In the marketplace coverage every day through special enrollment periods. This is the most recent count of people who have coverage throughout the marketplace. Each month this number will change slightly as consumers transition in and out of coverage, as their life circumstances change. Everything from getting a new job to moving to a new state or becoming eligible for Medicaid or Medicare. There's also good news about Medicare. Spending for Medicare beneficiary is growing slower than the overall economy. The Medicare trustees recently projected that the trust fund that finances Medicare's hospital insurance coverage will remain solvent until 2030, four years beyond what was projected just one year ago. We strive to make health care safer and better. In the last five years we've seen a 9% reduction in harm in hospitals such as decreased health care associated infections. This represents over 500,000 injuries and sections and adverse events avoided, over 15,000 lives saved and approximately 4 billion in avoided costs. This adds up to better health care at a better price, and I know that makes a real difference for real people. Consumers also trust us with their personal information, and I take that trust very seriously. Security and privacy are one of our highest priorities. CMS has decades of experience in operating the Medicare program and its supporting systems, and we successfully protect the personal information of both beneficiaries and providers. However, we must continue to be vigilant and evolve our assessments and actions to keep up with ever-changing threats. Consumers can use the marketplace with confidence that the information is safe and take comfort in knowing that no personally identifiable information has been maliciously accessed from the site. Our systems are designed with security in mind and our focus on security is ongoing. It did not end when the marketplace launched.
CMS conducts continuous monitoring using a 24/7, multilayer professional security team and penetration testing. Our systems comply with standards promulgated by NIST and the Office of Management and Budget. There is risk inherent in any system. It is simply, sadly, a part of the cyber world in which we all live. We appreciate the work done by the GAO to suggest additional controls to help us further protect against these risks and are already seeking to improve upon the security protections in place. As we look forward to our second enrollment period, our goal is to build upon this progress and to address outstanding challenges. We're working to make it as seamless as possible for people to reenroll in coverage, and reinforcing our outreach to help more uninsured consumers enroll in coverage. We are making management improvements with clear accountability and committed to being transparent. This coming year will be one of visible and continued improvement, but not perfection. As problems arise, we will fix them, just as we always have. Throughout my career as a hospital executive, nurse and public servant, my focus has been on providing people with high quality health care. I'm proud of the progress we've made at CMS and I hope to continue to work with Congress on our efforts. Thank you. Thank you. Miss Barron-DiCamillo. Is that close? Okay, I'll try to do better. Thank you. Start again? Chairman Issa, Ranking Member Cummings and members of the committee. Thank you for the opportunity to appear before you today. We are also making every opportunity and every effort to be transparent at DHS, to be as transparent as possible. My name is Ann Barron-DiCamillo. I'm the director of US-CERT within the National Cybersecurity Integrations Center. We lead the company of Homeland Security's efforts in cyberspace to respond to major incidents, analyze threats, and share critical cybersecurity information with trusted partners around the world. US-CERT is a 24/7 operations center and receives and analyzes hundreds of incident reports a day. We work with public and private sector partner organizations and are committed to the protection of privacy and civil liberties for all Americans. At US-CERT we strive for a safer, stronger internet for all Americans. Established in 2003, US-CERT initially focused on securing U.S. federal systems networks. DHS's cybersecurity capabilities have grown immensely since the establishment of US-CERT and we are working more closely than ever with partners across public and private sectors to develop a comprehensive picture of malicious activity and mitigation options. Cybersecurity is a shared responsibility and a continuous process. Our focus is helping our partners build a resilient and secure ecosystem in cyberspace. Protecting the networks requires coordination across a cyber community to enhance others' capabilities as we continue to mature our own. While DHS leads the effort to secure federal civilian networks, agency heads are responsible for assessing risk to their systems and taking appropriate measures to secure their networks. US-CERT supports agency heads and chief information officers in carrying out these responsibilities. I'm here today in a technical capacity to provide findings from our analysis of the compromised test server at healthcare.gov. US-CERT was notified of an incident by CMS, who has the oversight responsibility of healthcare.gov. We conducted analysis of the images provided to us by CMS and found evidence of malware on a test server. As stated by the Ranking Member, our analysis concluded that there was no indication of personally identifiable information, also known as PII, exposure, and no indication of data exfiltration. Additionally, there's no evidence of any lateral movement within the network or further infection. We provided CMS a report with the findings as well as mitigation recommendations.
Additionally, we were able to share indicators from our analysis so agencies, partners and stakeholders could better protect their own networks. We are in discussions with HHS to provide further onsite support. DHS remains committed to working with its federal and private sector partners to create a safe, secure and resilient cyberspace. I look forward to answering any questions that you might have. Thank you. I will start with you then. When did you find out you were going to appear here today? I believe I was informed on Monday. When did you begin preparing for today's hearing? When I was informed on Monday. Okay. Has CERT done a security testing of healthcare.gov? We were provided images from CMS of the compromised test servers. We provided analysis I appreciate that. The question was, has CERT conducted any security testing of healthcare.gov's vulnerabilities. No. As I stated in my opening remarks so when Miss Tavenner says there have been no loss of personally identifiable information, if you don't know the vulnerabilities, how do you know that how would she know that to be true? I believe that CMS conducts their own scanning and testing. But I'm happy did you verify their scanning and testing to be sufficient? We would be happy to provide that information. Did you? I haven't been provided any details. You don't know that? Within the test network? Yeah, it boils down to, you're here as an expert that I didn't expect from an organization that refused to give my staff any briefing related to it. I do apologize for that. I was under the impression that our staff was working with your staff to answer those questions. As of yesterday afternoon, they put people who didn't have technical expertise on who told us they would get back to us. That's after more than a week of information we have put in the record where we were denied that. Maybe I'll go on to GAO. I'm going to ask first of all your indulgence.
When this hearing is over, I would like you to accept pardon me? I wanted to hear what you had to say. That can happen. I would like you to accept a briefing and do a supplemental related to the 13 breaches. Okay. Miss Tavenner, I'm going to presume you will agree you will have full access to all information related to that so that GAO may develop specific additional recommendations based on the actual breaches, the 13 incidents. Yes, sir. Okay. That will allow us to get what we don't have here today. I appreciate that. You have gone through an extensive amount. Would you describe for the committee the level of cooperation you believe you got? We have heard what you didn't get. Are there good news stories in the cooperation as you did your investigation or your audit? There is some good news and some not so good news, Mr. Chairman. As we began our audit, and generally we do receive good cooperation from the agencies that we audit, as it relates to receiving information requests that we provide. And in this case initially, there were delays in providing certain documents that we had requested. In addition, there were certain CMS attempted to put certain restrictions on the on some of the documents. Did they cite why they were restricting? Are you just not trustworthy? I think they indicated they were concerned about the security the sensitive security information. They don't trust you? I wouldn't say that, sir, no. But we elevated the issue within GAO and within the department. We reached an agreement to where we would be able to and they did provide the information for us to look at. At the end of it all, there was no reason after it was elevated there was no reason that they should have denied it to begin with? In my view, no. They should have provided it earlier. But at the same point, you know, they had a concern about the security of the information. So they tell us.
But you know, their motivation would probably be better addressed by the administrator. Limited time. I want to set the stage for what others on both sides of the aisle may ask here. When you looked at the robustness of how they determined with such certainty that there had been no breaches, no loss of personally identifiable information, were you satisfied that that all those procedures were robust enough with the certainty that Miss Tavenner said that no losses had occurred, that no losses had occurred? Well, we did not receive actual security incident reports on these incidents, at least on the 13. We did receive a written response to an interrogatory in which they indicated that at least for the 13, that there was certain PII that was compromised or disclosed to an individual. But it was consumer. It was through a technical glitch. Wait. I want to understand. Personally identifiable information was lost or disclosed? Was disclosed according to their description. Miss Tavenner, others will ask additional questions. But your opening statement said none had been lost. How can we reconcile none has been lost with a sworn statement that some has been lost? I think what my statement said is there were no malicious attacks. Oh oh, so if you just screw up and put the public's information out there, it's okay? Because it wasn't a malicious attack? No, sir. I don't think any time we put consumer information out there it's okay. But I okay, so my time has expired. And I want the Ranking Member to have full time. I want to make it clear that wordsmithing of no malicious was done versus accidental just as we discovered at the time of the launch, that if I went to the section above where the URL normally is. When that thing was launched, if I simply typed in a different number or a different state code I could have looked at somebody else's record. That was part of what you guys had wrong on the day of the launch.
