Seema Verma's attempt to privatize HealthCare.Gov runs into a tiny snag...

Fire up the Wayback Machine, Peabody, and take us to September 2015:

AP's NEW "HC.gov Security Flaws" story attacks problems FIXED UP TO A YEAR AGO.

Last night I posted what seemed, at first, to be a merely-amusing (if a bit depressing) story about a Florida news station website accidentally (?) reposting a year-old AP newswire story about potential security vulnerabilities at Healthcare.Gov:

"Critical" flaw found in HealthCare.gov security

WASHINGTON -- The government's own watchdogs tried to hack into HealthCare.gov earlier this year and found what they termed a critical vulnerability - but also came away with respect for some of the health insurance site's security features.

Those are among the conclusions of a report released Tuesday by the Health and Human Services Department inspector general, who focuses on health care fraud.

The report amounts to a mixed review for the federal website that serves as the portal to taxpayer-subsidized health plans for millions of Americans. Open enrollment season starts Nov. 15.

So-called "white hat" or ethical hackers from the inspector general's office found a weakness, but when they attempted to exploit it like a malicious hacker would, they were blocked by the system's defenses.

Yikes! That's definitely a serious issue which needs to be addressed ASAP, right?

Well...you know, except for the part where the actual article specifically states that "when they attempted to exploit it like a malicious hacker would, they were blocked by the system's defenses."

So...you know, not quite so "critical" after all, I guess.

However, there's one other little problem. You might note that there appears to be a typo in the third paragraph, which lists the start of Open Enrollment as November 15, when in fact it's actually November 1st; the HHS Dept. moved the start date up two weeks this year.

Here's the problem: That's no typo. Or, more accurately, the entire article is a typo.

Here's what I mean...check out this AP Newswire article from September 23, 2014...exactly 1 year and one day earlier.

Yes, it turned out that not only was the AP's panic-inducing headline about HC.gov supposedly being riddled with security problems utter bullshit, the AP's criminally awful "journalism" was far, far worse than that:

Here's the NEW story, which includes a rather incendiary headline:

Audit finds slipshod cybersecurity at HealthCare.gov

WASHINGTON (AP) — The government stored sensitive personal information on millions of health insurance customers in a computer system with basic security flaws, according to an official audit that uncovered slipshod practices.

The Obama administration said it acted quickly to fix all the problems identified by the Health and Human Services inspector general's office. But the episode raises questions about the government's ability to protect a vast new database at a time when cyberattacks are becoming bolder.

While the AP article does link to the actual Inspector General's report in question, nowhere in the article does it say anything about when the IG audit was conducted. The entire story makes it sound as though these are new vulnerabilities/security flaws. Anyone who reads the new article, and who remembers the original story from a year ago (including myself) would understandably assume that either a) the year-old flaws weren't fixed until recently (which doesn't look good) or b) that this is a new report about a different batch of problems (which also doesn't look good).

HOWEVER, it turns out that when you read the actual IG report...

HOW WE CONDUCTED THIS REVIEW

We focused our audit on information security controls over operations and systems that support MIDAS’s database servers. The Centers for Medicare & Medicaid Services (CMS) is responsible for providing guidance and oversight for the MIDAS. Therefore, we reviewed CMS’s policies and procedures related to the MIDAS’s information security controls. We also examined documentation related to the MIDAS and conducted interviews with CMS representatives who administer the system. We reviewed contractor reports related to vulnerability scans of the MIDAS, determined whether CMS had fully addressed and remediated the vulnerabilities found, and conducted database vulnerability scans. We limited our review of controls to those that were in effect at the time of our audit. We conducted our audit work from August to December 2014.

Yes, that's right. The year-ago story appears to have been a draft version of the final audit...and according to the new AP story...

In a written response to the audit, Medicare administrator Andy Slavitt said that "the privacy and security of consumers' personally identifiable information are a top priority" for his agency. Slavitt said all of the high vulnerabilities were addressed within a week of being identified, and that all of the IG's recommendations have been fully implemented.

