Meehan. Okay. My time has expired.\n    I now recognize the Ranking Member, the gentlelady from New \nYork, Ms. Clarke.\n    Ms. Clarke. Thank you, Mr. Chairman.\n    Ms. Daly, I just want to get some fundamental facts from \nyou. If you can just give us a definition of the OIG\'s role in \nthe marketplace and exchange and the Federal data hub, what \nexactly is OIG\'s role there?\n    Ms. Daly. Well, with regard to that, the OIG, as you know \nunder the Inspector General Act, has certain responsibilities \nfor fighting waste, fraud, and abuse, and protecting the health \nand safety of the you know, people and beneficiaries--the U.S. \ntaxpayers basically--and all of our citizens.\n    That is where we emphasize. We don\'t have a role in the \noperation whatsoever. 
So it is very important that we maintain \nour independence in order to provide such an independent \nassessment when it is appropriate to do so.\n    Ms. Clarke. So would you state that your role has not been \nfully activated yet just in light of the fact that No. 1, the \ndata hub is just coming on-line, and the marketplaces are \nbeginning to emerge now?\n    Or are you giving oversight to this process and looking or \nscrutinizing the process to see whether in fact it is efficient \nor effective? Where do you see yourselves right now? What is \nthe office doing at this particular point in time?\n    Ms. Daly. Well, at this particular point in time, we have \nbeen, as you know, monitoring the situation because it is \nunfolding daily, you know, trying to stay abreast of some of \nthe prior work that had been done, looking forward and doing \nrisk assessments on what is the appropriate use of our \nresources because our resources are stretched pretty thin.\n    We have also been and I want to highlight this for the \nMembers today, you know, coordinating with GAO, with State \nauditors, and with other inspector generals because we see that \nas critical because this, is as everyone has noted, a huge \nenterprise.\n    Ms. Clarke. So can you tell us about how you have performed \nyour audit of the hub preparations and testing?\n    Ms. Daly. Certainly. Our work really followed the generally \naccepted Government auditing standards, and to do so, what we \ndid is we were coordinating with GAO. GAO was in there \nreviewing the data hub and certain aspects of the exchanges \nthrough a, you know, a request that they had received.\n    So we coordinated with them--I am sorry--to ensure that we \ndidn\'t duplicate any effort. You know, we have got a lot of the \nground to cover, so we want to make sure that our work is \ncomplementary, not duplicative.\n    So in that regard, they were doing certain aspects. 
They \nadvised that they were not looking at the security over the \nhub, so we said, all right, we will look at the security over \nthe hub.\n    So we designed a program to ensure that the agents--to be \nable to assess whether the agency was in fact following the \nNIST standards in that regard.\n    Ms. Clarke. So why did you, as some suggest, just briefly \nnote in the audit that you did not have access to the CMS \nsecurity documents?\n    Ms. Daly. Well, Ranking Member Clarke, in our report we \nindicated that the agency had not provided us certain documents \nat that time. I think one of them specifically was a security \ntest plan because it wasn\'t available at that point in time.\n    Then, you know, of course subsequently, it may have become \navailable. It wasn\'t that they refused, it just wasn\'t \navailable.\n    Ms. Clarke. Okay. Is it available now?\n    Ms. Daly. It could be. I think if we requested--I am pretty \ncomfortable it has been available now. They have provided us \nsome updates of data that you know, has subsequently been done \nand some of the dates it was done on.\n    Ms. Clarke. Can you, again, just give us a sense of why you \ndidn\'t engage the beta testing on the hub?\n    Ms. Daly. Well, we didn\'t engage that part because No. 1, \nthat is usually towards the end of the project and our work \nprimarily wrapped up really by the end of June.\n    We got, you know, a quick update of certain dates before we \npublished the report, but most of the work was done a bit \nearlier and some of that information and certainly any sort of \nbeta version wasn\'t available.\n    The other part would be that that would cover more \nfunctionality issues too, and that was really beyond our scope \nbecause we were, as we understood it, GAO would have been \nlooking more at the functionality over the hub. We were focused \non the security over the hub.\n    Ms. Clarke. 
So is it that to a certain degree, there are \nsome theoretical aspects to I guess standing up the hub that \nmakes it somewhat exercise of futility for us to begin the \ntesting?\n    Or is it that you are waiting for a certain level of the \noperation to be complete before the testing becomes applicable? \nI am not clear on that.\n    Ms. Daly. I appreciate that. The issue is there are certain \naspects of testing that cannot be done until the process is far \nenough along; until enough has been built in order to do any \ntesting.\n    Now to be clear, part of our audit approach was to look at \nthe testing that was on-going by the agency as it was being \nbuilt because the agency employed a--actually, it is a system \ndevelopment process called Agile, and it is very popular right \nnow because you can build things out fairly quickly.\n    With that though, they are doing continuous testing as it \ngoes on, but this is by, if you will, development personnel. So \nwhat happens later on then is all independently confirmed, in \naccordance with what NIST calls for, and an independent \nsecurity assessment that is done after all of the internal \ntesting is done.\n    So with that, you know, we said there wasn\'t any time for \nus to go in and do it, and we didn\'t want to duplicate any \neffort that was on-going. Instead, we reviewed the documents \nthat they had available.\n    For example, as part of their on-going testing, we looked \nat whether they had identified any issues, whether they had \nlogged those issues in as they should, whether they had \ncorrective action plans in place, and saw the process that they \nwere following. So that is the answer to that.\n    Ms. Clarke. Okay. I am going to yield back, Mr. Chairman.\n    Thank you for your testimony.\n    Ms. Daly. Thank you.\n    Mr. Meehan. 