Is that you could simply go to somebody else's record by changing that long streak at the top. Meaning no code. That wouldn't have been malicious, I guess, except if somebody were doing it to see what they would get, that would be a little bit malicious. So when you say no personally identifiable information was lost through malicious, what you're saying is you don't know how much was lost, you just believe that the definition of malicious wasn't met. Is that right? I actually I think this relates to the personal incidents and I do think that we want to cooperate with the GAO on that and we're happy to review those. Thank you. Your desire to want to cooperate after we bring you here involuntarily for a hearing is most appreciated. But quite frankly you should have cooperated with the GAO beforehand. Sir, I think I always like to cooperate with the GAO and the OIG and we've had over 140 open audits under way. I think we have cooperated. I'd also like to say I came here voluntarily. Thank you. Danny? Lacy. The distinguished gentleman from Missouri is now recognized for five minutes. Thank you. Thank you, Mr. Chairman. Thank the Ranking Member for yielding his time. Mr. Wilshusen, GAO found that healthcare.gov had security weaknesses when it was first launched, in part because of a lack of adequate oversight of security contractors. Is that right? We found that with respect to when it was first deployed recognize that our audit occurred subsequent to the initial deployment. We found that based on review of the documents that there were certain vulnerabilities in controls that had not been tested at that time. And that there were a few vulnerabilities that had been identified through testing, through which the CMS had accepted in order to give provide an authority to operate. Whose responsibilities were incumbent upon the contractor, correct? It well, overall responsibility, it rests with the service with the contractor? Or?
I believe I think in some cases there may be incidents where we did identify weaknesses that were operated on systems operated by a contractor. But that was subsequent. Okay, okay. During the course of our audit that doesn't necessarily pertain to prior to the system. Or to the deployment of the system. Sure. And GAO report found that there was not a shared understanding of how security was implemented among all entities involved in the development and security testing of the website, is that correct? Yes. That's correct. What we found, too, is that in certain instances where CMS told us who was responsible, the contractor that was responsible for certain tests, such as assessing the security or implementing security on the firewall, it went to that contractor. The contractor indicated it was not his responsibility, that it was another contractor and that responsibility was not identified in that contract statement of work. Yeah. But scenarios like this obviously increase the likelihood of security risks, is that correct? Yes, sir. And was there a specific CMS official or group that was responsible for overseeing the security testing of healthcare.gov? Is there a group? Well, overall, the CMS CIO and CIS, I'm sorry, chief information officer and chief information security officer has overall responsibility for reviewing and assuring the security over this system. Now, for a project of this magnitude, shouldn't an agency official with a broad understanding of IT security testing oversee contractors? I would say yes. And was that the case here? I would say that, you know, there is the CIO, CIS would be the individual that would have that responsibility. Over all. Okay. Who would the CMS official be that would have that kind of understanding of IT security? Was there a person in place? Yes. They had the CMS CISO. In addition there's several individuals that were responsible for aspects related to security over the healthcare.gov.
There is also an information system security officer that has responsibility for assuring that security controls are properly met. You know, the issues with IT security management did not start with healthcare.gov. As a matter of fact, this is a broader government problem that needs to be addressed. Don't you think? GAO has been reporting information security and federal information security as a governmentwide high risk area since 1997. So sadly, yes, it's a broad government issue. There have been weaknesses as an example, for fiscal year 2013, 18 out of the 24 major federal agencies covered by the Chief Financial Officers Act reported either a material weakness or significant deficiency in their information security controls for financial reported purposes. 24 out of the 24 IGs, that's 21 out of the 24 agencies cited information security as a major management challenge. So it would be fair to say that all internet facing systems that all internet facing systems both in the federal government and the private sector, involved some risk, is that correct? Given the nature of the internet and the capabilities and prevalence of hackers who might try to exploit vulnerabilities, yes, the answer is, there is risk in conducting online transactions. Thank you for your responses. Mr. Chairman, I yield back. I thank the gentleman. We go to the gentleman from Florida for five minutes. Thank you, Mr. Chairman. I have a copy of your report dated September 2014. In that, you, in fact state GAO found first of all, I think you found that testing was not complete, and that the whole program was rolled out with weaknesses in security and protection of privacy. Would that be an accurate statement? Okay. I also see that you say GAO strongly asserts that testing of the website still remains insecure, is that correct? I would say that the testing of healthcare.gov and supporting systems has not been comprehensive. Even to date, we have risks, is that correct? Today we have risks.
Security risks, privacy information risks. Okay, thank you. The rollout, they actually rolled this out, I saw in the report four states had not taken action to secure privacy? I would characterize it more as they had not met CMS security requirements. Right. Security requirements. And we'll have those for the record, the states. So it's incomplete testing. Then, I see basically a coverup of the failure that took place. Did you see any of that? They were trying I went through some of these emails and some of the record, the committee has. I don't know if you saw this. It looks like quite a coverup or they tried to not let the public know the failure of the rollout and the failure of them to protect this information, is that correct? I'm sorry. I could not comment on that, because I have not seen I can tell you, it's page after page. I mean, I can't even use some of the language used here. Mr. Chairman, I would like to have some of this submitted. Without objection. The entire report will be placed in the record. It's astounding, again. This is a blanking disaster. I mean, this is one of the HHS people who saw what was going on at CMS. Politico has a two-day story that talks about the issues, the most detailed explanation, stating the overwhelming traffic that could have been replicated in testing. Just one point after another of the coverup. I think, unfortunately, people like Miss Tavenner were involved in some of the coverup. Did you ever attempt, ma'am, to have any emails or records deleted to what was going on in the failure? I'm not aware of the emails. I'm not seeing the emails you are responding to. I can't answer that. Well, I have one email here. You had asked that it, in fact, be deleted. I can supply you with a copy of it. It says, please delete this email. It goes on to detail what was going on, the failure that was going on. First of all, there was a company by the name of Serco that was employed to or retained, a contract of 1.2 billion, is that correct, to process the paper applications? We retained them. I don't have the amount in front of me. Again, this email talks about Serco, and the failure of the proper processing. There were problems with processing the paper applications? Congressman, I'm happy to it had nothing to do with the awarding of a 1.2 billion contract you would tell the committee, too, right? I don't understand what the question. The contract to process paper. Here you are talking about I'm actually not part of the here you talk about the problems with the paperwork. You are asking for deleting of information. Then I looked a little bit into Serco. Did you know that Serco had been awarded the contract of 1.2 billion contract while they were being investigated? It's a British UK firm and they were being investigated for some fraudulent activities in the UK as they were being awarded a 1.2 billion contract? No, sir, I didn't know that. You weren't aware I think I stated that last year in a hearing. Any of the background. Again, I think we need to put this Mr. Chairman, I would like to put this email in the record where the witness asks that we delete this particular email and the problems with Serco at that point. Without objection, so ordered. Finally, are you aware that you violate federal law when you asked to delete information like this? Again, congressman, I would need to see the email. We'll provide the witness, if we could. We will pause quickly. If you send it down to her. We might as well get it quickly done. I would ask unanimous consent to stop the clock and give her an opportunity to read it. Thank you. Just simply, is that your email and did you ask to have it deleted? At the beginning, it states pretty clearly your intention. Mr. Chairman, I will defer to you to get a response from the witness. This email is from me, yes, sir. That's accurate. And this email was written to Julie Bataille, who at the time was involved in the call center.
And I think this was about the call center information. I think that I asked that she delete this email because it involved sensitive information regarding the president's schedule. And I think that's actually the area that's redacted. But, no, it is not normally my custom to ask sometimes I would ask things be close hold or do not forward. In this case, it involved the president's schedule, if I remember this correctly. I would also I want the entire content of the email entered into the record and the reference further down to Serco. Thank you. Yield back. Thank you. I would just briefly, if we could have indulgence. Why would the president's schedule after the fact have any relevance to being needed to be deleted? I hear you. The president's schedule becomes very public in real time within a very short period of time. So I can't answer the reason to why this was redacted. I didn't make the decision to redact it. That's done by our oversight committee. You were surmising it had to do with the president's schedule. The president's schedule is not all that secretive. After the fact, it has no relevance for protection. I understand. Under the Federal Records Act, your communication is to be retained, correct? And it was retained. My immediate staff was copied on that. That's why you have it. It was retained. So deleting it doesn't change the fact that it had to be retained for the Federal Records Act? It is retained. And, in fact, if you are asking about our response to NARA, we did that out of abundance of caution. Because we weren't sure. I didn't necessarily retain emails if they related to scheduling changes and this sort of thing. Going back to the issue of transparency and trying to be forthcoming about information, we decided to notify NARA. I would hope that the unredacted versions of all of this would be made available to the GAO. And I would ask simply that unredacted versions be seen by the GAO to see if, in fact, it's consistent with what we are hearing.
