Voters, Administration Don’t Expect Perfection on Exchanges

The Obama administration has found their line when it comes to setting expectations for the second roll-out of the federal exchange website: “Improvement but not perfection.”

It’s the semi-optimistic catch-phrase officials have used in congressional testimonies over the past few weeks to describe how well will work come November. Andy Slavitt, principal deputy administrator at CMS said it during his testimony with the House Ways and Means Committee last week. Marilyn Tavenner, CMS administrator used the line during her testimony Thursday morning for the House Committee on Government Oversight and Reform.

Voters also seem to be preparing for problems and not perfection as they head back to the site. Open enrollment begins November 15.

Morning Consult polling shows more than half  of registered voters — 54 percent —  are very concerned or somewhat concerned about security breaches on and the state exchange sites. Thirty-nine percent of registered voters were not too concerned at all.

Fifty-four percent of Democrats and 59 percent of Republicans polled are very concerned or somewhat concerned about security breaches on and state exchange websites. Among Independents, 49 percent were very concerned about security breaches and 42 percent were not too concerned. Polling was conducted from September 12-13, 2014, among a national sample of 2,188 registered voters. The Wall Street Journal reported this month that a hacker breached the site in July.

Screen Shot 2014-09-19 at 10.35.25 AM

A steady drumbeat of Republican criticism on the safety of the site haven’t done much to assuage public fears about putting their information on the cursed federal health exchange website.   As of March 2014, CMS reported spending $840 million for the development of and its supporting systems, according to a July 31 congressional testimony report by William T. Woods, director for acquisition and sourcing management for the GAO.

A Sept. 2014 GAO report says CMS still has much work to do on the site before November.

“While CMS has taken steps to protect the security and privacy of data processed and maintained by the complex set of systems and interconnections that support, weaknesses remain both in the processes used for managing information security and privacy as well as the technical implementation of IT security controls,” wrote the agency.

The 78- page document goes into detail about CMS’s incomplete security plans and privacy documentation, incomplete security tests, and not establishing an alternate site should the go under like it did last year. In addition, the agency found the site had weak password requirements and inconsistent security fixes. The report also said lackluster communication between various contractors for may have contributed to the weak security controls.

In Morning Consult’s polling, 66 percent of Democrats believe their individual information is very secure or somewhat secure on the federal and state exchange website while 50 percent of Republicans don’t think their information is not secure/not too secure at all. Forty-five percent of Independents believe their information is safe while 41 percent don’t think it’s safe.

Screen Shot 2014-09-19 at 10.30.23 AM

Fifty-two percent of registered voters believe their individual information is very secure or at least somewhat secure on the federal and state exchanges.

“Protecting consumers’ personal information is a top priority” said CMS officials in an email. “When Americans use, their data is protected by stringent security measures that adhere to industry best practices and meet or exceed federal standards.”

CMS and HHS officials said they’ve already started working on recommendations from the GAO’s September report. HHS said in a statement they do quarterly security control assessment by an independent, private sector third-party, daily security scans and weekly penetration testing finding vulnerabilities that can be exploited in the system.

However, a point of contention between HHS and the GAO is how to do testing. Instead of doing one big test on the site, HHS tests new parts of as they come online. The testing done on the site meets or exceeds the National Institute of Standards and Technology (NIST) standards, said an HHS official. They do annual security control assessments on the federal marketplace site, even though the industry standard is once every three years.

They’re planning to do another site test later this month.
In her testimony on Thursday, Tavenner said the agency has been working tirelessly ahead of the Nov. 15 open enrollment date including “addressing the execution and technology lessons we learned during the first open enrollment period with a disciplined, highly accountable and visible management structure.”

Matt Bishop, a professor for computer science at University of California Davis, said there are always trade-offs of some kind when it comes to security. No security measures are perfect, he says.

“Quite frankly you should be concerned anytime you put personal information on the web,” Bishop said. “If ( was (built) correctly then it should be no less secure than if you were doing banking on the internet.”

Morning Consult polling also found 42 percent of registered voters still prefer to sign up for health insurance online while 30 percent would prefer to sign up using a paper application.

Screen Shot 2014-09-19 at 10.19.10 AM


Bishop said the good thing about paper applications is someone has to have physical access to a paper application to use it. But depending on the application, paper ones can be cumbersome to work with and mail can get lost, he said.

“Anecdotally, our staff and volunteers sometimes hear from consumers who are generally uncomfortable sharing personal information online, but those consumers don’t usually have a specific concern about or the state marketplaces,” said Justin Nisly, national press secretary for Enroll America in an email.  “In those cases, we encourage consumers to use the telephone hotline, or to visit an in-person assisted in their community.”

Patrice Howard, vice president of administrative operations, for the Southern Illinois Healthcare Foundation said they have navigator calls three times a week and website security issues haven’t been a voiced concern among consumers. SIHF received a $240,113 navigator grant from CMS last year. This year they’ll have 31 navigators spread out among the region.

“One of the requirements in the grant was to make sure we were in a secure location and that we had privacy screens for the computers,” Howard said. “Security is one of our prime priorities, so we’re already accustomed to protecting information for a patient.”

She said with technology changing more people are getting comfortable with with putting things on the computer. However, one of the precautions SIHF takes as they’re finishing the application process online is having clients write down their unique IDs and passwords for or the state’s Medicaid site.

“Everything they do at that point is taken with them,” Howard said.

Adam Fox, director of strategic initiatives for Colorado Consumer Health Initiative, said they hadn’t heard from community organizations helping with enrollment that security on Connect for Health Colorado, the state’s exchange website, was an issue for consumers. He said most of the time, health care navigators are cautious about making sure the people they’re helping are entering their information on the website on their own rather than having the navigator do it.

“There are people not as comfortable going through the official process on the computer and I think that’s where health care guides bridge things,” Fox said on MC’s polling regarding application preferences. “(Health care guides) make it more accessible and an easier process for people…if people have the support of navigators the percentage comfortable with the online process would increase significantly.”

Morning Consult