I thank the gentlelady.\n    The Chairman now--we will recognize as we do under the \nrules of the committee those Members in order of their \nappearance at the time of the gaveling down, and so \nappropriately, the Chairman now recognizes Mr. Perry, from \nPennsylvania.\n    Mr. Perry. Thank you, Mr. Chairman.\n    Thank you folks for coming to testify. I must tell you that \nevery single one of you with all due candor, your testimony is \nbreathtaking in concern for me, and I think most Americans, and \nI imagine other Members of the panel.\n    That having been said, I am not even sure. Maybe Mr. Salo, \nyou can, I will direct my question to you, but just, I am not \nsure who should field this, but, you know, I think Americans \nand Members of Congress are concerned about the navigators.\n    This is a new position for most people and we don\'t know \nexactly what it is going to be like going to a navigator, but \nwe have heard about some of their training.\n    It is my understanding that they will receive 20 hours of \ntraining. 
I just think about that in the context of the \ninformation that these--folks they will be helping us as \nconsumers decide what insurance is best and how to enroll and \nwhile right now Members of Congress in our offices cannot \nadvise the public on questions.\n    We can\'t do that right now but these folks are going to do \nthat with 20 hours of training and I just want to alert you to \nthe fact that in Pennsylvania--I don\'t know about other \nStates--but in Pennsylvania, it takes 1,250 hours to become a \nbarber.\n    All right, it takes a massage therapist 500 hours, and if \nyou want to get a driver\'s license in Pennsylvania, you have to \nhave 65 hours on the road.\n    But to navigate insurance for which has been--this thing \nhas been on-going for a couple of years now and Members of \nCongress and the whole Federal Government can\'t seem to get \ninformation out, these folks are going to be advising us with \n20 hours.\n    So with that, I am wondering, why--it was my understanding \nfirst of all, that it was originally 30 hours. Can you verify, \ncan anybody verify that, and if so, why was it cut?\n    Okay, nobody can verify that.\n    These folks are, I guess, in that 20 hours--can anybody \ntell me what training these folks, navigators are going to \nreceive regarding the security of personal information?\n    Okay, so--not that--necessarily that you should be able to \nanswer those questions. You know, this is going to range from \nSocial Security numbers to if a woman is pregnant or not. \nVarious organizations which include these individuals are going \nto be contracted to do this.\n    Let\'s just pick one. I know it is somewhat inflammatory, \nbut one would be Planned Parenthood. With the issue of \npregnancy being one of the questions being asked, is there some \nsafeguard? 
Is there some safeguard which offers consumers some \nkind of recourse?\n    Let\'s say that you know, in the information that is \ngleaned, the woman is pregnant and then this organization, any \norganization uses that information to advertise to this person \ntheir services. Is that appropriate? Is that allowed? What is \nthe recourse? Can anybody provide any information? Okay.\n    Let me ask you this. With regard to--and this is to Ms. \nDaly. Thank you very much. According to your testimony, you did \nnot review the functionality of the hub or issues specific to \nthe Privacy Act, but there is an independent--is it my \nunderstanding, there is an independent contractor that is going \nto be doing that or that is doing that currently?\n    Ms. Daly. That is correct, Congressman. An independent \ncontractor was supposed to be doing this security assessment \nthat would cover over all issues related to security.\n    With that though, that is supposed to have already been \ndone because it is supposed to be a critical part of the \nsystems authorization that was just recently provided on \nSeptember 6.\n    Mr. Perry. So if that is done, is that information \navailable? The outcomes so to speak or the report on that?\n    Ms. Daly. I don\'t believe that is generally available to \nthe public, sir, just because of the sensitivity surrounding \nthat because it would show what was tested, how the system is \nconfigured, things of that nature.\n    Mr. Perry. Well, would it--is there some report that will \ninform the public and Congress, Members of Congress, the \nFederal Government, regarding the efficacy of that testing and \nthe results? Is this system ready? Is it not?\n    If it is not, because it is my understanding that the final \ntesting for some of this stuff happens at the end of this month \nand it is supposed to go live the first of the next month, so \nwe are 20 days away or thereabout, what is the plan or do you \nknow of a plan if it fails?\n    Ms. 
Daly. Well, sir, that is a very good point, and I just \nwant to clarify that the testing I\'ve been talking about \nfocused on security aspects of the system, not on the \nfunctionality or efficacy of the system.\n    So that was beyond our scope, so we didn\'t focus on that \nbecause as I mentioned earlier, we were coordinating with GAO \nand we understood that GAO was going to cover those aspects.\n    Mr. Perry. But it is my understanding that the private \ncontractor will be assessing those other milestones so to speak \nor efficacy. Is that your understanding or don\'t you know?\n    Ms. Daly. I honestly can\'t speak to that, sir. I am sorry.\n    Mr. Perry. Can anybody else? One of my--go ahead, Mr. \nAstrue.\n    Mr. Astrue. I will say one thing. Speaking for myself, I \nnever relied on a contractor to give complete assurance on \nthese things because I mean, no disrespect to this particular \ncontractor, but they are in business to keep the Federal \nGovernment contractors happy.\n    They are not necessarily going to rock the boat. This is \nwhy an independent--this is exactly what Offices of Inspector \nGeneral are set up to do is to make independent assessments \nabout, you know, violations of legal rights, openness to fraud, \nthese types of things.\n    I am outraged that you would rely on any--I mean, MITRE is \na terrific corporation, but I would never rely on MITRE, and I \ndidn\'t when I was going through dozens of these kinds of \nprograms at SSA.\n    Mr. Perry. I have a lot more questions, but I see my time \nhas expired.\n    I yield back. Thank you.\n    Thank you, folks.\n    Mr. Meehan. I thank the gentleman.\n    The Chairman now recognizes the gentleman from Nevada, Mr. \nHorsford.\n    Mr. Horsford. Thank you, Mr. Chairman. I thank you for this \nsession.\n    I want to start by first asking: There is in fact a private \ncontractor who is doing this software system development on \nincome and eligibility verification? Is that correct? 