A unanimous request. I have articles about Serco and people paid to do nothing, Serco's checkered past, foreign company for Obamacare and an article, the unhealthy truth about Obamacare, contractors. I would like these without objection, so ordered. Thank you. With that, we will go to the gentleman from Pennsylvania for five minutes. Thank you, Mr. Chairman. Thank you to the witnesses for joining us here today. Yeah, I'm good with that. One of the most critical features of the Affordable Care Act is that it expands Medicaid eligibility to millions of low-income American adults. Prior to the ACA, Medicaid eligibility was restricted primarily to low-income children, their parents, people with disabilities and seniors. In most states, adults without dependent children were not eligible for Medicaid. According to a study issued in April 2014 by the Kaiser Family Foundation, only about 30% of poor nonelderly adults had Medicaid coverage in 2012 and uninsured rates for poor adults were more than double the national average. Under the ACA, Medicaid eligibility can be expanded to cover all nonelderly adults with incomes below 138% of the federal poverty level. Administrator Tavenner, is that correct? Yes, sir, I believe that's correct. The federal government pays states 100% of the costs for the first three years and then phases that down phases its match down to about 90% in 2020. Despite this enormous level of federal assistance, more than 20 states have decided not to participate in the expansion leaving millions of their own citizens without healthcare. Administrator Tavenner, can you comment on the coverage gap that is resulting from these decisions not to expand Medicaid in those states? Yes, sir. I would start first by saying, with Pennsylvania's recent decision, we are now at 27 states, I believe, plus the District of Columbia, who have decided to expand Medicaid.
Obviously, if you look at a lot of independent studies, there's noticeable difference in the states that have decided to expand Medicaid in terms of lowering the number of uninsured. We're going to continue to work with the remaining 20 something. We meet with them on a regular basis to do what we can to encourage folks to expand. By not participating, aren't the states that aren't leaving billions of federal dollars on the table that could be used to improve the health of their own citizens? Yes, sir, they are. And it's also it has economic consequences for those states as well. Of course. Recently, some Republican governors, as you have alluded to, who had originally refused to expand Medicaid, have now reconsidered their original decisions and have submitted Medicaid expansion plans for CMS's approval. For instance, in my own state of Pennsylvania, as you mentioned, they decided to expand Medicaid which will now provide health insurance to 600,000 low-income adult individuals in our state. Administrator Tavenner, how will Medicaid expansion in Pennsylvania impact the health of its citizens? I certainly can get you information from independent studies. But there's a different correlation between coverage of insurance and long-term health improvement. Good. Now, I don't want to leave this question out. Other than political posturing by the Pennsylvania governor, are you aware of any good reason why 600,000 good Pennsylvanians went without coverage for an extra nine months from the rest of the states that expanded Medicaid right away? No, sir. We want everyone to expand and expand quickly. Well, Administrator Tavenner, why do you think Republican governors are so divided on the issue of Medicaid expansion? Sir, I can't answer that. I'm not sure. I'm sure each state has their reasons. We try to work with them and meet them where they want to be. All right.
Do you expect to work with additional governors who previously opposed Medicaid expansion but are now considering reversing their decisions? Absolutely. Well, I want to say I thank you for coming here today. And I thank you for your testimony. I hope that governors in states that have so far not elected to expand Medicaid will reconsider, will consider the impact on their communities, to take advantage of this historic opportunity to lift up all of the Americans in their states as well. Thanks again, Administrator Tavenner. I yield back. Would the gentleman yield? Oh, okay. At some future time, I'm happy to work with you and explain Republican governors to your satisfaction. With that, we go to the gentleman from Utah. Perhaps a man that will some day be a Republican governor. For five minutes. Reclaiming my time. I thank the chairman. And thank you all for being here. Miss Tavenner, a question for you about the Oregon exchange. The American taxpayers put in 304 million to develop that state exchange. Now they want to come over and make a transition. Did you or anybody at CMS conduct a cost benefit analysis to determine that the switch to the federal exchange was the most cost effective for the taxpayers? Yes, sir. We did an analysis of what it would cost for us to bring in there's two additional states we're bringing in this year, Nevada and Oregon. And we did I wouldn't say it would be a sophisticated analysis, but we did a cost analysis. As you might imagine, we already have 36 states in the exchange and adding two more is cost effective. Could you share that analysis with us? Is that something you could provide to us? Certainly. What is the additional cost? I don't have that in front of me. But I'm happy to get it for you. What is a good time when would I raise the flag and say, that's been long enough? Can you give me a sense of the time? We should be able to get you that in a few days. Very good. I appreciate that. It's part of our bill that's ongoing.
A few more questions about that. What's being done to claw back there's 304 million. Is that money all gone? Is there some of that coming back? Is somebody going to jail? What's going on with it? Each state again I want to talk about Oregon. That seems to be the most egregious. I think Oregon has very actively gone after their contractor. I think that's been in the press. But I'm happy to get you more details. What's the federal government doing? It was federal taxpayer dollars, correct, that went into it? Yes. These were grants awarded to states. The contract is between the state and the contractor, so the states are working on that initially. CMS, Health and Human Services, Department of Justice, the federal government, pick your entity, we're doing nothing to claw those back claw back those dollars? Ultimately, I think it's a little early in the decision-making right now. States are going on the basis of individual contracts. But the federal taxpayers give 304 million and we just say, well, it's up to Oregon to figure out what to do? We are obviously working with the states. When we gave these grants, was there no condition or expectation that it would work? Was there a deal that said that we literally hand them over the money and we don't care what happens? I mean, it ultimately didn't work, correct? What we did are a series of progress reports and requirements with the states. I'm happy to get you that information as well. Let's try to get some degree of specificity. I haven't heard you say we're doing something to try to claw back nearly a third of what I said is that states are doing that. We're cooperating with states. But where is the federal government? We're cooperating with states. The contract is between the state we're just waiting for Oregon to tell us something? We're working with Oregon and other states. That's all I can say right now. Mr. Chairman, I mean, I don't know how that's what she said. It's all she's going to say. She won't answer your question.
I know. I think it's something that the Congress should legitimately look at. We give out 300-plus million dollars and we call it a day and move on? Miss Tavenner, is there any criteria or guidance for states who want to drop out and move to our exchange? Is that have you issued, or how do you evaluate those? Or do you just say yes? Well, we obviously have a list of criteria and requirements for the state to move from a state-based exchange to move to the FFM. These entities stay state-based exchanges. They can continue to do their marketing, their outreach. What we're doing is the FFM support. There are criteria they have to meet. I'm happy to share that with you. In the package yes. In a few days you will share that with me as well? I appreciate it. We have a lot of documentation. Thank you. I appreciate it. Again, for my colleagues here, I just we really have to look at this. It's stunning to think that we would hand out by the hundreds of millions of dollars to states and have no recourse. If it doesn't work, we kind of throw up our hands and say it's up to somebody else to figure it out. That's not the way we should operate. It's pretty stunning and very dissatisfying and doesn't produce results, it's not responsible, it's not accountable and very frustrating. I yield back. I thank the gentleman. We now go to the gentleman from Massachusetts who was here first, Mr. Lynch. Thank you, Mr. Chairman. I want to thank the members of the panel for your willingness to come here and help the committee with this work. Miss Tavenner, generally the way things work is that the private sector has far more resources than oftentimes our government entities, and they are better prepared, better incentivized to keep data secure. That troubles me because I see a list of I'm on the Financial Services Committee as well. And we have been dealing with Home Depot. We've been dealing with Target. We've been dealing with JPMorgan Chase, the largest bank in the United States of America.
