tv   Politics Public Policy Today  CSPAN  September 24, 2014 1:00pm-3:01pm EDT

1:00 pm
did not establish a processing site for healthcare.gov systems to ensure they could be recovered in the event of a disaster. to assist cms, we made six recommendations addressing the shortcomings with the information security privacy program and 22 recommendations to resolve technical security weaknesses related to access controls and configuration management. cms concurred or partially concurred with all 28 recommendations and noted that it was taking actions to address each of them. while cms has taken important steps to apply security and privacy safeguards to healthcare.gov and its supporting systems, weaknesses remain that put these systems and the sensitive personal information they contain at an increased and unnecessary risk of compromise. mr. chairman, ranking member cummings and members of the committee, this concludes my opening statement. i would be happy to answer
1:01 pm
questions. >> thank you. >> chairman issa, ranking members cummings, members of the committee, thank you for an opportunity to be here. cms strives to be as responsive as possible. i understand that we have already provided over 140,000 pages of documents to this committee. transparency is important and that's why i'm pleased to be here today and have the opportunity to answer your questions. we will continue to produce documents. in the almost five years that i've had the privilege to work at cms, my focus has been on how we can best serve our beneficiaries, including seniors on medicare, adults and children on medicaid and chip and enrollees in the marketplace. i work to reduce cost, improve quality in ways that make a difference. we're making real and important
1:02 pm
progress. as of august 15th this year, we have 7.3 million americans enrolled in the health insurance marketplace coverage. these are individuals who have paid their premiums. we are encouraged by the numbers of consumers who have paid their premiums and continue to enroll in the coverage every day through special enrollment periods. this is the most recent count of people who have coverage throughout the marketplace. each month this number will change slightly as consumers transition in and out of coverage as their life circumstances change. everything from getting a new job to moving to a new state or becoming eligible for medicare and medicare. there's also good news about medicare. spending per medicare beneficiary is growing slower than the overall economy. the medicare trustees recently projected the trust fund that finances medicare's hospital insurance coverage will remain
1:03 pm
solvent until 2030, four years beyond what was projected just one year ago. we strive to make healthcare safer and better. the last five years, we have seen a 9% reduction in harm in hospitals such as decreased healthcare associated infections. this represents over 500,000 injuries, infections avoided. over 15,000 lives saved. approximately $4 billion in avoided cost. this adds up to better healthcare at a better price. i know that makes a real difference for real people. consumers also trust us with their personal information. and i take that trust very seriously. security and privacy are one of our highest priorities. cms has experience in operating the medicare program and its supporting systems and we successfully protect the personal information of both
1:04 pm
beneficiaries and providers. however, we must continue to be vigilant and evolve our assessment and actions to keep up with threats. consumers can use the market place with confidence that their information is safe and take comfort in knowing that no personally identifiable information has been maliciously accessed from the site. our systems are designed with security in mind and our focus on security is ongoing. it did not end when the marketplace launched. cms conducts continuous monitoring using a 24/7 multilayer professional security team and penetration testing. our systems comply with standards promulgated by the office of management and budget. there is risk inherent in any system. it's sadly a part of the cyber world in which we all live. we appreciate the work done by the gao to suggest additional controls to help us further protect against these risks and
1:05 pm
are always seeking to improve upon the security protections in place. as we look forward to our second enrollment period, our goal is to build upon this progress and to address outstanding challenges. we're working to make it as seamless as possible for people to reenroll in coverage and reinforcing our outreach to help more uninsured consumers enroll. we're making management improvements with clear accountability and are committed to being transparent. this coming year will be one of visible and continued improvement but not perfection. as problems arise, we will fix them just as we always have. throughout my career as a hospital executive nurse and public servant, my focus has been on providing people with high quality healthcare. i'm proud of the progress we have made at cms. and i hope to continue to work with congress on our efforts. thank you. >> thank you. miss barron.
1:06 pm
i will try to do better. thank you. >> chairman issa, ranking member cummings and members of congress, we are making every effort to be transparent as possible. my name is ann barron. i'm the director within the national cyber security and communications integration center, also known as nccic. we respond to major incidents, analyze threats and share critical cyber security information with trusted partners around the world. this is a 24/7 operation center and receives and analyzes hundreds of incident reports a day. we work with public and private sector partner organizations and are committed to the protection of privacy and civil liberties for all americans.