Whoever \ncan answer the question?\n    Mr. Salo. At both the State and the Federal levels, yes. I \nam not the expert at the Federal level; I believe there is one \ncontractor who is doing it at the Federal level.\n    At the State, generally, it is one contractor, but there \nare a variety of different private entities that have all bid \nout with the respective States to do this and to do various \ncomponents of it ranging from eligibility and enrollment to \nidentity-proofing to connectivity with the hub, et cetera.\n    But yes, these are generally private contractors. To be \nhonest, I wish that the State experience with IT systems \nvendors was as rosy as Mr. Astrue said that they are all in the \nbusiness of making them happy. That is not always true for us.\n    Mr. Parente. But there is only one contractor that has \nresponsibility for building the Federal data hub.\n    Mr. Horsford. Now under at least the Health and Human \nServices Department, the collection of this type of income and \neligibility data occurs across many programs currently, today, \ncorrect?\n    Mr. Salo. Yes, that is correct at least with respect to \nMedicaid. As I referenced earlier, there are a number of \ndifferent crosswalks that Medicaid has to do every single day \nfor many of the 72 million people who walk in and out of the \ndoor whether that is other Federal or State programs they may \nbe eligible for; TANF, food stamps. 
You can sometimes work on a \njoint application to make sure that the shared information \nworks there.\n    For individuals who are dually-eligible for Medicare and \nMedicaid, you are cross-walking information across those two \nprograms both from a claims system, from a care coordination \nperspective, from a program integrity perspective.\n    You know, Medicaid is the payer of last resort, so we tend \nto look for you know, does an individual have coverage from \nsome other third-party insurance, or even some sort of \nsettlement from a car crash or something?\n    So we interface with those systems. Like I said in terms of \ncitizenship documentation, we do all of that. We do all of that \nevery day. The program couldn\'t run if you didn\'t do all of \nthose things.\n    You wouldn\'t want the program to run if you weren\'t \naccessing across programs to get that kind of information \nbecause if you are doing that without that kind of information, \nthen you are working blind and that is not the way to go.\n    Mr. Horsford. So Mr. Salo, you said in your testimony that \nit is important that we focus on how to minimize and mitigate \nthe risks that are inherent in the interconnected parts of \nthese systems and how they work.\n    So my question and the question I hear from the majority of \nmy constituents including the insurance companies, agents, \nbusinesses, they just want this to work, and they want Congress \nto stop playing games and to figure out ways to make the law \nwork better.\n    This is the same problem that there was under Medicare and \nSocial Security when they were implemented. It is not going to \nbe perfect on Day 1. So my question is: What are some specific \nrecommendations where we can identify the potential risks and \nmitigate those risks and what are the steps that we need as \nMembers of Congress to do to ensure that we are putting those \nsteps in place?\n    Mr. Salo. 
Well, I am sure you will get a lot of input from \nother members of the panel, but, you know, I would just say \nthat I agree, you know, from our members\' perspective, we just \nwant this to work because at the end of the day, it is the \ncitizen, U.S. citizens, citizens of the State who are impacted \nand they don\'t care whose fault it is. If it goes wrong, they \nare going to blame us.\n    You know, in terms of trying to make it work well for them, \nagain, I think this type of conversation is and can be very \nuseful as we raise potential issues. You know, are there, you \nknow, contingencies that perhaps we haven\'t thought of, whether \nthey are security-related or what have you. I think it is \nimportant to get those out in the open so we can think about \nthose and plan for those.\n    In terms of concrete recommendations, you know, the \nchallenge really is, you know, again, we have got States coming \nat this from 50 different places and, you know, there has been \na challenge--there is a challenge in trying to build a system \nup in terms of time, in terms of money, in terms of bandwidth.\n    There is a challenge when it comes to the timeliness of \nFederal guidance, in terms of, you know, what States can \nexpect, what States have to go, because this is all being done \nwith private contractors, you know, you need time to build into \na proposal, into a contract, what exactly they are trying to \nbuild, and if you don\'t know until the last minute, it is \nreally hard to sort-of build that out quickly.\n    So, you know, the extent to which transparency of \ninformation from the Federal perspective comes out in a \nquicker, more clear way, that would be helpful. I could go on, \nbut I don\'t want to take up too much time.\n    Mr. Astrue. If I could add for just a few moments. 

Transparency, as my colleague has pointed out, is important and
it is also important as the OIG said that these security
documents not be fully public.
    I agree with that, but there is a difference in terms of
transparency with you and you need to know whether the system
is secure, whether it is violating privacy, whether it is doing
its job, and you don't know that right now.
    If the inspector general defines its job so that those
things aren't relevant areas, you need to go to GAO and you
need to say to them, ``You need to fill the gap where the
inspector general is not fulfilling its responsibilities.'' I
believe that the Senate has started to do that.
    Mr. Horsford. Thank you, Mr. Chairman.
    Mr. Meehan. Does the gentleman yield back? Oh, okay. I
don't want to assume anything. I am just--okay, thank you.
    At this point in time, the Chairman now recognizes the
gentleman, Mr. Rogers.
    Mr. Rogers. Thank you, Mr. Chairman.