We're still not sure about the breadth of that breach, but we're concerned about it. We have Heartland Payment Systems, 134 million people in the United States. KB Financial Group, 104 million people. Global Payment Systems, 950,000 people to 1.5 million. We're not sure yet. They even breached the Iranian banks, about 3 million people. That was probably us who did that. Morningstar, 184,000 people. Citigroup, 360,000 people. So you have all these big firms, especially JPMorgan Chase, they've got some very, very smart people. They have an extreme financial interest as well as a reputational interest to hang on to that data. So I'm just worried with the sort of the botched rollout, the difficulty with the state exchanges, including my state of Massachusetts, we've had a bunch of data breaches related to health care. Are you sure that you can sit here under oath today and tell me that nobody's breached the healthcare.gov site and that the folks whose healthcare information, tax information, personal information, that it remains secure today as we sit here? Let me answer that in a couple of ways. I will go back to the chairman's point about transparency as well. I dare say, there's very little that concerns me more on a daily basis than the security of this website for a host of reasons. It's a new project. It's been very, very visible in the press on a daily, if not hourly basis. And we did have the difficulty in the rollout. We have even within our limited resources spent a great deal of time and money securing the website. We've been able to meet FISMA standards, OMB standards, HIPAA standards. But I will always worry about the safety and security of the website. We talked about the earlier incident with the malware. Yesterday, I was informed of another case not related to healthcare.gov, but an independent site, if you will, that was working with the cloud, with website material, where there was another malware incident. Now, there was no personal information.
This is something that I don't even have the details of. But these are the types of things that worry me every day. We meet about security weekly. We review yeah. I'm not hearing the answer to my question. I appreciate all of that, believe me, I really do. But I only have a minute left. I think you're going to burn all my time here. So there's no guarantee that there's been no breach? I don't want to put it that way. You don't seem to be able to give me a guarantee that we have had no malicious breach. No breach of personal information. That's fair enough. One of the problems we're having with our credit card issuers I'm just using this as an analogy that for them, that is a you know, that's product. They sell information, I think. Sometimes by selling it, they bring on the breach themselves. They also compile it so that these credit card companies have 15, 20 years' worth of data there all sitting there waiting to be hacked. So my purchases at Home Depot 10, 15 years ago, are still part of that data grouping. Do we do anything to put firewalls up so that there if there is a breach of the medical information, that we can somehow limit the damage? First of all, yes, part of it is the design of the system. If you remember the hub, no information is stored on the hub. So that was one step. Second, we do not keep any medical information. There is some personal information, but we don't have the need for medical information. So that's not stored within the FFM. The only thing that's stored in the FFM itself separate from the hub is the ability to work appeals of cases for people who say, I didn't get a tax credit, I should have gotten a tax credit. So we keep it minimal. But we do have it in storage. Is that tax information in there? No. There's not tax information. There can be sometimes people can state their income. But there's not tax information. Okay. All right. My time has expired. Thank you for your indulgence, Mr. Chairman. Thank you. Thanks for a good round of questioning.
We now go to Mr. Meadows. Thank you, Mr. Chairman. I'm over here. I want to go ahead I will speed through some of these questions. Miss Tavenner, can you confirm that CMS will not change their open enrollment dates? I know we had so many different dates that changed before. Can you confirm to the American people and really to the providers that those open enrollment dates will not move? The open enrollment date for this year is November 15 through February 15. Those will stay firm? Yes, sir. No changes? No changes. They can count on it. Okay. That's good news. How about window shopping? Last time, you actually had to enroll, put your I had to go on, when I was shopping, I actually had to sign up to be able to figure out what I wanted is that going to be available? Window shopping will be available. You would not have to sign up this year. We will be able to compare plans? That's right. Without having to put any personal data? Yes, sir. Okay. Great. So let me go a little bit further into this. Bryan Sivak has shared testimony here with this committee. Are you familiar with who he is, at HHS? I know who Bryan is, yes. All right. Let me read when we were looking at the rollout, he said, to your question, this was him in an email. So to your question, how am I feeling about the launch? Not good. Kind of heartbroken, actually. Whatever launches, if functional, will only technically meet the criteria of launching the exchange. It will be riddled with hard-to-use compromises, but I really don't know. I'm not seeing anything that's being delivered. It's just piecing things together, kind of through the grapevine. So there was not a real communication going on between CMS and HHS through the whole healthcare.gov launch? I'm not familiar with that email. At least I don't think I am. I guess the question was, was there a whole lot of coordination between HHS and CMS technology people going through?
Because I've been led to believe that HHS only found out really what was going on through informants. Well, we did weekly updates with HHS. They didn't have to have informants to find out what's going on? I can't remember if Bryan was in those meetings or not. But I wouldn't think they would need informants. Okay. Did Bryan recommend to you that the website launch should be delayed because of security testing concerns? Bryan did not recommend to me that the launch should be delayed. Bryan did discuss because he shared with the committee that he did, so, are you sure that he did not say that we should not delay the launch because of security concerns? I think I need to finish my sentence. My apologies. That's all right. The rest of that sentence was, there was a discussion about would it be possible to beta test or launch a few states as opposed to bringing up the entire FFM. And I and the team did not think that was possible. And why did you not follow his advice? About the beta site? Well, about delaying? I mean, you say beta site. I say delay. But whether you're right or I'm right, why did you not follow his advice? Well, I didn't think it was possible the way the FFM was configured to do that, nor did I think it was necessary. Okay. You shared your testimony, earlier you shared your resume. What part of your resume included I.T. background? That was his expertise. You sounded like you're a health care provider, not an I.T. expert. I am a health care provider. I have become more of an I.T. expert in the last year. This was in January, what particular point did your I.T. expert outweigh his? Actually, taking the recommendations of our I.T. expert team inside CMS, as well as our CMS contractors, who I felt were a lot closer to this issue than Bryan. Okay. So, now we can look backwards and realize that the rollout was a disaster. So, what do you think of your I.T. expertise within CMS today? Was Bryan right? We should have delayed it?
I don't know that Bryan was right. I know that was he closer to right than your team? Not necessarily. I know that we have come a long way in our launch. And as I said earlier, we have 7.3 million people paying premiums I didn't ask how many had signed up. This is about security. And he had a concern in January about security. And yet you ignored his advice. Why would that have been? Because I had my own I.T. team who conveyed to me that they were confident in the project. I yield back. I'm out of time. If any of the other witnesses want to comment on the gentleman's question about a year ago, was the site ready, and should it have launched in retrospect? I would just say that at the time it was launched, that CMS did accept increased risk, from a security perspective. I'm not having reviewed the data that the CMS I.T. team, I wouldn't feel confident commenting on that. It's very difficult as a third-party partner to make that assessment without the actual knowledge and data. As a former businessman, I would say that a site that couldn't accommodate a few hundred people simultaneously signing on, and people waiting for weeks or months, security wasn't the reason that that should not have launched. But I appreciate that you're here on security today. The gentlelady from New York, a place where I.T. comes first for many of her constituents is recognized for five minutes. That's true. And that's true of the West Coast, too. I just want to note that this is the committee's 29th hearing on the Affordable Care Act. And the sixth on the website. Oh, come on, please. I want to focus on some very positive things. And that's the cost growth is slowing to historic lows and that was one of the huge challenges that we confronted the whole time that I've been in Congress, is the just the whopping cost in health care in our country.
Now, contrary to some of my colleagues' claims that the Affordable Care Act is causing health care costs to skyrocket, there have been multiple reports recently that show that the growth of health care spending in the United States is slowing to historically low levels. And that is good news for everyone. Administrator Tavenner, earlier this year, the Centers for Medicare and Medicaid Services issued its National Health Expenditure report. Are you familiar with that report? I am familiar with that report. Well, the report found that national health spending grew by just 3.7% in 2012, a near record low, and the fourth consecutive year of slow growth of health care costs. In your opinion, what factors are driving this historically low rate of growth? And I'd like the others to chime in, too, if you would like to add to her response. I think that we all felt it was a combination of things. Certainly, the recession early on, but as time went by and we continued to see this historic low growth, I think some of the actions in the Affordable Care Act have made a difference. And it's an ongoing conversation I have with my actuary, and I think he would agree if he were sitting with me that it's both, that the Affordable Care Act has made a difference. It's an ongoing conversation and he would agree that it's both. But the Affordable Care Act has made a difference. That was outside the scope of my review. That is something I have not been involved in as the director of US-CERT. Okay. Fine. Earlier this month, CMS released its National Health Expenditure projections for 2013 through 2023. And according to these estimates, national health expenditures grew just 3.6% in 2013, is that correct? I believe that is. This is the lowest rate of growth since the federal government began keeping such statistics since 1960. I would call this a very positive development in public policy. Would you agree? I would totally agree. What about the next ten years?