1:07 pm
we strive for a safer, stronger internet for all americans, established in 2003, we focused on securing us federal systems and networks. dhs's cyber security capabilities have grown since the establishment. we are working more closely than ever with partners across public and private sectors to develop a comprehensive picture of malicious activity. cyber security is a shared responsibility and a continuous process. our focus is helping our partners build a resilient and secure system in cyberspace. protecting our networks requires coordination across a global cyber community to enhance other's capabilities as we continue to mature our own. while dhs leads the national effort to secure federal civilian networks, agencies are supposed to take appropriate
1:08 pm
measures to secure networks. we support them in carrying out the responsibilities. i'm here in a capacity to provide findings from our analysis of the compromised test server at healthcare.gov. we were notified of an incident by cms. we concluded -- we conducted analysis of the images provided to us by cms and found evidence of malware on a test server. as stated by ranking member cummings, we concluded there was no indication of any exposure and no indication of data exfiltration. there's no evidence of movement within the network or further infection. we provided cms a report with the findings as well as mitigation recommendations. additionally, we were able to share indicators from our analysis so that agencies could protect their own
1:09 pm
networks. we are in discussions with hhs to provide further on-site support. dhs remains committed to working with its federal and private sector partners to create a safe, secure and resilient cyberspace. i look forward to answering any questions that you might have. >> thank you. i will start with you then. when did you find out you were going to appear here today? >> i believe i was informed on monday. >> when did you begin preparing for today's hearing? >> when i was informed on monday. >> okay. has cert done a security testing of healthcare.gov? >> we were provided images from cms of the compromised test servers. we provided analysis -- >> i appreciate that. the question was, has cert conducted any security testing of healthcare.gov's
1:10 pm
vulnerabilities. >> no. >> so when there has been no loss of information, if you don't know the vulnerabilities, how do you know -- how would she know that to be true? >> i believe that cms conducts their own scanning and testing. >> did you verify their scanning and testing to be sufficient? >> we would be happy to provide that information. >> did you? >> i haven't been provided any details. >> you don't know that? >> within the test network? >> it boils down to, you are here as an expert that i didn't expect from an organization that refused to give my staff any briefing related to it. >> i do apologize for that. i was under the impression that our staff was working with your staff. >> as of yesterday afternoon, they put people who didn't have technical expertise on who told us they would get back to us. that's after more than a week of information we have put in the record where we were denied that. maybe i'll go on to gao. i'm going to ask first of all your indulgence. when this hearing is over, i
1:11 pm
would like you to accept -- pardon me? >> i wanted to hear what you had to say. >> that can happen. i would like you to accept a briefing and do a supplemental related to the 13 breaches. >> okay. >> miss tavenner, i'm going to presume you will agree you will have full access to all information related to that so that gao may develop specific additional recommendations based on the actual breaches, the 13 incidents. >> yes, sir. >> okay. that will allow us to get what we don't have here today. i appreciate that. you have gone through an extensive amount. would you describe for the committee the level of cooperation you believe you got? we have heard what you didn't get. are there good news stories in the cooperation as you did your investigation or your audit?
1:12 pm
>> we do receive good cooperation from the agencies that we audit as it relates to receiving information requests that we provide. and in this case initially, there were delays in providing certain documents that we had requested. in addition, there were certain -- cms attempted to put certain restrictions on the documents. >> did they cite why they were restricting? are you not trustworthy? >> i think they indicated they were concerned about the security information. >> they don't trust you? >> i wouldn't say that, sir, no. but we elevated the issue within gao and within the department. we reached an agreement to where we would be able to and they did provide the information for us to look at. >> at the end of it all, there was no reason after it was elevated there was no reason
1:13 pm
that they should have denied it to begin with? >> in my view, no. they should have provided it earlier. but at the same point, you know, they had a concern about the security of the information. so they tell us. their motivation would probably be better addressed by the administrator. >> limited time. i want to set the stage for what others on both sides of the aisle may ask here. when you looked at the robustness of how they determined with such certainty that there had been no breaches, no loss of personally identifiable information, were you satisfied that that -- all those procedures were robust enough with the certainty that miss tavenner said that no losses had occurred, that no losses had occurred? >> well, we did not receive actual security incident reports on these incidents, at least on
1:14 pm
the 13. we did receive a written response to an interrogatory in which they indicated that -- at least for the 13, that there was certain pii that was compromised or disclosed to an individual. but it was consumer. it was through a technical glitch. >> wait. i want to understand. personally identifiable information was lost or disclosed? >> was disclosed according to their description. >> miss tavenner, others will ask additional questions. but your opening statement said none had been lost. how can we reconcile none has been lost with a sworn statement that some has been lost? >> i think what my statement said is there were no malicious attacks. >> oh, so if you just screw up and put the public's information out there, it's okay? because it wasn't a malicious attack? >> no, sir. i don't think any time we put consumer information out there it's okay. >> so my time has expired.
1:15 pm
i want the ranking member to have full time. i want to make it clear that word smithing of no malicious was done versus accidental just as we discovered at the time of the launch, that if i went to the section above where the url normally is, whether that thing was launched, if i typed in a different number or a different state code, i could have looked at somebody else's record. that was part of what you guys had wrong on the day of the launch, is that could you go to somebody else's record by changing that long streak at the top, meaning no code. that wouldn't have been malicious, i guess, except if somebody were doing it to see what they would get, that would be malicious. when you say no personally identifiable information was lost through malicious, you don't know how much was lost, you believe the definition of malicious wasn't met, is that right? >> i actually -- i think this relates to the personal incidents -- i think we want to cooperate with the gao on that.
1:16 pm
we're happy to review those. >> thank you. your desire to want to cooperate after we bring you here involuntarily is appreciated. but frankly, you should have cooperated with the gao beforehand. >> sir, i like to cooperate with the gao and oig. we have had over 140 open audits under way. i think we have cooperated. i came here voluntarily. >> thank you. >> danny? lacy. >> the distinguished gentleman from missouri is now recognized for five minutes. >> thank you. and i thank the ranking member for yielding his time. gao found that healthcare.gov had security weaknesses when it was launched because of a lack of oversight of security
1:17 pm
contractors, is that right? >> we found that with respect to when it was first deployed -- recognize that our audit occurred subsequent to the initial deployment. we found that based on review of the documents that there were certain vulnerabilities in controls that had not been tested at that time and that there were a few vulnerabilities that had been identified through testing through which the cms had accepted in order to provide an authority -- >> whose responsibilities were incumbent upon the contractor, correct? >> well, overall responsibility rests with the service -- >> with the contractor? >> i believe -- i think in some cases there may be incidents where we did identify weaknesses that were operated on systems
1:18 pm
operated by a contractor. that was subsequent. that was during the course of our audit. that doesn't necessarily pertain to prior to the system. -- to deployment of the system. >> gao report found there was not a shared understanding of how security was implemented among our entities involved in the development and security testing of the website, is that correct? >> yes. that's correct. what we found, too, is that in certain instances where cms told us who was responsible, the contractor responsible for certain tests such as assessing the secure -- implementing security on a firewall, it went to the contractor. the contractor indicated it was not his responsibility, that it was another contractor and that responsibility was not identified in that contract statement of work. >> yeah. but scenarios like this
1:19 pm
obviously increase the likelihood of security risks, is that correct? >> yes, sir. >> and was there a specific cms official or group that was responsible for overseeing the security testing of healthcare.gov? is there a group? >> well, overall, the cms -- chief information security officer has overall responsibility for reviewing and assuring the security over this system. >> now, for a project of this magnitude, shouldn't an agency official with a broad understanding of i.t. security testing oversee contractors? >> i would say yes. >> and was that the case here? >> i would say that, you know, there is -- the cio, cis would
1:20 pm
have that responsibility overall. >> okay. who would be the cms official that would have that kind of understanding of i.t. security? was there a person in place? >> yes. they had the cms ciso. there's several individuals that were responsible for aspects related to security over the healthcare.gov. there is an information security officer that has responsibility for sharing that security control. >> you know, the issues with i.t. security management did not start with healthcare.gov. as a matter of fact, this is a broader government problem that needs to be addressed. don't you think? >> gao has been reporting information security and federal information security as a government-wide high risk area since 1997.
