Lawmakers seek answers on Obamacare Data Hub security

Ask HHS for information on access controls, monitoring tools, and the measures used to protect against cyberattacks

Two Republican lawmakers Wednesday demanded that the U.S. Department of Health and Human Services (HHS) provide information on the measures used to secure the Federal Data Services Hub that was built to support Obamacare healthcare exchanges.

In a letter to HHS Inspector General Daniel Levinson, Congressmen Patrick Meehan (R-Pa.) and Diane Black (R-Tenn.) requested information on the results of tests conducted to verify the security of the data hub. They also wanted HHS to identify the consultants used to help carry out the tests, and to disclose what measures are currently in place to protect against cyberattacks.

"It is imperative that Congress be provided with the information necessary to understand how the Data Hub was certified and what continuing controls have been put in place to protect Americans who are currently accessing the system," the two lawmakers wrote.

"Specifically, we request information on the user access controls for the (HHS) staff and Navigators that have been determined appropriate for using the Data Hub," they noted. The letter also asked for details on any measures the HHS might have implemented to monitor for and detect suspicious activity on the data hub.

The data hub, often referred to as the Obamacare Hub, is a routing tool operated by the Centers for Medicare & Medicaid Services (CMS). The technology is designed to let state and federally facilitated healthcare marketplaces quickly verify the eligibility of individuals seeking insurance coverage.

The Hub itself does not store data and merely connects healthcare insurance exchanges with numerous federal databases at the Social Security Administration, the Internal Revenue Service, the Department of Homeland Security, the Department of Veterans Affairs and other agencies.

Though the CMS insists it has measures in place to protect data passing through the hub, many groups, including the Heritage Foundation and the Citizens Council for Health Freedom, contend that it exposes users to identity fraud.

The skepticism of such groups remained in place even after CMS reported last month that the Hub successfully passed a security controls assessment by an independent third-party auditor.

At the time, the CMS said that it had implemented controls for tracking, investigating and reporting suspicious activities and incidents on the Hub.

In the letter, the two lawmakers asked Levinson for a copy of the security audit and the subsequent authorization it received to operate the data hub. The lawmakers noted that such documents would identify any vulnerabilities in the system and the security controls it uses.

The lawmakers said the complexity of the data hub raises concerns about the security of the names, addresses, Social Security Numbers and other personal data that flows through it.

"It is unclear if certain critical best practices were conducted prior to releasing the Data Hub -- such as pilot programs and employing White Knight hackers to provide feedback on the system's vulnerabilities," they said.

The CMS did not respond to a request for comment.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.