We are always looking ahead. I know CMS projects an uptick in health spending overall due to the large number of people who are newly insured through the Affordable Care Act. But what about per-enrollee health costs? So, going back to that report, I think the trend is expected to move back up, with the number of individuals in Medicare, and others. But I think that stresses the importance of our success in tying together delivery system reform, payment and quality, and why that works is critical that that continue. Well, why will they grow more slowly than before the Affordable Care Act? I think because of some of the measures we put in place because of the Affordable Care Act, tying payment to outcome, transforming delivery system, which is a work in progress. Now, the Kaiser Family Foundation recently released an annual employee health benefit survey. And this report indicates that the slowdown in health spending also extends to employer-sponsored insurance. More good news. According to Kaiser, premiums in employer-sponsored health plans grew only 3% in 2012. So, I would like to ask you, that's tied for the lowest rate of growth since Kaiser started measuring the growth of employer health care plans. Do you agree with that? Do you agree with the Kaiser report with the data you've been looking at? I reviewed the Kaiser report, employer insurance tends to see what we are following in Medicare and Medicare. Yes. This seems to be very good news for the American consumers and our overall delivery of health care service. So I'm very pleased with these reports. And what do they say, numbers don't lie. And the numbers are showing that it's showing an improvement. I want to congratulate you and your colleagues for your work to help bring this to the American people. Thank you. Thank you. The gentlelady from California, Ms. Speier. Mr. Chairman, thank you. I thank you to our witnesses. First of all, I would like to congratulate you.
You have lived through the real-life survivor show, and have succeeded. I find the fact that we have engaged in the most thorough, repetitive review of the ACA as an incredible waste of your time. Now, there's a lot of good news, as my good colleague from New York has just underscored. And it's really quite interesting to me that for the longest time, there were all those who were panning the Affordable Care Act saying, we'll never get the numbers. And lo and behold, you announced it earlier, Miss Tavenner, I believe, over 7.3 million subscribers, correct? Then the hue and cry was we won't pay for it, pay for one month and won't pay any longer and it will fall on its face. That hasn't been the case either, has it? No, ma'am. The chairman of the committee and a number of Republicans just sent you a letter and I want to read it out loud, one segment of it. In order to enroll beneficiaries in the exchange, healthcare.gov collects, obtains and retains massive amounts of personally identifiable information about millions of Americans. This information includes Social Security numbers, personal addresses, income and employment records and tax return records. It is extremely important that CMS and the other federal agencies involved in the exchanges properly protect and maintain this sensitive information. Now, I actually agree with that statement and I presume you agree with that statement? Yes, I do. And having agreed with that statement, have you, to date, had any cyber attacks that have resulted in any personally identifiable information being stolen? We have not had any malicious attacks on the site that have resulted in personal identification being stolen. As the chairman rightfully brought up earlier, we did have some technical issues on the front end that we had, that were of our own doing. That's right. But we're in the present day and let's look to where we are and where we're going. Okay.
Now, meanwhile, Target security breach included 110 million Americans potentially affected. That's 110 million. You're certainly aware of that? Yes, I am. So my staff checked the U.S. Census website, and said the total population in the United States is 319 million. So, more than a third of Americans potentially had their personally identifiable information breached, stolen, as a result of that Target data breach. But strangely, there wasn't any interest by this committee to have a hearing on that. Affecting potentially a third of the American people. See, 110 million people affected, no hearing. Zero people affected, and we've had dozens of hearings. It seems like our priorities are not quite on what the American people would be interested in. Now, we do know as a result of Target that the hacking came from outside this country, it appears it came from Russia or from some region near there. And rather than trying to find out where these hackers are coming from and how we can forestall them, we are going to waste more of your time asking you a number of questions about issues that haven't even impacted. Now, some would say, well, except that's private business. Well, how about USIS? They have a contract with the federal government. It does security checks and 27,000 people have had their personal information stolen from USIS, a federal contractor and have we had a hearing on that? Nope. Appears that's not important either. So, I want to just commend you all for recognizing that you have to do this no matter what, come to these committee hearings, you do it with great respect and we appreciate that. I hope we can send you back to do the work that the American people would like you to do and I yield back. I'll take my time now. We now recognize the gentleman from Maryland for five minutes. I want to thank all of you for being here today as we come to the end of this hearing. I just you may, Ms.
Tavenner and others, you may never hear the full thank-yous of people who are going to stay alive because of what you and your colleagues have done. And I really mean that. There are people there's a mother who's now going to be alive, that may have been suffering from cancer, breast cancer, like the lady in my district. Couldn't get treatment. But she's alive, she got treatment. I have a sister that does a lot in the area of breast cancer, and they were waiting they had women who had been tested, and they were waiting for the Affordable Care Act to pass, and come into effect, so they could get treatment. I have come to you today and to your colleagues to thank you. I tell the story that when the Affordable Care Act came up, I had one prayer, I came to the floor early, I sat on the front row, and I had one prayer. I said, God, do not let me die before I vote for it. The reason why I said that is because I've seen so many people who were sick and could not get well. You know, Johns Hopkins is smack dab in the middle of my district. A great hospital. One of the greatest in the world. People fly from all over the world to come to Johns Hopkins. And there are people standing on the outside, could not get in, but the treatment was in there. And so, you know, I know your colleagues are looking on, and I know they've been through a lot. And I remember when we had the website problem, and many were saying, oh, we can never get through this, so, you know, this is just so horrible. And everybody was warning that everything would collapse. But you know what I said? This is a can-do nation. This is a can-do nation. And we need to definitely do when it comes to the health of every single American. And I listened to what you said a moment ago about how, day after day, you worry about making sure that people's information is protected.
We could not pay you enough or pay your colleagues enough to go through what they have been through and to worry as you have worried and to do everything in your power to be protective of the American people. And yeah, you're gonna be criticized. Yeah, folks are gonna try to do and say all kinds of things about you. But I have come here at this moment to simply say thank you. Thank you for my constituents. Thank you for constituents our constituents all over this country. And, you know, sometimes I think about illness, and a lot of people I wonder if people had not been ill themselves when they see other people in the position of getting sick, or sicker, and dying. I wonder whether or not they have ever been ill. And that troubles me. Because I think President Obama said it best, and I wish I had coined this phrase myself. He said, sometimes we have an empathy deficit. An empathy deficit. And so I take this moment to thank you, and I just have a few questions. I'd like to ask you about the attack by the hackers last summer against healthcare.gov. It was my understanding that this attack was not limited to healthcare.gov alone, but included a broader universe of targets, is that right? Based upon the analysis that our team did, it was a typical kind of malware that's dropped for denial-of-service attacks. They were trying to create a botnet for attacks. Yes, they look at resource servers like this, to use them for those types of attacks. And the hackers were able to place malware on a server, but it was a test server that did not have any personal information, is that correct? Based upon the analysis that our team was doing, it was a test configuration. It meant that the default password hadn't been updated. I have two more questions. As I understand it, the type of malware in issue is called denial-of-service malware, which is designed to slow down or even shut down the system, but not extract information, is that right? Correct.
The malware is to use the resource of the server as part of this botnet. It wasn't targeting the server, it was using the resource of the server as a part of a botnet for another victim. How common are these attacks? Very frequently. They happen every day across the globe on the internet. So the bottom line is that at least as of now, no personal information was transmitted outside the agency, is that right? Correct. The breach was discovered by CMS, and alerted to us. We looked at the images that were provided. There was no loss of PII, or loss of data. This is a test network separate from the production network. So there was no lateral movement into the production associated with this activity. Thank you. Thank you. I guess I've still got more questions. But let me just make some statements, and then I'll ask a couple more questions. You know, Miss Speier has left, and it's unfortunate, because Mr. Lynch was here earlier. When this was all being said about, when are we going to hold all kinds of hearings, they forgot there's a committee, the Financial Services Committee, and they've held hearings because they oversee the financial community, meaning Home Depot, Target, these other companies they're referring to, these fall under that committee's prior oversight, because these were financial transaction related. My staff also mentions that the Federal Trade Commission, the Department of Justice, the CFPB and FDIC also are looking into each and every one of those. So with tens of millions of dollars, countless agencies and individuals looking at each of these, the question is, Ms. Tavenner, who's been looking at you? Mr. Wilshusen, in a nutshell, one of the things that you said at the beginning was, they didn't have strong passwords. So somebody could put in a short password and not change it. Is that correct? That's correct. We identified several technical security control weaknesses with healthcare.gov.
