Prepared Witness Testimony

The House Committee on Energy and Commerce

W.J. "Billy" Tauzin, Chairman

How Secure Is Private Medical Information? A Review of Computer Security at the Health Care Financing Administration and Its Medicare Contractors.

Subcommittee on Oversight and Investigations
May 23, 2001
10:00 AM
2322 Rayburn House Office Building

Ms. Jared Adair
Acting Chief Information Officer
Health Care Financing Administration
200 Independence Avenue
Washington, DC, 20201

Chairman Greenwood, Congressman Deutsch, other distinguished members of the Subcommittee, thank you for inviting me to discuss the Health Care Financing Administration’s (HCFA) information technology security efforts and our plans for the future. Protecting the confidential health information of the Americans who rely on our programs is a critical responsibility, and we take this duty seriously. I appreciate the opportunity to share our efforts and plans with you.

Confidential data are essential to carry out many of our business functions. For example, to pay a Medicare claim, we must confirm the beneficiary’s eligibility for Medicare benefits, obtain information about secondary payers, review the claims history, and perform other data-intensive activities. Similarly, for a Medicare managed care payment, we have to establish the beneficiary’s enrollment, calculate the payment amount, and forward that amount to the plan. In addition, efforts to encourage high quality care require analysis of the treatments and complications that Medicare beneficiaries experience. As manager and custodian of this data, we have a legal and practical responsibility to assure that proper security safeguards are in place for maintaining confidentiality, integrity, and appropriate availability of this data. We take this responsibility seriously, and the public counts on us to do so.

This Committee and Congress recognized this when they passed the Government Information Security Reform Act, focusing attention across the government on information security concerns. While we have not yet experienced any significant breach of our systems’ security, we remain vigilant in our efforts to protect beneficiary information. Our staff and partners like the Inspector General (IG) have identified security vulnerabilities within our systems, and we have taken appropriate steps to address them. I want to commend the IG, as well as the General Accounting Office (GAO) and others, for their assistance in highlighting these vulnerabilities and their recommendations for solutions. Their work serves as an important roadmap for us as we work to improve security across our Agency. Moreover, in our recent Chief Financial Officer Electronic Data Processing audit, the IG acknowledged that we have made progress with our security efforts. As a result of increasing use and changing technologies, the demands on our information technology architecture are greater than ever before, and security risks continue to evolve. Clearly, we must continue to enhance and improve security in order to meet today’s needs and tomorrow’s challenges.

We recognize that although perfect security is unattainable, we must constantly and rigorously improve our defenses. As the technology we use in administering our programs has grown more complex, old threats have intensified and new security threats have emerged. Even the smallest technological change can open us to new threats, which cannot always be anticipated.

As the Deputy Director of HCFA’s Office of Information Services and Deputy Chief Information Officer, I am acutely aware of our computer system security responsibilities. We have worked hard, especially in the past 5 years, to identify, correct, and prevent problems with the security of our computer systems. We have instituted a comprehensive and effective system security program across our entire enterprise, and we continue to make great strides in improving security both in our internal systems and the systems of our external business partners. We have greatly improved our security, and we have concrete plans to improve it further.

BACKGROUND

In the history of the Medicare program, there have been no significant security or privacy breaches with Medicare systems, nor have there been substantial problems with breaches of confidential beneficiary or provider data. However, we face considerable security challenges due to Medicare’s current, complex environment. The complexity of this environment is driven by the increasingly data-intensive nature of modern health care as we strive to meet our mission of providing high-quality health insurance coverage to nearly 40 million older and disabled Americans. By law, Medicare fee-for-service claims are processed by about 50 private sector insurance companies who each have their own business processes and variations in the use of Medicare claims processing software, which we are responsible for overseeing. From a technology standpoint, such decentralization requires that we transmit data with contractors to ensure that we bring together up-to-date information on eligibility, enrollment, deductibles, utilization, and other potential insurance payers. We also must share eligibility and managed care enrollment data with the approximately 540 managed care plans providing services to Medicare beneficiaries.

In addition to these demands, we are striving to make information about our programs and services more readily available to Medicare beneficiaries, physicians, and other providers. We need to provide timely solutions and ready access to information for our customers and partners so they can research Medicare benefits, billing rules and procedures, the quality and safety of care, and a host of other subjects. However, we must balance this need with our responsibility to protect sensitive information from unauthorized access, such as preventing "hackers" from violating our internal systems via our public Internet sites. And we must address both of these priorities within the aging nature of our current information technology infrastructure.

We learned a great deal about how to address information technology challenges two years ago when, in partnership with Congress and over one million health care providers across the country, we successfully met the Year 2000 challenge. Now, with our resources no longer committed to that effort, we have resumed efforts to implement legislative changes mandated by the Health Insurance Portability and Accountability Act, the Balanced Budget Act of 1997, the Balanced Budget Refinement Act of 1999, and the Medicare, Medicaid, and SCHIP Benefits and Improvement Act of 2000. We also have initiatives to modernize other areas related to our business functions, including establishing the HCFA Integrated General Ledger Accounting System, to readily support a "clean opinion" on our Chief Financial Officer audit; and we have refocused on the security responsibility that comes with using ever-improving information technology.