1:21 pm
so sadly, yes, it's a broad government issue. there have been weaknesses -- as an example, for fiscal year 2013, 18 out of the 24 major federal agencies covered by the chief financial officers act reported either a material weakness or significant deficiency in their information security controls for financial reporting purposes. 21 out of the 24 igs -- they cited information security as a major management challenge. >> so it would be fair to say that all internet facing systems in the federal and private sector involve some risk, is that correct? >> given the nature of the internet and the capabilities and prevalence of hackers who might try to exploit vulnerabilities, yes, the answer is there is risk in conducting online transactions. >> thank you for your responses. mr. chairman, i yield back.
1:22 pm
>> i thank the gentleman. we go to the gentleman from florida for five minutes. >> thank you, mr. chairman. i have a copy of your report dated september 2014. in that, you, in fact state gao found -- i think you found that the testing was not complete and that the whole program was rolled out with weaknesses in security and protection of privacy. would that be an accurate statement? gao strongly asserts that testing of the website still remains insecure. is that correct? >> i would say that the testing of healthcare.gov and supporting systems has not been comprehensive. >> even to date, we have risks, is that correct? >> today we have risks. >> security risks, priv
1:23 pm
information risks. thank you. the rollout, they actually rolled this out, i saw your report -- four states had not taken action to secure privacy? >> i would characterize it more as they had not met cms security requirements. >> right. we'll have those for the record, the states. it's incomplete testing. i see basically a coverup of the failure that took place. did you see any of that? they were trying -- i went through some of these e-mails and some of the record, the committee has. i don't know if you saw this. it looks like quite a coverup or they tried to not let the public know the failure of the rollout and the failure of them to protect this information, is that correct? >> i'm sorry. i could not comment on that, because i have not seen --
1:24 pm
>> i can tell you, it's page after page. i mean, i can't even use some of the language used here. mr. chairman, i would like to have some of this submitted. >> without objection. the entire report will be placed in the record. >> it's astounding, again. this is a blanking disaster. i mean, this is one of the hhs people who saw what was going on at cms. a two-day story that talks about the issues and detailed explanation, but it's stating overwhelming traffic that could have been replicated in testing. one point after another of the coverup. i think unfortunately people like miss tavenner were involved in some of the coverup. did you ever attempt, ma'am, to
1:25 pm
have any e-mails or records deleted to what was going on in the failure? >> i'm not aware of the e-mails. i'm not seeing the e-mails you are responding to. i can't answer that. >> i have one e-mail here. you had asked that it, in fact, be deleted. i can supply you with a copy of it. it says, please delete this e-mail. it goes on to detail what was going on, the failure that was going on. first of all, there was a company by the name of serco with a contract of $1.2 billion, is that correct, to process paper applications? >> we retained them. i don't have the amount in front of me. >> again, this e-mail talks
1:26 pm
about them and the failure of the proper processing. there were problems with processing the paper applications? congressman, i'm happy to -- you had nothing to do with awarding of a $1.2 billion contract you would tell the committee, too, right? >> i don't understand what -- the question. >> the contract to process paper. here you are talking about -- >> i'm not part of the -- >> here you talk about the problems with the paperwork. you are asking for deleting of information. then i looked into serco. did you know that serco had been awarded the contract of $1.2 billion while they were being investigated? it's a british uk firm and they were being investigated for some fraudulent activities in the uk as they were being awarded a
1:27 pm
$1.2 billion contract? >> no, sir, i didn't know that. >> you weren't aware -- >> i think i stated that last year in a hearing. >> any of the background. again, i think we need to put this -- mr. chairman, i would like to put this e-mail in the record where the witness asks that we delete this particular e-mail and the problems with serco. >> without objection, so ordered. >> finally, are you aware that you violate federal law when you asked to delete information like this? >> again, congressman, i would need to see the e-mail. >> we'll provide the witness, if we could. >> we will pause quickly. if you send it down to her. get it quickly down. i would ask unanimous consent to stop the clock and give her an opportunity to read it. thank you.