In other words, here's what happened under the Obama Administration:

  1. In August 2014, the IG begins an audit/security testing of Healthcare.Gov
  2. In September 2014, the IG reports their initial list of security concerns/recommendations to the CMS division.
  3. The AP runs a story on the initial (draft) IG report, with a highly misleading "Critical Flaw!!" headline which doesn't match the actual story content (blocked by system defenses).
  4. CMS resolves the more serious problems reported by the IG within 1 week of the draft report (no later than September 30th, 2014).
  5. The IG continues to run their audit until December 2014. Meanwhile, CMS continues to implement the rest of the IG's lower-priority recommendations.
  6. The IG confirms that CMS has indeed implemented every one of their recommendations.
  7. One year later, in September 2015, the IG finally issues their final report...which clearly states that the audit in the report was conducted from August - December 2014, and which also clearly states that every one of the issues they reported had since been rectified, with the serious ones having been fixed nearly a year earlier.
  8. The AP runs a new story with another Scary, Misleading Headline, claiming "Slipshod Cybersecurity at Healthcare.Gov"
  9. FOX News and other right-wing propaganda outfits pounce all over the "new" story just 5 weeks before Open Enrollment 2016 kicks off.

Got it?

OK, so what sort of technological changes did the Trump Administration bring to HealthCare.Gov? From May 2017:

The Center for Medicare and Medicaid Services (CMS) announces streamlined direct enrollment process for consumers seeking Exchange coverage

Today, the Centers for Medicare & Medicaid Services (CMS) announced a new streamlined and simplified direct enrollment process for consumers signing up for individual market coverage through Exchanges that use HealthCare.gov. Consumers applying for individual market coverage during the upcoming open enrollment period through direct enrollment partners will now be able to complete their application using one website. This reduces needless regulatory burden for businesses that provide direct enrollment services and offers consumers easier access to healthcare comparisons and shopping experiences for coverage offered through HealthCare.gov.

At the time, my response was...cautious. The headline of my post was "CMS makes 2nd sneak play to semi-privatize ACA exchanges (and this *may* be OK)". I basically took a "wait and see" attitude, and concluded with the following:

Whether this is a good or bad thing depends on your POV, really. Before it was dismantled by GOP Governor Matt Bevin, the Kentucky ACA exchange, kynect, was praised by Kentucky residents...even though many of those enrolled in policies via kynect never understood that they were enrolled in "Obamacare" or "the Affordable Care Act". They thought that "kynect" was some totally unrelated state-run program. This has led to...misunderstandings, to say the least.

In short, as long as concerns about things like security/sharing of sensitive enrollee data, manipulation of enrollees into policies which aren't the best option for them and so on are appropriately handled, this might be a reasonable change to improve the ACA exchanges...but if it's being done purely as a way of undermining and weakening the exchanges, it's a bad move which should set off red flags for ACA supporters.

Well, that was last year.

That brings me to this week:

HealthCare.gov system hack leaves 75,000 individuals exposed

(CNN) A hack was detected earlier this month in a government computer system that works alongside HealthCare.gov, exposing the personal information of approximately 75,000 people, according to the agency in charge of the portal.

In a statement to CNN, the Centers for Medicare and Medicaid Services (CMS) said the system that was exposed through the hack was the Direct Enrollment pathway, which allows agents and brokers to assist consumers with applications for coverage in the Federally Facilitated Exchanges, or FFE. The statement detailed that the agent and broker accounts that were associated with the hack were "deactivated, and -- out of an abundance of caution -- the Direct Enrollment pathway for agents and brokers was disabled."

Again: This does not have anything to do with HealthCare.Gov itself; this is the system which third-party brokerages use to interface with HealthCare.Gov.

It's also important to note that, unless I'm mistaken, those services can still be used to enroll in ACA policies; until the security issue is resolved, they'll just have to do it using the clunkier method they used before Trump's CMS instituted the new Direct Enrollment system...although that might be a while:

"We are working to get this functionality that exchanges agents and brokers use back up within seven days," a representative for CMS told CNN. When asked if the source of the hacking had been identified and if the system was in a good place ahead of the sign-up season beginning in November for coverage under the Affordable Care Act, the representative could not answer due to it being an active federal law enforcement investigation.

Um. That's not exactly filling me with confidence, guys.

It's also important to note, as both Sabrina Corlette and Carolyn McClanahan just reminded me, that...

In wake of hack of https://t.co/7v1c8gwHu8 users' personal info, it's worth remembering that @HHS relaxed its oversight requirements this year for direct enrollment sites. @GtownCHIR https://t.co/3UYmpmefAE

— Sabrina Corlette (@SabrinaCorlette) October 22, 2018

Just so.

Still, I agree with Verma that it's important to clarify the distinction between HealthCare.Gov itself and the Direct Enrollment pathway:

"I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted," CMS Administrator Seema Verma said in the statement. "We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection."