Since the debut of the healthcare.gov site on October 1, when most potential enrollees could not get onto the site, there has been much criticism and placing of blame. In the U.S. House of Representatives, both the Committee on Oversight and Government Reform and the Energy and Commerce Committee recently held hearings to assign responsibility for its failure to launch. At a hearing of the Energy and Commerce Committee on October 24th, representatives of two of the contractors involved, CGI Federal and Quality Software Services, Inc., testified that they warned CMS the system had not been adequately tested and was not ready to go live. Rep. Diana Degette (D. Col.) noted that the witnesses had not mentioned that more testing was needed when they testified in September.
The following week, HHS Secretary Kathleen Sebelius testified before the same committee. She conceded that the rollout of the web site was “a debacle” and apologized. Still, she said she was not aware of the specific issues regarding any failed testing or security gaps. She promised the site would be performing optimally by the end of November. But developments since then suggest that the promise may be impossible to keep.
On November 6th, Tony Trenkle, CMS’ Chief Information Officer, who was responsible for the security of the web site, announced his resignation after it was revealed that he and two other CMS officials had signed off on a “risk acknowledgement” stating that the agency’s plan for ongoing monitoring and testing would “not reduce the (security) risk to the … system itself going into operation on October 1, 2013.” The possibility that adequate security controls would not be ready was raised in an OIG report in August. The auditors found that CMS was behind schedule in its assessments of the security of the data hub used to exchange data among agencies. In July 2013, the agency extended the deadline for a final review of the security of the site to September 30, 2013, the day before the web site would launch. CMS Director Marilyn Tavenner signed off on the launch on September 27th, after Trenkle and other officials had signed the risk acknowledgement.
House Oversight Committee Hearings
On November 13, 2013, Rep. Darrell Issa (R.- Calif.) presided over a hearing of the House Committee on Oversight and Government Reform, at which several high-level HHS information technology ( IT) officials, a representative of the Government Accountability Office (GAO), and Todd Park, Chief Technology Officer at the White House Office of Science and Technology, testified about the efforts to fix the system, and management issues that contributed to the inadequacy of the site. The committee members asked many questions about the decision, made in mid-September, to eliminate the “anonymous shopping” feature of healthcare.gov and require visitors to create an account and register first. Issa asked nearly every witness whether anyone in the administration had made that decision to prevent “sticker shock” when potential enrollees saw the premiums they would have to pay. Henry Chao, Deputy Chief Information Officer and Deputy Director of the Office of Information Services at CMS, stated that the feature was pulled because it had failed during testing; Issa contended that it actually had passed security testing in September, and repeated his allegation. Chao admitted that the “end-to-end” security testing had not been completed before the launch, but insisted that his responsibilities were largely limited to specific operational issues, primarily the data hub, which he stated was not part of the security problem.
Todd Park agreed with other witnesses that best practices would require testing to begin several months before the launch date. He was not involved in the development of healthcare.gov but was brought in to work on the fix after October 1. He stated that the site now can process 17,000 applications per hour and that the response time for a user request, such as loading a page, had been reduced from eight seconds to less than one second.
David Powner, GAO’s Director of Information Technology Management Issues, testified that GAO had studied government IT acquisitions and development for years, and cost overruns and delays were common. Most recently, GAO studied successful projects at several different agencies to learn why they succeeded. He determined that there were specific best practices, particularly in program management, that were necessary for success. Among them were involvement of all stakeholders, including end users, in setting the scope of the project, the prioritization of requirements by program management, and maintaining regular communication between the agency officials and the prime contractor. GAO has developed and published best practices for government IT acquisition, and the Office of Management and Budget (OMB) also has resources available. OMB established a Dashboard to track agencies’ IT acquisitions, but Powner testified that agencies often do not enter the information accurately and timely. The healthcare.gov project consistently showed a “green light” status, notwithstanding the delays and difficulties.
Richard Spires, former Chief Information Officer at the Department of Homeland Security, testified similarly with respect to best practices in government IT acquisition. He also noted that CIOs need to have more control over their projects and that it is important that the person with ultimate responsibility for managing the project be a staff member at the agency rather than an outside contractor. In response to a question from the committee, he stated, “Outsourcing doesn’t work.”
The Committee’s Focus
Many of the committee members made lengthy statements about their opposition to the health reform law in general. Several times, they asked witnesses questions they could not reasonably be expected to answer. For example, an IT witness was asked what law Secretary Sebelius referred to when she told Congress that the law required that the site be up and running on October 1. Todd Park was asked how many people had enrolled in a plan.
Rep. Stephen Lynch (D-Mass.) expressed concern that outreach workers found the requirement to have an email address was the biggest obstacle to the enrollment of low-income people and the elderly through the web site.