    Ms. Daly, based on your testimony, it seems to me that the
issue isn't when, or if, but when we are going to have a breach
of the data hub or it is going to be leaked or some other
problem.
    My question is: Has the IG's office developed standards by
which a breach such as that would have to be reported to you?
    Ms. Daly. Well, Congressman Rogers, the NIST also guides
this area in which breaches are reported. There are, you know,
certain ways that information needs to be reported, it has to
be reported within a certain----
    Mr. Rogers. So you don't have to come in afterwards and
audit to find out about it, they have to notify you when they
realize there has been a breach or a leak?
    Ms. Daly. That is exactly right. They don't notify our
office actually, they notify the CIO's office. That is who is
responsible for managing that.
    Mr. Rogers. Are they also required to notify the individual
whose information was leaked or breached?
    Ms. Daly. Well, it depends on if a true breach occurs.
First, there is an assessment that is done of it determining
the amount of encryption that might have been over the data,
and if it is a high enough level of encryption, the individual
does not need to be notified.
    If there is a certain amount of, you know, risk involved
with it and that is a determination that is made in the CIO's
office, then the individual of course is notified.
    Mr. Rogers. What about consequences for the navigators, the
workers or navigators? If we find one of them has intentionally
leaked or breached the security, are there criminal penalties
that you are aware of built into the law or regulations?
    Ms. Daly. Well, unfortunately, sir, I am not in a position
to answer that today.
    Mr. Rogers. Anybody else on the panel?
    Mr. Astrue. Yes, there should be an array of--it depends on
the nature of the offense, but there should be an array of
Federal and State penalties.
    Mr. Rogers. That would already be in existence regardless?
    Mr. Astrue. It wouldn't--not to say that it might not help
for Congress to clarify on that, but there would be existing
tools for enforcement if HHS chose to use them.
    Mr. Rogers. Great. This question would be for Mr. Salo or
Mr. Astrue.
    I have got here a letter signed by 10 State attorneys
general, Alabama as being one of them, to Kathleen Sebelius
last month and among the questions--they asked several
questions they would like clarification on, but among the
questions they ask is--and this, I think about Medicaid when I
think about this since the State is so heavily involved in it
is what is the State's legal liability in this new endeavor if
there is a breach? Do either one of you know?
    Mr. Astrue. Well, with the qualification that I gave up my
law license a few years ago, I think generally on these
matters----
    Mr. Rogers. Voluntarily?
    Mr. Astrue. Yes, I did. I did.
    Mr. Rogers. Just joking.
    [Laughter.]
    Mr. Astrue. No, actually, I was afraid as a head of a
Government agency I was going to get sued individually, people
would go after my bar license, and I decided to give it up.
    Mr. Rogers. I am a recovering attorney myself.
    Mr. Astrue. Yes. I think as a general matter, this statute,
whatever else you might say about it is a classic example of a
statute that preempts a lot of State laws. In fact, that has
been part of the challenge to the validity of the statute in
the first place.
    So I think while I would not want to say that there might
not be some liabilities for States depending on how much
discretion they were using implementing the act, my personal
view would be that most of the activities because they are
being required by the Federal Government would give the State
some immunity from suit.
    Mr. Rogers. Well, it just concerns me that 10 State
attorneys general collectively, legally can't discern whether
or not they have that liability and one of the things they ask
in the letter is do they have or do their respective States
have the legal capacity or obligation to add to or supplement
the criteria by which this system is operated to make sure they
don't have legal liability. Do you know if the States will have
that latitude to supplement the security criteria?
    Mr. Astrue. I think certainly for some features of the act
they will have ability to do add-ons. I believe it was designed
with, I mean, it is tough to tell from the statute, but it does
appear that to me, that it was designed with that intent, and
certainly to the extent that you are going beyond the Federal
mandate in a discretionary way, it does seem to me that you
would be running some risk of losing the protection of the
Federal preemption.
    Mr. Rogers. Great. My time is expired.
    Thank you very much, Mr. Chairman, I yield back.
    Mr. Meehan. Does the Ranking Member have a request?
    Ms. Clarke. Yes, Mr. Chairman. I have a request that the
committee--a request for unanimous consent to have
Congresswoman Sheila Jackson Lee of Texas sit in and make a
comment during our proceedings today.
    Mr. Meehan. Without objection, so ordered.
    Consistent with the rules of the committee, those Members
of the committee who are present will take precedence over
those who join us.
    So I know the gentlelady will yield while we turn to the
former U.S. attorney from Pennsylvania, Mr. Marino, for his
questioning.
    Mr. Marino. Thank you, Chairman.
    Good afternoon, and thank you, folks, for being here today.
    Ms. Daly, you have some tough questions that you answered
and you are between the devil and the deep blue sea here
because of what the AIG technically is supposed to do but based
on the lack of information that you may have.
    So my question to you is: How can security authorization be
made without assurances to you as the IG, that the system
itself is secure? Could you explain that to me please?
    Ms. Daly. Well, thank you for the question, Congressman
Marino.
    As part of the NIST guidelines for developing systems,
rolling them out, what are the best practices agencies should
be following, that is what we have looked at with regards to
security for the data hub.
    As part of that process, the agencies are supposed to be
doing some, you know, continuous testing as it is developed
that looks at security and other things too, but our focus was
on security, and then at the end, once they get everything
developed, they are supposed to have an independent security
assessment. That is critical.
    Mr. Marino. But your assessment then is based on the
information that you are provided. Correct?
    Ms. Daly. That is correct, sir.
    Mr. Marino. You are not making any leaps of faith or
conjectures beyond at that point? You are not determining any
what-ifs?