1:28 pm
>> just simply, is that your e-mail and did you ask to have it deleted? it states pretty clearly your intention. mr. chairman, i will defer to you to get a response from the witness. >> this e-mail is from me, yes, sir. that's accurate. and this e-mail was written to julie battai was involved in the call center. this is about the call center information. i think that i asked that she delete this e-mail because it involves sensitive information regarding the president's schedule. and i think that's actually the area that's redacted. but, no, it is not normally my
1:29 pm
custom to ask -- i sometimes i would ask things be close hold or do not forward. in this case, it involved the president's schedule, if i remember this correctly. >> i would also -- i want the entire content of the e-mail entered into the record and the reference further down to serco. thank you. i yield back. >> briefly, if i could have indulgence. why would the president's schedule after the fact have any relevance to being needed to be deleted? i hear you. the president's schedule becomes very public in real time within a very short period of time. >> so i can't answer the reason to why this was redacted. i didn't make the decision to redact it. that's done by our oversight committee. >> you were surmising it had to do with the president's schedule, it's not all that secretive. it has no relevance for protection after the fact. >> i understand. >> under the federal records
1:30 pm
act, your communication is to be retained, correct? >> and it was retained. my immediate staff was copied on that. it was retained. >> so deleting it doesn't change the fact that it had to be retained for the federal records act? >> it is retained. and, in fact, if you are asking about our response, we did that out of an abundance of caution. i didn't necessarily retain e-mails if they related to scheduling changing. going back to the issue of transparency and trying to be forthcoming about information, we decided to notify nara. >> i would hope that the unredacted versions of all of this would be made available to the gao. and i would ask simply that unredacted versions be seen by the gao to see if, in fact, it's
1:31 pm
consistent with what we are hearing. >> a unanimous request. i have articles are serco and people paid to do nothing and serco's checkered past, foreign company for obamacare and an article, the unhealthy truth about obamacare, contractors. i would like these -- >> without objection, so ordered. >> thank you. >> with that, we will go to the gentleman from pennsylvania for five minutes. >> thank you, mr. chairman. thank you to the witnesses for joining us here today. >> i'm good with that. >> one of the most critical features of the affordable care act is that it expands medicaid eligibility to millions of low-income american adults. prior to the aca, medicaid eligibility was restricted
1:32 pm
primarily to low-income children, their parents, people with disabilities and seniors. in most states, adults without dependent children were not eligible for medicaid. according to a study issued in april 2014 by the kaiser family foundation, only about 30% of poor non-elderly adults had medicaid coverage in 2012 and uninsured rates for poor adults were more than double the national average. under the aca, medicaid eligibility can be expanded to cover all non-elderly adults with incomes below 138% of the federal poverty level. administrator tavenner, is that correct? >> yes, sir, i believe that's correct. >> the federal government pays states 100% of the costs for the first three years and then
1:33 pm
phases that down -- phases its match down to about 90% in 2020. despite this enormous level of federal assistance, more than 20 states have decided not to participate in the expansion leaving millions of their own citizens without healthcare. administrator tavenner, can you comment on the coverage gap that is resulting from these decisions not to expand medicaid in those states? >> yes, sir. i would start first by saying, with pennsylvania's recent decision, we are now at 27 states, i believe, plus the district of columbia who have decided to expand medicaid. obviously, if you look at a lot of independent studies, there's noticeable difference in the states that have decided to expand medicaid in terms of lowering the number of uninsured. we're going to continue to work
1:34 pm
with the remaining 20 something. we meet with them on a regular basis to do what we can to encourage folks to expand. >> by not participating, aren't the states that aren't leaving billions of federal dollars on the table that could be used to improve the health of their own citizens? >> yes, sir, they are. and it's also -- it has economic consequences for those states as well. >> of course. recently, some republican governors, as you have alluded to, who had originally refused to expand medicaid have now reconsidered their original decisions and have submitted medicaid expansion plans for cms's approval. for instance, in my own state of pennsylvania, as you mentioned, they decided to expand medicaid which will now provide health insurance to 600,000 low-income adult individuals in our state. administrator tavenner, how will medicaid expansion in pennsylvania impact the health
1:35 pm
of its citizens? >> i certainly can get you information from independent studies. but there's a correlation between coverage of insurance and long-term health improvement. >> good. now, i don't want to leave this question out. other than political posturing by the pennsylvania governor, are you aware of any good reason why 600,000 good pennsylvanians went without coverage for an extra nine months from the rest of the states that expanded medicaid right away? >> no, sir. we want everyone to expand and expand quickly. >> well, administrator tavenner, why do you think republican governors are so divided on the issue of medicaid expansion? >> sir, i can't answer that. i'm not sure. i'm sure each state has their reasons. we try to work with them and meet them where they want to be.
1:36 pm
>> all right. do you expect to work with additional governors who previously opposed medicaid expansion but are now considering reversing their decisions? >> absolutely. >> well, i want to say i thank you for coming here today. and i thank you for your testimony. i hope that governors in states that have so far not elected to expand medicaid will reconsider, will consider the impact on their communities to take advantage of this historic opportunity to lift up all of the americans in their states as well. thanks again, administrator tavenner. i yield back. >> would the gentleman yield? okay. at some future time, i'm happy to work with you and explain republican governors to your satisfaction. with that, we go to the gentleman from utah. perhaps a man that will some day be a republican governor. >> reclaiming my time. i thank the chairman and thank
1:37 pm
you all for being here. miss tavenner, question for you about the oregon exchange. the american taxpayers put in $304 million to develop that state exchange. now they want to come over and make a transition. did you or anybody at cms conduct a cost benefit analysis to determine that the switch to the federal exchange was the most cost-effective for the taxpayers? >> yes, sir. we did an analysis of what it would cost for us to bring in -- there's two additional states we're bringing in this year, nevada and oregon. and we did -- i wouldn't say it would be a sophisticated analysis, but we did a cost analysis. as you might imagine, we already have 36 states in the exchange adding two more is cost-effective. >> could you share that analysis with us?