So it created a huge vulnerability, especially if they had a high level of access, is that right? If they used a weak password that would be easily guessed, that would be increased risk. So Marilyn and her birthday, if that had been used, certainly would have been tried. Did they have advance lockout systems and detection in reporting? One of the things I don't want to get too detailed into the types of security controls so we don't give any information we don't want to tell how weak it still is, I understand that. So I'll be a little careful on that. But there are techniques that if they were in place, would have been much more secure? Sure. The weaknesses that we identify are all can be corrected. And resolved almost immediately. So what you found a year into this site was, they were not using best practices? We identified several weaknesses that increased the risk, and unnecessarily increased preventable risk. We pay huge premium for CIOs, we, the Congress, have authorized special high pay, quarter of a million dollars and more, to get special people with expertise. We've had some of them before this committee. You're telling us a year into this site, they simply have not put in what people would consider best practices in some cases, such as a requirement for strong password, and periodic changing of them and lack of redundancy on passwords, common things that protect sites, right? Those things should be done, yes. What's amazing is Target and Home Depot had those kind of protections, but there was a malicious attack from a foreign nation with advanced tools. Some of those tools being the exact tools that our CIA and NSA use to go after the worst of the worst and we succeed all the time.
So what I'm finding here today is, is that everyone wants to talk about organizations that employed in many cases best practices that did their best and then were targeted by very advanced networks, criminal networks, networks that may even have had the KGB successor helping them attack. And they want to talk about those, rather than a lack of common-sense, simple practices to secure a website, isn't that true? I would say that probably the majority of federal incidents that occur within the federal government could be resolved, perhaps prevented if agencies practiced strong cybersecurity. There's always going to be a risk that you come across, an entity, a foreign intelligence service that has very sophisticated techniques that may be difficult to protect against. At least to prevent. But by and large, many security incidents could be corrected, and prevented, if the agencies practice strong security controls. Even without seeing the 13 compromises that occurred, you were able to make and CMS accepted a lot of suggestions that are improving the site here today? Yes, we looked at the security controls over those devices that we looked at. And identified vulnerabilities that could be corrected. CMS concurred with each of the 22 technical recommendations that were made. So all of the talk about this robust team, all of those experts brought in from Silicon Valley, special people that worked on the president's reelection, all those people had missed those 22 points? That, I can't answer in terms of but when you suggested these, did they say, oh, we were already doing them, we just forgot? Or did they say, we weren't doing them and now we will? We identified them during the course of our review and they've accepted our findings and indicated they will implement our recommendations. You're very kind. Would the gentleman yield for one quick point? Go ahead.
A lot has been talked about in terms of the different sites and Home Depot and Target, and I was one of those that shopped at Target and I have a new credit card today. There are two distinct differences. One is, I'm not compelled by law to shop at Target. I am compelled by law to sign up for Obamacare. There's a huge difference. Mr. Chairman, what happens is, those are voluntary transactions. Of which I don't have to give my Social Security number to them. I give them a credit card and I do a transaction. It's very different for healthcare.gov. I thank the gentleman. We now go to the gentlelady for New Mexico. Mr. Chairman, thank you very much for recognizing me. I want to thank the panel here today. And I share many of my colleagues' concerns that we should be doing the very best to protect information, and certainly we've led in the private sector world with HIPAA and related requirements. Security protections, and working diligently and tirelessly to make sure that patient protection, patient privacy, and now financial information must be protected. And I think that the point is important that every person must sign up and be insured through the Affordable Care Act. And I want to just read this. Because I think it bears in the context of this hearing, I think it bears repeating. So in GAO, in the March 2013 report, found that the federal government continues to face cybersecurity challenges, including designing and implementing risk-based cybersecurity programs at federal agencies, establishing and identifying standards for critical infrastructures, and detecting and responding to and mitigating cyber incidents. And since that report, we've got 28 GAO additional recommendations. And I know we've been talking about them today in this hearing. GAO has designated security as a high-risk area in the federal government since 1997.
And I think that there isn't anyone in this committee, or anyone in Congress or the public that doesn't think that more should be done, and that in fact we embrace every potential positive productive, professional recommendation moving forward. And so given that, Ms. Tavenner, knowing that the upcoming November open enrollment period is coming for millions of Americans, who will be shopping on the exchanges, how prepared are you to take these 28 recommendations and others to assure protection? Yes, ma'am. Let me start with the 22 technical recommendations. 19 of those have been resolved, fully mitigated, or will be further reviewed prior to open enrollment. So those will be handled. Of the six other recommendations, we are in the process of either completing we have completed those, or will complete those prior to open enrollment. And based on the 19 you've identified, Miss Tavenner, and the remaining measures to implement, you are confident that not only are they implemented, but they're tested and will have to the greatest degree I mean, I might disagree with some of my colleagues that we can do everything in our power, and those hostile, those negative, those who intend us harm and access that information, for their own gain, will find ways to do that. I want to make sure that we're doing everything that we know that mitigates and prevents and gives us the opportunity to also detect when there's been a problem. You're confident that these will be tested and in place by the open enrollment period? I am confident. But we will never quit continuing to try to improve the process. Our work with the Department of Homeland Security, our work with GAO, OIG, will always be looking for improvements. I appreciate that. And given that we're working on another issue in my state, I appreciate your attention to that. And your coming, Mr. Chairman, we're working on a behavioral health issue.
It all ties to make sure consumers have confidence that they're protected in a way that CMS is responsible to protect those citizens. That they are clear that your responsibility and oversight is paramount to the work that you do. And that the access to health care is only as good as making sure that the information and the protections that are required by law are in fact in place, and that they can go to CMS when there's a problem and have that resolved objectively and appropriately. I really appreciate your attention to all of those matters. Thank you. I yield. I just want to make sure that I understood what you just said. And I agree with every word that my colleague just said. But you're saying there's six recommendations left, is that right? Sorry, sir. There were six major and please correct me, Greg, if I get any of this wrong. There were six major recommendations and we're in the process of completing those. And some of them are done and the answer to those is all of them would be done prior to open enrollment. And open enrollment starts when? November 15th. So we can would you let us know officially when they are done? Yes, sir. To the chairman and myself? Yes, sir. I'd really appreciate that. Yes, sir. The earlier report was you didn't agree to all six, but now you will agree to all six? I think in some of them we partially concurred. Whether we totally agreed or not, I think there were some things, for instance, there was a different description of how we did security testing versus what GAO wanted. That wasn't necessarily going to change, but we understand where they're coming from. We just have a different way of getting the security testing done. The rest of these things, such as the privacy impact statement, we will have that done. That was a documentation issue. The computer matching agreements, we'll agree with that and get that in place prior to open enrollment. Also, security agreement, we'll complete that.
Of the 22 technical recommendations, 19, we've already done. The others, we're reviewing. And I'll be happy to do something in writing back to the chairman and to the rank... I think we both would appreciate it. Gentleman from North Carolina? I wanted to follow up on one thing. Really, as we start to focus on some of these other issues it takes our eye off of the core issue and that's providing health care to the American public. I can tell that you take that seriously. It is a distraction, to say the least, when we have a billion dollars spent on a web site that doesn't work, security issues that are there. But along that same time, there was a rule that came out with regards to Medicare Part D in January. A rule that would limit some of the options of our seniors. A rule that you came, much to your credit, and said we're not going to do. And I want to say thank you for doing that. On behalf of millions of senior citizens who would have seen choices limited. Do I have your assurances here today that we are not going to put forth a rule that is similar in nature to that rule that was brought back? I very rarely have an opportunity to have you in a public forum under oath. So, on behalf of millions of Americans, do I have your assurances that we're not going to do it? I think you made a good deposition exhibit. I think you made a good decision. My mom, who's a senior citizen, thinks that you made a good decision. Do we have your assurances that you're not bringing back a similar rule? I'm not interested in bringing back a similar rule. So that's close. Do I have your assurances? You have my assurance that I won't bring back what I just pulled. Or something similar? Or something similar. Let me tell you the reason why. It gets back to CBO indicates that much of the reason it is working so well is the competitive nature that we have. I mean, that's what the study says. And, yet, we're going to limit competition. We're going to limit options for our seniors.
Some cancer, some antidepressants, some antiepileptic. These are serious things. So you and I can banter back and forth, but, really, what I need, is on behalf of the American people, your assurances here today that that's not going to happen. Now you're bringing specifics. I'm not interested in bringing back the drug categories, if that's the question. I am not interested in bringing that back. I am interested in promoting competition. Promoting private market. And I think we've tried to do that with the marketplace rules, as well. So we're not going to limit competition. And we're not going to narrow what people can get? That would be my preference, yes, sir. That's your assurance. That's my assurance. All right. Thank you. I yield back. Could you yield to me? Sure. I'd be glad. Briefly, item four from the GAO says perform a comprehensive security assessment of the FFM including the infrastructure platform. Now, initially, that was one you said no to. Are you saying you will perform that full system-wide test and have it done by November 15th? That's sort of the one that GAO couldn't, we can't know what you don't know until you do that, is that right? The mec. We get into discussion of style here. It is our intention, and we will complete a full, end-to-end assessment, security assessment, prior to open enrollment, yes, sir. That's scheduled for later this month or October. I think where we got into a different kind of instruction had to do with infrastructure and platform definitions. Why don't we let Greg, if you would, give the rest of it. It's how the phase and the operating platforms and the infrastructure to look at it in totality is going to be critical. Certain vulnerabilities on certain levels could affect the security of the other components of it because there are a number of components involved with this web site and its supporting systems and a number of different entities involved.
So for the layperson out there, would it be fair to say that, for example, when software opens a portal on a particular piece of equipment, that that can create a vulnerability in one type of hardware that it wouldn't in another? That that's the kind of thing that they have to look at. The actual hardware they're using, what it interfaces with, is that right? Including looking at the firewalls and routers that support it and the operating systems and how they're being configured, yes, sir. And I suppose any VPNs or any of that would be part of it. All it takes, if I understand right, is one PC that has a VPN connection that isn't in the software but once you put it in, it can create a separate vulnerability, right? And that's what you're looking for. So if I saw the heads nod, and I like that, the two of you are, one of you is going to come back to the Ranking Member and myself, if this agreement that you're going to do that by November 15th doesn't happen. Is that right? Maybe both of you? I'd be willing to work with your staff to do some follow up work. I think that's all Mr. Cummings and I would like to know. If that stops between now and November 15th, one of you will tell us. Yes, sir. Mr. Cummings? I mean, I'm going to encourage you to do that. Just do it, please. We will do that. And I'm not trying to be smart. I mean I know that and all of you. I know you're trying to do what's in the best interest of the American people. I understand that. But it seems as if what we want is the highest level of best practice. Am I right? The highest level? Absolutely. I couldn't help it. When I was thanking you on behalf of my constituents, I could see a tear well up in your eye. So often, I think, federal employees, a lot of people don't realize that a lot of our employees, most of them, are not in government for the money.
They're in it, and I have people coming trying to work for our committee all of the time who are willing to take reduction of salaries from the private sector because it's something about this that feeds their souls. Something about lifting up the public and making their lives better. So for all the federal employees who may be listening, the ones behind me and in the audience and up here. I just want to thank you very much. Thank you. Thank you. And I understand the gentlelady from New Mexico, did you have any follow up questions? Mr. Chairman, I don't. And I appreciate you and the chairman and the Ranking Member to make sure we get feedback. They represented very effectively all of my concerns and points so thank you so much for my leadership. Thank you. I've got a couple very quick wrap ups that came out of these. Big smile because we're nearing the end. There was a question about more people being insured. And I'd just have to ask, is Medicaid insurance? In my opinion, Medicaid is insurance, for sure. But that was not, but the actual level of insurance under Medicaid that ifgs tai was talking about is it's Medicaid insurance. That's what's lowering the number of insured is Medicaid? Plus the marketplace. Both are lowered. Which is subsidies, primarily. The actual number of people who are receiving unsubsidized health care has gone down, is that right? You know, actually, the number of people insured off the exchange without subsidy is also rising. I don't have the latest private insurance. It's been going on for the last ten years and that seems to have kind of stabilized out. If you have Medicaid and you have the marketplace exchange with or without subsidy, I think that's what you're seeing. Those questions led to a fact that everything is better. He projected that by 2021, the impact of the Affordable Care Act will be a 346527 billion increase in the deficit. Essentially because the government is going to pay that 190 for Medicaid.
The government is going to provide those subsidies and the government is, in fact, the taxpayer. So the deficit will rise based on the money that buys that insurance. Is that true? I am not familiar with that report. But general tax revenues are, in fact, paying for the subsidies and Medicaid. It doesn't come out of a trust fund. Medicaid is ordinary income tax. Is that correct? I'm sure that you know that, Mr. Chairman. I don't. For the record, Medicaid is paid out of income tax and much of Medicare is paid out of income tax. That the trust fund, when we talk about it, pays only a small part of what our seniors reflect. Now, I have really the final question, and it's one that deeply concerns me and it wasn't the main topic today, but it's right in your lane. On May 15th, you projected 8 million as an enrollment number. August, it's 7.3, what happened to that 700-800,000 people? The 8 million individuals, and I think that number was, after the end of open enrollment, had signed up. And I think during the course of the next several months, individuals may have either gotten employer-sponsored insurance, they may have found they were eligible for Medicaid instead of the marketplace. And some individuals may have decided to not go forward and pay. That's a great question and the reason I'll ask that question is people asserting that signing up meant nothing and paying meant everything. How much of that 700,000 plus drop did not pay? Wouldn't it be all of those people did not pay? I don't think we'll know that until the end of the year. But let me ask the question a different way, because, you know, I'm an old businessman. People signed up. They were therefore insured; is that correct? They enrolled, they were insured? These are people who signed up for a plan. But in order to get insured, you had to make a payment. No, they were insured right away. And then if they didn't make the payment, they went off. After 90 days, right. So they basically got a free ride.
700,000 people got a free ride. So they had coverage. And if something catastrophic happened, they could make a payment. If something catastrophic didn't happen, they could just let it drop. Sorry. I don't think we know that information. No, this is a structural question that I know you must know or the technical people behind you must know. If 8 million people sign up, let's just say 8 million people sign up and not the 700,000 who dropped, but let's just say 50 people out of 8 million had a health event. Did they get to go to the doctor during that 90 days because they had signed up and hadn't yet paid? Yes. The system as it is today is an incredibly, easily gamed system, if I understand correctly. 316 million Americans could all sign up and get 90 days worth of free insurance. And if nothing happens, there's no downside that they're just letting it lapse by not making a payment. Is that right? You don't go after them. You don't follow up. You don't sue them for the coverage they had but never paid for, do you? Which I think is why it's important to know as of August, 7.3 million were making their payments. 7.3 million people may have made small payments because they were subsidized. Are you prepared to release those figures of the 7.3 million, how many of them were completely unsubsidized, how many were partially subsidized? Yes, we will be able to talk about that. Estimate when? I don't have an estimate, but I'm happy to get that for you. Okay. Being an old businessman, I must admit that giving people 90 days free and no retrospective look, to me, your initial numbers are of no value. We don't know how many people signed up, but next year, I'm presuming if GAO is going to estimate the sign ups, they're going to be only use, if they get 8 million again, they can assume that 7.3 is the net number? I think 7.3 is a really strong number. Those individuals who sign up and get tax credits still have a reconciliation process next April, right?