INFORMATION SECURITY

In 1997, HCFA’s first Chief Information Officer, Dr. Gary Christoph, was hired, and he began an effort to identify security deficiencies in our internal systems. Under Dr. Christoph, we began testing for security problems so we could better realize what problems exist, where they are located, and how we can prevent them. Under this guiding principle, we became one of the first non-military Federal agencies to initiate third-party penetration testing of systems. We used an "ethical hacker" to test for vulnerabilities at our Agency and at some of our claims processing contractors before someone actually seeking to do harm could discover them. It is imperative to uncover these vulnerabilities, and in many cases we agreed with and implemented the contractors’ recommendations. In other cases, we analyzed the findings, considered the recommendations, and developed solutions that more appropriately fit our business needs while still addressing the underlying vulnerability. In all cases, we recognize the seriousness of any vulnerability and know we must carefully balance security with our other business responsibilities. We do not share confidential beneficiary information for marketing or other commercial purposes. We also have been conservative in moving to new e-business technology, to ensure that adequate protections are in place before we use this type of technology. Moreover, from Fiscal Year 2000 to Fiscal Year 2001, our spending on major information technology security projects increased from $5 million to $11.7 million.

In 1998 we began work on an Enterprise-wide Systems Security Initiative that follows guidance from the National Institute of Standards and Technology and the Office of Management and Budget Circular A-130, which established policy for the management of Federal information resources. The central tenet of our initiative is to understand and mitigate the risks to our information in the most cost-effective manner. As you know, this effort slowed when we had to dedicate the vast majority of our information technology staff time and resources to Year 2000 remediation efforts. We resumed focusing on the Security Initiative in 2000, implementing it along two parallel tracks: one track focuses on security inside the Agency, and one examines our external business partners, beginning with the Medicare contractors.

The Security Initiative's implementation at the Medicare contractors began in earnest earlier this year when we published baseline security requirements for the contractors and followed up with an assessment tool to compare how their security measures match our core requirements. The results of those assessments will serve as a valuable work plan for our security efforts in the future.

Our internal HCFA efforts have been ongoing for a longer period of time, and we have made substantial progress. We continually assess our internal risks and vulnerabilities and take remedial actions to address them as aggressively as possible within our available resources. For example, we have developed improved procedures and tools for managing access to our data. These efforts help ensure that only staff who have a proper and legitimate professional need have access to sensitive information and that the staff use these data appropriately within our strict guidelines. We look carefully at whether an employee's job entails a "need to know" confidential information. Even our senior staff, including the Chief Information Officer and me, cannot browse this information because we do not have a "need to know." Additionally, we are publicizing our intensified data security efforts to the entire Agency and contractor staff, informing them of their responsibilities, and reminding them that bad habits, such as sharing system passwords, could lead to unintended consequences. And beginning this summer, all HCFA staff will complete annual training on computer security. We believe that this strong effort to protect sensitive material will itself deter individuals from even attempting to violate our systems.

Throughout our implementation of the Security Initiative, we have pursued self-testing of our security controls. Periodic recurrent testing can detect new vulnerabilities that have surfaced because of new technology, and reaffirm that old vulnerabilities have not been reopened. We also continue to use third-party contractors to conduct "white hat" penetration tests of various portions of our computer network. When we began these tests over 3 years ago, we focused on looking into the Agency from external networks such as the Internet. Recently, we conducted more refined testing by looking internally at our network from the perspective of an authorized HCFA user. This is important because published industry-wide statistics indicate that authorized users or employees are suspected as the largest source of security breaches.

Along with our own self-assessments and contractor testing, audits performed by the IG have aided us in identifying security vulnerabilities in our information systems. For example, the IG found that Agency and contractor employees could have had unauthorized access to confidential information, because passwords were not being administered properly or computer programmers could have had inappropriate access to some files. They also found instances where people could have had inappropriate access to the areas where computers were stored. In each of these instances, we have worked hard to address the vulnerabilities, and we have made significant progress. For example, we have recertified all of the individuals with password access to our systems, purging hundreds of individual passwords from our systems. Additionally, we have secured areas that before permitted inappropriate access to our computer hardware.

Some of these vulnerabilities were easy to address, while others are longer-term projects that require more intensive attention. And we remain open to suggestions of additional ways to improve our security. Information technology continues to evolve, and we will always have to strive to keep our health data secure.

CONCLUSION

We have been working hard to protect confidential health data. Our goal is to build upon a multi-layered series of security defenses, utilizing firewalls, scanning software, intrusion detection, administrative controls, access controls, good authorization procedures, and recurrent security training and education for staff, among other things. Taken together, these layers of protection establish a solid security posture for our Agency. We face major challenges in continuing to implement and improve our computer security program. Over the next fiscal year, we expect to put our security policy statements into action and develop specific standards, including establishing minimum floors for protecting all of our sensitive data.

We want to continue to work with you and our other partners to make sure that we protect this information and fulfill all of our responsibilities as effectively and efficiently as possible. Thank you for your support and assistance, and the opportunity to discuss these important issues with you today. I am happy to answer your questions.