    Ms. Daly. That is correct, sir. Yes, we basically are
reporting out facts in this case. If we had seen something that
was a significant violation in any way, we certainly would have
reported that and made a recommendation that things be fixed.
    Mr. Marino. Based on what you received.
    Ms. Daly. Exactly.
    Mr. Marino. It is like a computer, whatever you put in is
the only thing you are going to get out of it. So the only
information you get, you based your assessment on what you are
given?
    Ms. Daly. That is correct, sir. We compared what the
testing and the system development documents showed compared to
the standards that were in place at that time for that purpose.
    Mr. Marino. This is interesting. I got a phone call from a
constituent who works for the State and that person has an
insurance health program paid for in part by the State. So that
person went to the Social Security Office and because he wanted
to get information about Medicare because of the age; 64, 65.
    That person asked why I needed to sign up. As that person
explained, ``I already have insurance, I don't need it. It is
being paid for. Why put the taxpayers to an extra cost of now
the Federal Government paying and my employer coming in
second?''
    The answer the clerk gave him was that, ``We need this to
track you and to garner information about you.''
    Okay, now, I found that kind of odd. He said, ``Well, I
only want to sign up for Part A of this,'' and he again told
her that he had insurance and she told him that he would be
charged the penalty if he signed up later but the Government
needed a system whereby--needed information whereby to track
him so they could have information on him to see if he is
paying for insurance or has insurance.
    Can anyone address this for me? Because I am in a quandary
as to why.
    Mr. Astrue. Mr. Marino, with all due respect to my former
employee, I don't think that that is an accurate description.
My recollection, which is a little soft on the edges is that
there was a policy decision made in the late 1960s to link the
two together in this way.
    It has been litigated. I don't think the rationale of HEW
at that time is 100 percent clear. It was litigated fairly
recently and I remember being consulted on that litigation a
couple of times within the administration in 2007, 2008.
    I don't remember when the case was decided. I think it was
about 2010, but the decision was that the agency had
appropriately linked those two programs together.
    But again, I don't think the rationale for why was ever
particularly--I think it was lost in the midst of time by the
time it got litigated, but I don't think that my former
employee's description is probably accurate.
    Mr. Marino. Okay. Mr. Astrue, since we are talking here,
can you give me--I know you can go on for a while here, but I
only actually have--no, actually, I am over my time, but if you
could give us a little synopsis of your opinion of the IG
report; pro and con.
    Mr. Astrue. Yes, I am extremely negative. I think that
essentially what happened here is this is not according to GAAP
principles.
    Essentially, they went in, said, ``How are you doing?'' And
they said, ``Well, we are running behind, but we are doing
great.'' And they said, ``Can we see all of the relevant
documents?'' And they said, ``No.''
    If you go and read through the report carefully, you will
see that the security plan was due on July 15 and there is
nothing in the report that says that it wasn't done on July 15,
and this is an August 2 report.
    There must have been a draft at that point and I am just
not used to the idea that the inspector general comes in and
asks for things and you say no. I logged years in the agency
and I can't remember that happening.
    So this is a new IG. This is a new IG that is failing in
its duty to the American people to dig into what is happening
and give answers to the Congress and the American people. I
think it is really sad.
    Mr. Marino. Thank you. I yield back my over-spent time.
    Mr. Meehan. I thank the gentleman, and the Chairman now
recognizes the gentlelady from Texas who we are happy to have
joined us on the panel today for 5 minutes.
    Ms. Jackson Lee. I thank the gentleman and the Ranking
Member for their courtesies, and I think I have some pointed 2
or 3 questions and then a brief comment.
    I just always believe the importance of oversight and
fact-finding, and I wanted to ask Mr. Astrue, has he engaged our
present inspector general in a one-on-one conversation or
viewed his documents before your testimony was prepared?
    Mr. Astrue. No, I have not.
    Ms. Jackson Lee. Then I guess the follow-up is you have
first-hand knowledge of what might be some fractures in the
structure of exchanges presently being constructed.
    Mr. Astrue. I had first-hand knowledge through, to some
extent, through February of this year, yes.
    Ms. Jackson Lee. In what capacity?
    Mr. Astrue. As commissioner of Social Security.
    Ms. Jackson Lee. Had the infrastructure of the exchanges
begun and to what extent?
    Mr. Astrue. They had begun since at that point in time, but
there was still a great deal of fluidity in it which for me
was the source of considerable concern because the time at that
point was really, in my opinion, already too short to do the
job properly.
    Ms. Jackson Lee. But that was an opinion? Wasn't it?
    Mr. Astrue. Yes, indeed.
    Ms. Jackson Lee. It was February 2013?
    Mr. Astrue. I left office on February 13, 2013.
    Ms. Jackson Lee. But of this year or last year?
    Mr. Astrue. This year.
    Ms. Jackson Lee. Yes. So we are now in September.
    Mr. Astrue. That is right.
    Ms. Jackson Lee. So you are reflecting on the first-hand
knowledge that took you up to February and not much further
than that.
    Let's--I thank you for that.
    Let me just go to Mr. Salo. National Association of
Medicaid Directors, and I am sorry that I missed the
explanation of that, but let me go right to the crux of where
we are. We all should be concerned about personal information.
    However, I think the magnitude of the Affordable Care Act
and its overall impact on health care in America is an enormous
step forward for saving lives in America.
    What would be--do you think we are in the mouth of a whale?
Are we about to be swallowed or are we moving forward with the
appreciation and respect for personal data as you can see it
from your perspective?
