Official Memo Says the Lack of End-To-End Testing Poses “A High Risk” for the Federal Healthcare Exchange

By Linda Musthaler | October 31, 2013

Posted in: Network Security Trends

In an earlier post, I speculated that the systems behind the healthcare exchange marketplace known as the Federally Facilitated Marketplace (FFM) and hosted on were not tested end-to-end and could not be trusted to ensure data security and privacy. My speculation a few days ago is now totally confirmed by the people in charge. 

CNN has posted a “decision memo” that is directed to Marilyn Tavenner, Administrator of the Centers for Medicare and Medicaid Services (CMS), the organization largely responsible for implementing the Affordable Care Act (ACA). The memo comes from James Kerr, Consortium Administrator for Medicare Health Plans Operations and Henry Chao, Deputy Chief Information Officer & Office of Information Services Deputy Director. In other words, these are the guys who know the true status of the FFM and

The memo advises Tavenner that the lack of end-to-end systems testing poses “a high risk for FFM.” It states that various components of the system have been tested individually but not in their fully integrated state. Kerr and Chao present a two-part risk mitigation plan that, among other things, proposes to establish a dedicated security team to monitor, track and ensure the risk mitigation plan activities are actually completed.

With her signature, Tavenner approved the plan to mitigate the risks of the FFM. She signed the document on September 27, 2013—four days before the FFM went live nationwide on October 1, 2013.

It’s incomprehensible to me that senior government officials could continue to encourage people to use a system despite the fact that the people who know the most about it say that from a security perspective, the system poses high risks.

Like I said in my previous post, the Federally Facilitated Marketplace is a hacker’s dream. There’s so much personal and financial information tied into this system which we now officially know has never been tested end-to-end and that has a high level of inherent risk.