1:38 pm
is that something you could provide to us? >> certainly. >> what is the additional cost? >> i don't have that in front of me. i'm happy to get it for you. >> what is a good -- when would i raise the flag and say, that's been long enough? can you give me a sense of the time? >> we should be able to get you that in a few days. >> very good. i appreciate that. >> it's part of our bill that's ongoing. >> a few more questions about that. what's being done to claw back -- there's $304 million. is that money all gone? is there some of that coming back? is somebody going to jail? what's going on with it? >> each state -- again -- >> i want to talk about oregon. >> i think oregon has very actively gone after their contractor. i think that's been in the press. but i'm happy to get you more details. >> what's the federal government doing? it was federal taxpayer dollars,
1:39 pm
correct, that went into it? >> yes. these were grants awarded to states. it's between the state and the contractor. so the states are working on that. >> cms, health and human services, department of justice, the federal government, pick your entity, we're doing nothing to claw those back -- claw back those dollars? >> i think it's early in the decision making. states are going on the basis of individual contracts. >> but the federal taxpayers give $304 million and we just say, well, it's up to oregon to figure out what to do? >> we are working with the state. >> when we gave these grants, was there no condition or expectation that it would work? was there a deal that said that -- we literally hand them over the money and we don't care what happens? >> what we did are a series of
1:40 pm
progress reports and requirements with the states. i'm happy to get you that information as well. >> try to get some degree of specificity. i haven't heard you say we're doing something to try to claw back nearly a third of -- >> what i said is that states are doing that. we're cooperating with states. >> but where is the federal government? >> we're cooperating with states. the contract is between the state -- >> we're just waiting for oregon to tell us something? >> we're working with oregon and other states. that's all i can say right now. >> mr. chairman, i mean, i don't know how -- >> that's what she said. it's all she's going to say. she won't answer your question. >> i know. i think it's something that the congress should look at. we give out 300-plus million dollars and we call it a day and move on? miss tavenner, is there any criteria or guidance for states who want to drop out and move to
1:41 pm
our exchange? have you issued or -- how do you evaluate those? do you just say yes? >> well, we obviously have a list of criteria and requirements for the state to move from a state-based exchange to move to the ffm. these entities stay state-based exchanges. they can continue to do marketing, outreach. what we are doing is the support. there are criteria they have to meet. i'm happy to share that with you. >> in the package -- >> yes. >> in a few days you will share that with me as well? >> we have a lot of documentation. >> thank you. i appreciate it. again, for my colleagues here, i just -- we really have to look at this. it's stunning to think that we would hand out by the hundreds of millions of dollars to states and have no recourse. if it doesn't work, we kind of throw up our hands and say it's up to somebody else to figure it out. that's not the way we should
1:42 pm
operate. it's pretty stunning and very dissatisfying and doesn't produce results, it's not responsible, it's not accountable and very frustrating. i yield back. >> i thank the gentleman. we now go to the gentleman from massachusetts who was here first, mr. lynch. >> thank you, mr. chairman. i want to thank the members of the panel for your willingness to come here and help the committee with this work. miss tavenner, generally the way things work is that the private sector has far more resources than often times our government entities, and they are better prepared, better incentivized to keep data secure. that troubles me because i see a list of -- i'm on the financial services committee as well. and we have been dealing with home depot, we have been dealing with target, we have been
1:43 pm
dealing with j.p. morgan chase, the largest bank in the united states of america. we are still not sure about the breadth of that breach, but we're concerned about it. we have heartland payment systems, 134 million people in the united states. kb financial group, 104 million people. global payment systems, 950,000 people to 1.5 million. we're not sure yet. they each breached the iranian banks, about 3 million people. that was probably us who did that. morning star, 184,000 people. citigroup, 360,000 people. so you have all these big firms, personally j.p. morgan chase, they got some very, very smart people. they have an extreme financial
1:44 pm
interest as well as a reputational interest to hang on to that data. so i'm just worried with the -- sort of the botched rollout, the difficulty with the state exchanges, including my state of massachusetts, we have had data breaches related to healthcare. are you sure that you can sit here under oath today and tell me that nobody's breached the healthcare.gov site and that the folks whose healthcare information, tax information, personal information, that it remains secure today as we sit here? >> let me answer that in a couple of ways. i will go back to the chairman's point about transparency as well. i dare say, there's very little that concerns me more on a daily basis than the security of this website for a host of reasons.
1:45 pm
it's a new project. it's been very, very visible in the press on a daily if not hourly basis. and we did have the difficulty in the rollout. we have even within our limited resources spent a great deal of time and money securing the website. we have been able to meet standards, omb standards, hipaa standards. but i will always worry about the safety and security of the website. we talked about the earlier incident with the malware. yesterday, i was informed of another case not related to healthcare.gov, but an independent site, if you will, that was working with the cloud, with website material, where there was another malware incident. now, there was no personal information. this is something that i don't even have the details of.
1:46 pm
but these are the types of things that worry me every day. we meet about security weekly. we review -- >> yeah. i'm not hearing the answer to my question. i appreciate all of that, believe me, i really do. but i only have a minute left. i think you're going to burn all my time here. there's no guarantee that there has been no breach. i don't want to put it that way. you don't seem to be able to give me a guarantee. >> we have had no malicious breach. >> that's fair enough. one of the problems we're having with our credit card issuers -- i'm using this as an analogy, is that for them that is -- that's product. they sell information, i think. sometimes by selling it, they bring on the breach themselves. they also compile it so that
1:47 pm
these credit card companies have 15, 20 years' worth of data there all sitting there waiting to be hacked. my purchases at home depot ten, 15 years ago are still part of that data grouping. do we do anything to put firewalls up so that there -- if there is a breach of the medical information that we can somehow limit the damage? >> if you remember the hub, no information is stored on the hub. that was one step. second, we do not keep any medical information. there is some personal information, but we don't have the need for medical information. so that's not stored within the ffm. the only thing that's stored in the ffm itself separate from the hub is the ability to work appeals of cases for people who
1:48 pm
say i didn't get a tax credit, i should have gotten a tax credit. we keep it minimal. >> is that tax information in there? >> no. there's not tax information. there can be sometimes people can state their income, but there's not tax information. >> okay. all right. my time has expired. thank you for your indulgence, mr. chairman. >> thank you. thanks for a good round of questioning. we go to mr. meadows. >> thank you, mr. chairman. i'm over here. i want to go ahead -- i will speed through some of these questions. miss tavenner, can you confirm that cms will not change their open enrollment dates? we had so many different dates that changed before. can you confirm to the american people and really to the providers that those open enrollment dates will not move? >> the open enrollment date for this year is november 15 through february 15. >> those will stay firm? >> yes, sir. >> no changes?