    Mr. Salo. Oh, I think there has been a very, very
long-standing and very, very serious commitment to personal data on
behalf of Medicaid, on behalf of the Medicaid directors. They
know full well what happens if there is a security breach, and
it is something that nobody wants.
    There are contingency plans. There is constant work being
done with chief information officers, with the State IGs, with
security experts all the time in Medicaid.
    I think the thing to keep in mind about the big picture
here, you know, whether we are talking about being swallowed by
whales or not, is that security and privacy of data is always a
concern, but the thing that has changed is the increasingly
interconnected nature of not just our health care system but
our overall lives in general.
    You know, I am not an expert in banking or credit cards or
internet service providers. There are challenges there. The
challenges in health care have changed.
    You know, we used to store information in unlocked file
cabinets in the back of somebody's office. Was that secure? No,
it wasn't. So you had to put in place procedures. We have
decided as a society, I think rightfully so, that that is not
where we want to be and what we need for a variety of reasons
is to have much more fluid interconnection of data
electronically; whether it is claims or insurance information
or what have you.
    This is a good thing. It does bring with it different
challenges to secure privacy. Not insurmountable ones,
different ones. So we adapt accordingly. So I would just see
what we are looking at here, whether it is dealing with the
Federal hub or what have you, is an outgrowth of that natural
progression of how do we figure out how best to secure this
information in this inevitable changing world.
    Ms. Jackson Lee. My time is ending, I just want one simple
question. Is this any reason to stop moving forward on the
Affordable Care Act processes that have been put in place by
the Congress and by Health and Human Services?
    Mr. Salo. To the best of my knowledge, we will not have
security breaches----
    Ms. Jackson Lee. But this is no reason not to go forward?
    Mr. Salo. That is correct.
    Ms. Jackson Lee. Thank you.
    Let me thank my colleagues and to say that this is an
important hearing, and I also think the issue of affordable
care is crucial and I think that we are where we need to be, we
just need to be particularly more cautious, and I think we can
all work together to do that.
    Let me yield back. Thank you so very much.
    Mr. Meehan. I thank the gentlelady for taking the time to
join us here today. Let me--I have a few follow-up questions
that I would like to pursue. So I recognize myself again for 5
minutes.
    Let me just--Dr. Parente, you made some observations in
your testimony and I don't want to just leave them hanging out
there. You are an expert in dealing with health care databases,
you worked intimately in these in the past. You opined in your
testimony about concerns of not understanding how the system
would work and the potential for fraud. Would you please
elaborate on that?
    Mr. Parente. I will even go further and say most of what I
have heard today has not reassured me for several reasons. The
first is I have worked, myself, as an independent verification
and validation contractor for some Federal databases, actually
one in the State of Maryland when Maryland took a step in the
1990s to put together an all-payer database, one of the first
in the Nation.
    I worked at the time with the Delmarva Medical Foundation
and where I worked at Project Hope to essentially be that
independent verification and validation contractor and there
was a public report and because the Maryland State legislature
required it.
    I personally find it unconscionable that this contractor,
whoever it is, is not at least going to have an executive
summary that actually talks about by efficacy the performance
standards that would be essentially the safeguards that have
been put in for vulnerability tests for the white-hat types of
operations that are supposed to be put into place to make sure
that all potential compromises have been taken into
consideration.
    Mr. Meehan. Those would be the kinds of things that the
certifying officer would have to not only look at but review
and rely on. Isn't that right?
    Mr. Parente. Absolutely, and when I took that roll-on for
the State of Maryland, it was a 1-year contract. When I entered
and went to look at those databases, worked with other
contractors to look at them at different State sites because
there were several different vendors involved, and that is one
small State, let alone the scale and enormity of what we are
discussing today.
    Mr. Meehan. Well, in light of that, and that is one of the
concerns because we talked about the scope and scale of this--
Mr. Astrue, you as well, and again, I know that we are asking
only for your opinion and not the kinds of asking statements of
fact, but I do appreciate once again your testimony touched on
something rather significant and you discussed that there was a
period of time in which you believed that the HHS may have
backed away from its obligations under the Privacy Act and
potentially even in violation of the law. Can you articulate?
Did I get that correctly and would you say what you mean?
    Mr. Astrue. Yes, no, and there is a process for this in
both--and the IRS came to the same conclusion at about the same
time--so we both filed. OMB is the arbiter on those cases and
they stalled for a very long time because HHS really didn't
have very much to say on the Privacy Act issues.
    So it sat for months and months and months. It was not
resolved at the time that I left and at some point subsequently
I understand they decided that all these issues were under the
routine-use exception, but I think that is a real abuse of
routine use.
    You know, whether you believe in the Affordable Care Act or
not, you in the Congress wrote the Privacy Act. You imposed
criminal penalties for violations of the Privacy Act and so
those of us who are in the Executive branch or were in the
Executive branch, we are supposed to be respecting that. I
found the HHS disregard for the Privacy Act to be really
shocking.
    Mr. Meehan. Let's pursue that for a second. Again, as a
former prosecutor, I am concerned about this issue of routine
use and, for the record, routine use is, ``a disclosure of a
record, the use of such record for a purpose which is
compatible with the purpose for which it was collected.''
    So anything beyond that would be a violation of routine
use. So we are already beginning to collect information that
relies to some database and then there is a broad, broad
expansion of how information originally collected is going to
be utilized. Is that not accurate?
    Mr. Astrue. Yes, that is correct.
    Mr. Meehan. Okay, so even if there is an interpretation
with regard to that within routine use because it is all part
of a hub and it is used as verification, one of the great
concerns I have has been the derivative use of information that
is being gathered by navigators.
    So where we have navigators who are going to be asking
personally identifying information, do we have any checks on
whether or not they will have any other kind of use except for
the sole purpose, the entire sole purpose of facilitating
activities on the exchange?
    Mr. Astrue. No, I think that is a fine point. You, Mr.
Chairman, and other Members of the committee earlier pointed
out that these are not even typical Americans. These are
disproportionately disadvantaged Americans in some of our most
vulnerable populations.
    To send navigators out with a minimum of training, no
background checks in many instances, that is an invitation for
fraud. I have spent--I have been working on fraud against the
elderly since 1979 off and on in my career, and I just shudder
at the thought of untrained people, unsupervised by, in any
substantial way by HHS, going out with no real monitoring or
accountability systems saying, ``Hi, I am here from the Federal
Government. Let's talk about some of the most intimate choices
you need to do, and you need to apply for this, and by the way,
what is your Social Security number?''
    I mean, that is exactly the thing that the inspector
general should be screaming bloody murder about because if that
is not an invitation to widespread fraud against our most
vulnerable people in this country, I don't know what is.
    Mr. Meehan. Are you aware of whether or not there is,
within this, the requirement that there be background checks
for any individual who is going to serve as a navigator?
    Mr. Astrue. My understanding is that many of these people
are being hired without background checks.
    Mr. Meehan. So somebody could be actually convicted of
identity theft and then become a navigator?
    Mr. Astrue. I think you need to ask----
    Mr. Meehan. Mr. Salo, is that accurate? Are you doing
background checks on anybody that you are familiar with?
    Mr. Salo. Navigators aren't actually a Medicaid function so
we are not directly involved in the hiring of them so I can't
speak to whether or not there are adequate background checks or
other securities there.
    Mr. Meehan. Mr. Astrue, let me just ask one other question
again because I am trying to create a record because I want to
see what is going to happen at some future time, and the bottom
line is again because we can foresee the potential for
utilization of information that is beyond the scope of even an
interpretation of what would routine use be and we have now
identified.
    Now those people who have certified the stability of this
system in light of the recognition that those are potential
things here, willful acts of the privacy, the Federal
Government itself, and I have the case law that supports it.
    It is a willful--it is the--imposes liability on the agency
when they violate the Privacy Act by willful or an intentional
matter either by committing the act without grounds for
believing it to be lawful or flagrantly disregarding others'
rights under the Act.
    Mr. Astrue. That is exactly right and the issue first came
to my attention, and I know I talked to a Washington Post
reporter last night who was quite sure that everything I said
was horribly political and ideological, but this issue first
came to my attention because my own civil servants who would be
doing this came to me and said, ``I am afraid I am going to be
prosecuted for doing this.''
    Mr. Meehan. Wouldn't it be prudent and do you believe that
the standard of responsibility is such that before certifying
it there would be checks to assure that people with criminal
records would not have access to personally identifying
information of individuals who were going to be signed on to
the exchange?
    Mr. Astrue. Absolutely. They are going to be asking for
extraordinarily sensitive information in many cases including--
it is just a Social Security number. You know, people can run
wild and destroy someone's life, you know, taking a Social
Security number. It is a big problem in our society.
    Mr. Meehan. My time has expired.
    I now ask the Ranking Member if she has follow-up
questions.
    Ms. Clarke. I do, Mr. Chairman.
    I would like to follow up with Mr. Salo. Your testimony
mentions all of the ways in which States and State Medicaid
programs already work with a variety of public and private data
systems. State Medicaid programs already communicate with
Federal agencies to verify citizenship. Isn't that correct?
    Mr. Salo. That is correct.
    Ms. Clarke. They may communicate with other programs like
TANF and SNAP as well?
    Mr. Salo. Correct.
    Ms. Clarke. They also communicate with private entities
like private insurance companies, right?
    Mr. Salo. Correct.
    Ms. Clarke. Is it correct for me to assume that data that
is transmitted is personally identifiable?
    Mr. Salo. In many cases, yes it is. Not always, but if it
needs to be, it is.
    Ms. Clarke. So State Medicaid programs across the country
have for years exchanged personally identifiable data with
Federal and private data systems. We know that any data system
can be susceptible to a breach, but have State Medicaid
programs experienced any problem beyond those we see in the
data systems of private industry?
    Mr. Salo. No.
    Ms. Clarke. So could State Medicaid programs function
without this ability to share and retrieve data from other
systems?
    Mr. Salo. No, and I don't think we would want it to.
    Ms. Clarke. You have described a heavy lift for States, but
also a good partnership with the Federal Government to get this
accomplished. It is my understanding that HHS has made a 90:10
matching rate available for upgrades to States' eligibility and
enrollment systems regardless of whether a State chooses to
expand.
    Can you comment on the number of States that have availed
themselves of this funding?
    Mr. Salo. Yes, my understanding is that literally every
State has availed itself of that funding. There were certainly
some examples of States that had turned back other specific
funding for, call it early innovator grants, but in terms of
the money that it took and that it is taking to update, to
upgrade, to transform the current Medicaid eligibility systems,
many of which are legacy systems that go back unfortunately to
the 1980s, every State has availed itself of the 90:10 funding.
    The question then actually is: Is 90:10 enough? The
question is: Even with that, even if there were enough funding,
is there enough time to make those changes? Is there the
bandwidth within the IT systems vendor community?
    You know, I often used to joke that when we look at the
history of Medicaid and systems changes, the number of times
that you got a contract in on time, on budget, and to spec was,
well three times in the history of Medicaid.
    [Laughter.]