Yeah, we're looking forward to that part to see if there's a clawback. My parting question, this committee held a hearing. And the issue of over 15 billion owed to the American people by the state of New York for excess payments in violation of the law. And violation of CMS maximums. That falls under your watch. Have you done anything to reclaim that 15 billion? Yes, sir, we have. And have you gotten any of it back? Senator, we recently initiated that. I don't think we have gotten any of it back yet, but we sent, basically, the request for recovery. You've made a request for recovery? We follow our normal process. Do you have the authority to simply withhold the way you would to a private entity? If I'm a doctor and I overbill 15 billion, or maybe some amount less than that if I'm less hard working, the first thing you would do is cut off services. You're sending millions or billions of dollars to New York every month, aren't you? So I can brief you or your team on this in some detail. Initially, what we would do, whether it's a doctor or an entity or whatever, we ask them how they would like to repay us. I wish that were true. I've had too many health care entities who make it very clear, your people come in, you make a determination, the moment you make a determination, they basically have to quit their practices and go into an appeal process. And, in the meantime, they're not receiving a penny and you clawback. So you want to state that in a way that the private sector people don't call me up and say how did you let her say that you give people lots of time and ask them how they like to repay it? I think you know I was on that private sector for quite a period of time. So if there is a question of overpayment, yes, CMS will make you aware of an overpayment situation. And then clawback real fast. Unless you want to pay them up front. If you're able to write a 15 billion check, they won't hold back the revenue. Is New York able to give you a 15 billion check?
I can't speak for New York. So New York and perhaps others owe the American people for services. 15 billion is a lot of. Actually, we went through the first year and made a request or demand for the money and I'm happy to brief your staff on that. Will the gentleman yield? Sure. You have hit on an area with a number of meetings that we have had already. And I would implore you to treat New York the same way you're treating the constituents in my home state of North Carolina. Very quickly, what you do is you put private companies out of business because you deny the claim and you say you either pay up or you go home. And if you're not going to treat New York the same way you treat North Carolina, I've got a real issue with it. So we would treat New York the same way we treat every other state. No, I'm talking about government versus private. I'm sorry, we would treat New York the same way as anyone who owes us. Now, New York has appealed this decision, which is the same option that anyone has. Right, and a private company, when they appeal, the answer is the same. Pay up in five years or go out of business. I mean, the statute says 60 months. I know, we have treated states the same way we treat providers. So they're going to have to pay up in 60 months. I yield back. I thank you both and it will go to the Ranking Member. I appreciate your staff's assistance. It wasn't the main subject for today. Mr. Cummings? I want to go back to the 7.3 million people who paid their premiums and I guess around 700,000 who did not. A lot of people in our society are struggling with all kinds of things. You talked about a reconciliation process. Can you talk about that for a moment? The way that it works, individuals, the 90 day grace period is set up to give individuals an opportunity to pay. At the same time, they start to receive tax credits. These tax credits are reconciled the next year on their income tax returns.
If people have underpaid on their APTC, then they are likely to get a tax credit back. If they have over, meaning if they've received a higher APTC than intended based on their income, they may owe the federal government money back. And that's part of the partnership we have with IRS. I don't think that the 700,000 is, in fact, I was very pleased to know that we have payment levels of 90. This is a brand new program. This has never been done before. I expect in some cases they may have moved. They may have gotten married. They may have gotten insured. They may have lost their income and gone on Medicaid or into the uninsured ranks. You will only know that as we look back and we were careful not to look back too early. These are people not necessarily trying to game the system. I see folks every day that they're still being informed as to what the Affordable Care is all about, Act is all about, and trying to make it, one singer says working 9 to 5 just to stay alive. But in my district, sometimes it's working two jobs just to stay alive. So they're struggling. Trying to manage all of this information. Trying to do the best they can to take care of their families and many of them going through some very difficult circumstances. That's right. All right. Thank you very much. Thank you. The gentleman from Virginia, normally the first to arrive, we've just finished round three and the close. Would the gentleman have some questions? I thank the chairman. I was on the House Foreign Affairs Committee with Secretary of State. Forgive me for being late. I'm sure the questions there were provocative, so yes. Welcome to the panel. Mr. Wilshusen, would it be unreasonable of us to suggest that no company, no government, no individual should feel entirely secure and safe in the digital age?
I would say referring to use of unknown transactions on the internet and the like that there are certainly risks and the nature of the internet as well as the competency and prevalence of hackers who might wish to exploit with those weaknesses. The issue of securing public and private information systems, I assume is not something unique? No, there's always a need to protect that information. And, certainly, as we mentioned earlier, the federal government has been identifying high risk since 1997. Right. Two administrations ago. Probably. Right. Ms. Tavenner, hello. And welcome to our committee. I welcome you and thank you for your work. Let me ask you a question, one of the things we hear about the roll out of the web site in retrospect, the coordination is seen as a technical issue while CMS and the Department of Health and Human Services with the reform and the bigger pieces and maybe this got short shrift. And it turned out to be the Achilles heel. The whole enterprise was at risk because of this failure, which was a technology issue. Looking back on it, what lessons did you learn? Some of the lessons learned and changes that you made early on in year one but definitely for year two, is we need a systems integrator. We needed better communication. You're right, there was probably more time spent on the nontechnical components and we didn't realize the technology was as difficult as it was. So those were lessons learned. I think we've put changes in place. We are very, very happy with the number who signed up. Year two is going to be an equally hard year. Are you familiar with the act? Not completely, sir. That bill tries to get at how the government manages IT procurement and acquisition and it addresses how the federal government is managed. I think it's based on the conclusion that it's not well-managed. Is it GAO's position that we do need some reforms which was almost 20 years ago, and in technology, 20 years is light years.
Sir, that's actually outside my particular area. I focus on information security and privacy issues. But I can get that information to you. Certainly there's need for improvements and how IT is federally secured by the government. And this is an implementation issue. The House has certainly tried to address that and we've found bipartisan, common ground on these issues. I urge you to look at the bill and see how it applies to your particular area. I will. I thank you. And, Mr. Chairman, thank you for allowing a shameless plug for our legislation one more time. Well, in closing, it's not shameless, but it's a good plug. This is a committee that does legislation on a very bipartisan basis in most cases. I do think that today's hearing was worthwhile. I hope that Mr. Cummings and I both expect that there would be a little bit more certainty as to the security that would come out of the web site. CMS is critical to the American people. Your role has been expanded, perhaps more with the Affordable Care Act than any item before. Mr. Cummings often talks about the federal work force. I want to close by saying that just because we give you a hard time of item after item and what about the billions of dollars given to these states. We know it's hard. We want government to oversee itself to the greatest extent possible. And it's the reason that we do appreciate the GAO. I want to thank you for being here today. With that, Mr. Cummings gives me a yes, we stand adjourned. Affairs secretary and actor and disabled veterans advocate Gary Sinise. It is with great pleasure that we introduce our master of ceremonies, former Secretary, Department of Transportation, and former secretary advisor in Washington, D.C., the Honorable Ray LaHood. Good morning. [ applause ] Isn't this a glorious day? Made even more glorious by all of you being here. We are making history today.
Ladies and gentlemen, honored dignitaries, long time friends and family members and, of course, our very special guests, the men and women whose sacrifice on the battlefield is an eternal reminder of their service to our nation. We welcome you with the deepest of gratitude and thank you for joining us for this momentous occasion. At long last, we have arrived. [ applause ] 16 years of hard work and dedication summed up just now in our five-minute film, Vision to Reality. Isn't this a magnificent setting? Thank you to all of those who made it happen. Great care and thought has gone into the design of this sacred place. I hope you all will spend some time after the ceremony exploring the memorial's beautiful grounds. I am personally particularly inspired by these stunning glass walls. And I want you to know that several of the courageous men and women, whose words and images are displayed in the walls, are here with us today. Thank you for being here. And let's not forget while we're here, at present there are 4 million living disabled veterans. Some with physical disabilities and others with invisible disabilities such as PTSD. Those disabilities, lifelong disabilities, are a part of the ongoing cost of war. But, unfortunately, often forgotten. That's why it's imperative that this memorial be built. And here we are with a permanent reminder and tribute to the service and sacrifice of America's disabled veterans. They have honored us with their service and selfless duty. Now it is our turn to honor them with this memorial. The first of its kind to honor disabled veterans across all branches of the military and through all historic and current conflicts. Before we begin today's dedication, I'd like to introduce our guests that are with us. The Honorable Robert McDonald, Secretary of Veterans Affairs. The Honorable Sally Jewell, Secretary of the Department of Interior.
A great American, Gary Sinise, national spokesman of the Disabled Veterans' Life Memorial Foundation. Robert Vogel, superintendent of the National Mall and Memorial Parks. Michael McCoy, acting director of the National VA Chaplain Center. Representing the Disabled Veterans' Life Memorial Foundation are its passionate, hardworking board of directors who have been charged with erecting this memorial and they spent the last 16 years working on this and have given countless hours of time to ensure its successful completion. Mrs. Lois Pope,