1:49 pm
>> no changes. >> they can count on it. that's good news. how about window shopping? last time you had to enroll, put your -- i had to go on when i was shopping, i actually had to sign up to be able to figure out what i -- is that going to be available? >> window shopping will be available. you would not have to sign up this year. >> we will be able to compare plans? >> that's right. >> without having to put any personal data? >> yes, sir. >> okay. great. let me go a little bit further into this. brian sevok has shared testimony with this committee. >> i know who brian is. >> when we were looking out the rollout, he said -- this was him in an e-mail. to your question, how am i feeling about the launch, not good. kind of heartbroken. whatever launches, if functional, will only meet the
1:50 pm
criteria of launching the exchange. it will be riddled with confusing and hard to use compromises. but i don't know. i'm not seeing anything that's being delivered. it's piecing things together kind of through the grapevine. and so, there was not a real communication going on between cms and hhs during the whole healthcare.gov launch? >> i'm not familiar with that e-mail, at least i don't think i am. >> well, i mean, i guess the question is, was there a whole lot of coordination between hhs and cms technology people going through, because i've been led to believe that hhs only found out really what was going on through informants. >> well, we did weekly updates with hhs on the website. >> so they didn't have to have informants to find out what was going on? >> i can't if brian was in those meetings or not, but i wouldn't
1:51 pm
think they would need informants. >> okay. did brian recommend to you that the website launch should be delayed because of security testing concerns? >> brian did not recommend to me that the launch should be delayed. brian did discuss -- >> because he shared with the committee that he did, so, are you sure that he did not say that we should not delay the launch because of security concerns? >> i think i need to finish my sentence. >> my apologies. >> that's all right almost the rest of that sentence is there was a discussion about what would it be possible to beta test or launch a few states as opposed to bring up the entire ffm. and i and the team did not think that was possible. >> and why did you not follow his advice? >> about the beta site? >> well, about delaying? i mean you say beta site, i say delay, but whether you're right or i'm right, where did you not
1:52 pm
follow his advice? >> well, i didn't think it was possible the way the ffm was configured to do that, nor did i think it was necessary. >> okay. you shared your testimony, earlier, you shared your resume. what part of your resume included an i.t. background, that was his expertise. you sounded like you're a health care provider, not an i.t. expert. >> i'm a health care provider. i have become more of an i.t. expert the last year. >> this was in january, what particular point did your i.t. expert outweigh his? >> taking the recommendations of our i.t. expert team, cms, as well as cms contractors who i felt were a lot closer to this issue than brian. >> okay. so, now we can look backwards and realize that the rollout was a disaster. so, what do you think of your i.t. expertise within cms today? was brian right? we should have delayed it? >> i don't know that brian was
1:53 pm
right. i know that -- >> was he closer to right than your team? >> not necessarily. i know that we have come a long way in our launch and as i said earlier, we have 7.3 million people paying premiums -- >> i didn't ask how many had signed up. this is about security and he had a concern in january about security and yet, you ignored his advice. why would that have been? >> because i had my own i.t. team who conveyed to me that they were confident in the project. >> i yield back. i'm out of time. >> the other witnesses want to comment on the answer to the gentleman's question about a year ago was the site ready and should it have launched, in retrospect? >> well, i would just say that at the time of his launch that cms did accept increased risk, that -- from a security perspective. >> not having reviewed the data
1:54 pm
that the cms i.t. team had, i wouldn't feel comfortable commenting associated with that. i think it's important to have eyes on the project and be part of the team to make those decision, it's very difficult as a third-party partner participant to make that kind of assessment without the actual knowledge and data. >> as a former businessman, i would say that a site that couldn't accommodate a few hundred people simultaneously signing on and people waiting for weeks or months, security wasn't the reason that that should not have launched, but i appreciate that you're here on security today. the gentlelady from new york, a place where i.t. comes first for many of her constituents is recognized for five minutes. >> that's true, true of the west coast, too. i just want to note that this is the committee's 29th hearing on the affordable care act and the sixth on the website. oh, come on, please. i want to focus on some very positive things. and that's the cost growth is
1:55 pm
slowing to historic lows and that was one of the huge challenges that we confronted the whole time that i've been in congress, is the -- just the whopping cost in health care in our country. now, contrary to some of my colleagues' claims that the affordable care act is causing health care costs to skyrocket, there have been multiple reports recently that show that the growth of health care spending in the united states is slowing to historically low levels. and that is good news for everyone. earlier this year, the centers for medicare and medicaid services issued its national health expenditure report. are you familiar with that report? >> i am familiar with that report. >> well, the report found that national health spending grew by just 3.7% in 2012, a
1:56 pm
near record low and the fourth consecutive year of slow growth of health care costs. in your opinion, what factors are driving this historically low rate of growth and i'd like the others to chime in, too, if would you like to add to her response. >> i think that we all felt it was a combination of things. certainly, the recession early on, but as -- as time went by and we continued to see this historic low growth, i think some of the actions in the affordable care act have made a difference and it's an ongoing conversation i have with my actuary and i think he would agree if he were sitting with me, it was both, but the affordable care act made a difference. >> that was outside the scope of my review. >> that is something i have not been involved in as the director of u.s. cert. >> okay. fine. earlier this month, cms released
1:57 pm
its national health expenditure projections for 2013 through 2023. and according to these estimates, national health expenditures grew just 3.6% in 2013. is that correct? >> i believe that is. >> this is the lowest rate of growth since the federal government began keeping such statistics, since 1960. i would call this a very positive development in public policy. would you agree? >> i would totally agree. >> what about the next ten years? we are always looking ahead. i know cms projects an uptick in health spending overall due to the large number of people who are newly insured through the affordable care act. but what about per enrollee health costs? >> so, going back to that report, i think the trend is expected to move back up, the number of individuals in
1:58 pm
medicare and, but i think that stresses the importance of our success in tying together delivery system reform, payment and quality and why that work is critical that we continue. >> well, why will they grow more slowly than before the affordable care act? >> some of the measures put in place with the affordable care act, tying payment to outcome, transforming delivery system, which is a work in progress. >> now, the kaiser family foundation recently released an annual employer health benefit survey and this report indicates that the slowdown in health spending also extends to employer-sponsored insurance. more good news. according to kaiser, premiums in employer-sponsored health plans grew only 3% in 2012. so, i would like to ask you, that's tied for the lowest rate
1:59 pm
of growth since kaiser started measuring the growth of employer health care plans. do you agree with that? >> i reviewed the kaiser report, employer insurance tends to see what we are following in medicare and medicare. yes. >> this seems to be very good news for the american consumers and our overall delivery of health care service, so i'm very pleased with these reports. they say numbers don't lie and numbers are showing an improvement. i want to congratulate you and your colleagues for your work to help bring this to the american people. thank you. >> thank you. the gentle lady from california, ms. speer. >> mr. chairman, thank you. i thank you to our witnesses. i want to congratulate you, you have lived through the real life
2:00 pm
"survivor" show and succeeded. i find the fact that we have engaged in the most thoreau, repetitive implement of the aca as an incredible waste of your time. a lot of good news, as my colleague from new york has underscored and really quite interesting to me, for the longest time, there were all those who were panning the afghanista affordable care act, we will never get the numbers and you were meansing it earlier, ms. tavenner, 7.3 million subscribers, correct? then the hue and cry was we won't pay for it, pay for one month and won't pay any longer and it will fall on its face.
2:01 pm
that hasn't been the case either, has it? >> no, ma'am. >> the chairman of the committee and a number of republicans just sent you a letter and i want to read it out loud, one segment of it. "in order to enroll beneficiaries in the exchange, healthcare.gov collects, obtains and retains massive amounts of personally identifiable information about millions of americans. this information includes social security numbers, personal addresses, income and employment records and tax return records. it is extremely important that cms and the other federal agencies involved in the exchanges properly protect and maintain this sensitive information." now, i actually agree with that statement and i presume you agree with that statement? >> yes, i do. >> and having agreed with that statement, have you, to date, had any cyber attacks that resulted in personally
2:02 pm
identifiable information being stolen? >> we have not had any malicious attacks on the site that have resulted in personal identification being stolen. as the chairman rightfully brought up earlier, we did have some technical issues at front end that we had that were our own doing that we had to -- >> that's right. but we're in the present day and let's look to where we are and where we're going. okay. now, meanwhile, target security breach included 110 million americans. potentially affected. you're aware of that? >> i am. >> my staff checked the census website and said the total population of the united states is 319 million. so, more than a third of americans potentially had their personally identifiable information breached, stolen, as a result of that target data breach.
2:03 pm
there wasn't an interest by this committee to have a hearing on that potentially affecting a third of the american people. see, 110 million people affected, no hearing. zero people affected, and we've had dozens of hearings. it seems like our priorities are not quite on what the american people would be interested in. now, we do know as a result of target that the hacking came from outside this country, it appears it came from russia or from some region near there. and rather than trying to find out where these hackers are coming from and how we can forestall them, we are going to waste more of your time asking you a number of questions about issues that haven't even
2:04 pm
impacted. now, some would say, well, except that's private business. well, how about usis? they have a contract with the federal government. it does security checks and 27,000 people have had their personal information stolen from usis, a federal contractor and have we had a hearing on that? nope. appears that's not important either. so, i want to just commend you all for recognizing that you have to do this no matter what, come to these committee hearings, you do it with great respect and we appreciate that. i hope we can send you back to do the work that the american people would like you to do and i yield back. >> i'll take my time now. >> we now recognize the gentleman from maryland for five minutes. >> i want to thank all of you for being here today as we come to the end of this hearing.
2:05 pm
i just -- you may, ms. tavenner and others, you may never hear the full thank yous of people who are going to stay alive because of what you and your colleagues have done. and i really mean that there are people -- there's a mother who's now going to be alive, may have been suffering from cancer, breast cancer, like the lady in my district, couldn't get treatment. but she's alive, she got treatment. i have a sister that does a lot with breast cancer and they were waiting -- they had women who had been tested and they were waiting for the affordable care act to pass and come into effect so they could get treatment.
2:06 pm
i have come to you today and to your colleagues to thank you. i tell the story that when the affordable care act came up, i had one prayer, i came to the floor early, i came early and sat on the front row and i had one prayer, i said, god do not let me die before i vote for it. the reason why i have said that is i have seen so many people who were sick and could not get well. you know, johns hopkins is smack dab in the middle of my district, great hospital, one of the greatest in the world. people fly from all over the world to come to johns hopkins. and there are people standing on the outside, could not get in, but the treatment was in there.