    Mr. Salo. So, a lot of people, I think myself included
would argue you just need to do something very, very different
here. But having said that, in the run-up to October 1, and in
the time soon thereafter, the States and the Feds and the IT
systems vendors have worked double, triple, quadruple overtime
to make this work.
    So we do believe the system will be up and running come
October 1. As I said, it will be bumpy. The consumer experience
will not be a smooth and seamless Travelocity, but it will be a
system in place that with workarounds, with, you know, having
contingency plans going back to using paper, going into the
Medicaid office, what have you, insurance and subsidies, and
that will be available, and it is our goal, it is our plan over
the next couple of months to make sure that we improve that as
we go.
    Ms. Clarke. I would agree with you. So much of our
information is in the public and private domain that, you know,
I think we need to take a step back and give this an
opportunity to roll out and work with it to make sure that the
American people get the very best access to health insurance
that they possibly can.
    I mean, just about every American has had an opportunity to
go on-line and to provide information and you know, we don't
have the most secure, unbreachable IT operations in our own
homes and families.
    So to sort of prejudge just how secure this process will
be, will be pretty relative to the security of our IT systems,
Nation-wide, the ones that we use each and every day whether it
is to pay a phone bill, whether it is to purchase something
on-line.
    I am concerned that we not create a panic around the
situation but that we give it our best efforts in terms of
providing an opportunity to make this thing work and to work
out the kinks as we go along.
    There are going to be kinks. We all know that. There is not
one system that I know of that has been perfect. People have
bought iPhones and they have been, you know, breachable right
out of the box. So, you know, let's not sit here and act as
though we have perfection on our side.
    Personal information is critical and its security is
critical to all of us, but at the same time we have managed
given the massive use of IT systems around this Nation to keep
breaches to a minimum given the number of people and
transactions that take place each and every day.
    With that, Mr. Chairman, I yield back.
    Mr. Meehan. Well I want to thank the gentlelady for
yielding back.
    I want to thank each of the witnesses for your testimony
here today. I am grateful and I appreciate, with the exception
of Ms. Daly, each and every one of you effectively don't have
to be here, that you were responsive to our inquiries, and I am
grateful for your taking the time using your professional
expertise to help us better understand a situation in which it
is still my considered opinion that this hearing has
demonstrated by virtue of testimony even more questions about
the readiness.
    There has been testimony as said it is not a question that
this needs to be a stepping-off point to prevent a system from
being put in place, but is it ready to go today?
    At a certain point, is it so clear that it is not ready
that the requirements that are continuing to push this forward
at a certain point start to become perhaps not even just
negligent, but otherwise. Great concern to me.
    Once again, I want to thank each of the panelists for their
valuable testimony.
    Well, I am not getting ready to close because the Member
from Pennsylvania has one final question.
    Mr. Marino. Thank you. I refer to my prosecutorial
background as the Chairman does. We were U.S. attorneys
together, but I want to bring up two points if I may.
    Mr. Astrue, you were questioned about when you left the
agency, and I think it was pointed out that you hadn't been
there in, what would it be now, 9 months or 8 months. How long
were you with the agency before that?
    Mr. Astrue. Six years and a day.
    Mr. Marino. You based your opinion on your experience over
that 6-year period and what you had gleaned even before that in
your career.
    Mr. Astrue. Sure, and since that time, I have tried to keep
up on the issue. I don't call into the agency, but people
retire, you talk to people----
    Mr. Marino. Well, we do call into the agency and ask
because we get calls from our constituents, ``What do I do
about this?'' ``What do I do about that?''
    Since last year up until September, and I get the same
answers now in September that I did last year and in January
and February of this year is ``We don't know.'' So given the
fact that there have been waivers, delays, I don't think much
has changed over the last 1.5 to 2 years.
    In conclusion, ma'am, could you please tell me, did you
ever have a point when you were doing these investigations
concerning security that you thought maybe a statement should
have been made to HHS, Health and Human Services, HHS
concerning I don't have enough data to form an opinion as to
what the security is going to be or not be?
    Ms. Daly. Well, Congressman, I want to focus--initially, on
the scope of our work, the scope of our work really wasn't to
provide an opinion. We were actually going out there to do just
an audit over that. We were provided the data that we had
requested if it was, even had been created.
    That is one of the challenges. I have done a number of
system development jobs over my career of a variety of systems
and it is always a challenge when you are doing this because
you are doing something that doesn't exist yet and so that
makes it more challenging to get all of the information----
    Mr. Marino. Good point. I mean, did you ever raise that?
These things do not exist yet, so how can we form a conclusion,
a factual conclusion?
    Ms. Daly. Well, that is exactly right. So in those cases,
that is why we reported that the information wasn't available
and when they expected to have it available. That is clearly
what was in our report.
    If you could beg me an indulgence, I would like to say that
I think our office of inspector general is one of the most
highly-respected in the accountability community and that we do
a tremendous job for the American citizen and taxpayer.
    Our office returned $6.9 billion in expected recoveries
last year along with over 1,100 civil and criminal actions, and
I think our record speaks for itself. Thank you.
    Mr. Marino. We rely on you.
    Ms. Daly. Thank you. Thank you.
    Mr. Marino. We rely on you.
    Again, thank you so much.
    Chairman, thank you so much for indulging me.
    Mr. Meehan. Thank you.
    Ms. Daly, I do thank you for your service.
    I thank each of the panelists. The Members of the committee
may have some additional questions for the witnesses, and if
they are directed to you I would ask that if you can, you would
respond in writing.
    So without objection, the committee, the subcommittee now
stands adjourned.
    [Whereupon, at 4:32 p.m., the subcommittee was adjourned.]

                                 <all>
</pre></body></html>