2:07 pm
and so, you know, i know your colleagues are looking on and i just don't -- i know they have been through a lot. and i remember when they -- we had the website problem and many were saying, oh, we can never get through this, so, you know, just so horrible and everybody was warning that everything would collapse. but you know what i said? this is a can-do nation. this is a can-do nation. and we need to definitely do when it comes to the health of every single american. and i listened to what you said a moment ago about how, day after day, you worry about making sure that people's information is protected. we could not pay you enough or
2:08 pm
pay your colleagues enough to go through what they have been through and to worry as you have worried and to do everything in your power to be protective of the american people. and yeah, you're gonna be criticized. yeah, folks are gonna try to do and say all kinds of things about you. but i have come here at this moment to simply say thank you. thank you for my constituents. thank you for constituents -- our constituents all over this country. and you know, sometimes i think about illness and a lot of people -- i wonder if people have not been ill themselves when they see other people in the position of getting sick or sicker and dying. i wonder whether or not they
2:09 pm
have ever been ill and that troubles me, because i think that president obama said it best, and i wish i had coined this phrase myself. he says, sometimes we have an empathy deficit. an empathy deficit. so, i take this moment to thank you and just have just a few questions. i'd like to ask you about the attack by the hackers last summer on healthcare.gov. my understanding is this attack was not limited to healthcare.gov alone but included a broader universe of targets. is that right? >> so based upon the analysis that our team did, it was a typical kind of malware that's dropped for denial of service attacks. so, basically, they are trying to create a node and a botnet to use for denial service attacks, so, yes, they look at resource servers like this to use them for those types of attacks. >> and the hackers were able to
2:10 pm
place malware on a server, but it was a test server that did not have any personal information, is that correct? >> based upon the analysis that our team did, it was a test server that was deployed with its out-of-the-box configuration, meaning the default password hadn't been updated. >> just have two more questions. as i understand it the type of malware at issue is called denial of service. >> mm-hmm. >> malware, which is designed to slow down or even shut down the system but not extract information, is that right? >> correct. the malware is to use the resource of the server as part of this botnet so it wasn't targeting the server, it was using the resource of the server for the botnet for another victim. >> how common are the [ inaudible ] -- >> sorry? >> how common are they? >> they happen every day across the globe on -- [ inaudible ]. >> so the bottom line is that at least as of now, no personal information was transmitted
2:11 pm
outside the agency is that right? >> correct. the breach was discovered by cms, it was alerted to us. we looked at the images that were provided. there was no exfiltration of data, there was no loss of pii. due to the segmentation of the network. this was a test network separate from the production network, so there was no lateral movement into the production network associated with this activity. >> thank you. >> thank you. >> i guess, still got more questions but let me make some statement and then i will ask a couple more questions. you know, ms. spiers left and that is unfortunate, this being said when are we going to hold all kinds of hearings, they forgot to mention there is a committee mr. lynch belongs to, the financial services committee and held hearings because they oversee the financial community, meaning home depot, target, these other companies that they are referring to, those fall under that committee's primary oversight because these were financial
2:12 pm
transaction related. my staff also mentions that the federal trade commission, the department of justice, the cfpb and the fdic also are looking into each and every one of those. so, with tens of millions of dollars, countless agencies and individuals looking at each of these, the question is, ms. tavenner, who's been looking at you? mr. wilshusen, in a nutshell, one of the things that you said at the beginning was they didn't have strong passwords, so, somebody could put in a short password and not change it. is that correct? >> that's correct. we identified several technical security control weaknesses with healthcare.gov and its supporting systems. >> so, somebody who didn't change the password created a huge vulnerability, particularly if they had a high level of access, is that right? >> if they used a weak password that could be easily guessed, that would be an increased risk. >> so, marilyn, her birthday, if
2:13 pm
used, would have been easy to guess, certainly tried. did they have advance lockout systems and detection and reporting? >> one of the things, i don't want to get too detailed into the types of security controls so we don't give any information -- >> we don't want to tell how -- i understand that i will be a little careful on that but there are techniques that if they were in place would have been much more secure? >> sure. >> the weaknesses that we identify are all -- can be corrected and resolved almost immediately. >> so, what you found a year into the site was they were not using best practices? >> once we identified several weaknesses that increased the risk and unnecessarily increase preventible risk. >> we pay a huge premium for cios, senior executive service, we the congress, have authorized special high pay, a quarter of a million dollars and more, to get certain people with special expertise and we have had some before this committee. you're telling us a year into
2:14 pm
this site, they simply have not put in what people would consider best practices in some cases, such as a requirement for strong password and periodic trading -- periodic changing of them and a lack of redunn dandy sonic passwords, common things that protect sites, right? >> those things should be done. yes. >> and you know what's amazing, target and home depot had those kinds of protections, but there was a malicious attack from a foreign nation with advanced tools, some of those tools being exactly the tools that our cia, nsa use to go after the worst of the worst. and we succeed all the time. so, what i'm finding here today is that everyone wants to talk about organizations that employed, in many cases, best practices, that did their best and then were targeted by very advanced networks, criminal networks, networks that may even have had the kgb's successor helping them hack. and they want to talk about those rather than a lack of common sense, simple practices that -- to secure a website,
2:15 pm
isn't that true? >> i would say that probably the majority of federal incidents that occur within the federal government could be resolved, perhaps prevented, if agencies practiced strong cyber security. there's always going to be a risk that you come across an agent or an entity, a foreign intelligence service that has very sophisticated techniques that may be difficult to protect against, at least to prevent. but by and large, many security incidents could be corrected and prevented if the agencies practiced strong security control. >> now, even without seeing the 13 compromises that occurred, you were able to make and cms accepted a lot of suggestions that are improving the site here today? >> we looked at the security controls over those devices that we've looked at and identified vulnerabilities that could be corrected and cms concurred with each of the 22 technical recommendations that we are making.
2:16 pm
>> so, all of the talk about this robust team, all of those experts brought in from silicon valley, special people that worked on the president's re-election, all those people had missed those 22 points? >> that i can't answer in terms of -- >> but when you suggested these, did they say, oh, we are already doing them, we just forgot or saying we weren't doing them and now we will? >> i would just say that we identified them during the course of our review and they have accepted our findings and indicated that they will implement. >> you are very kind. >> would the gentleman yield for just one quick point? >> i was one of those who shopped at target and i have a new credit card today. there are two distinct differences. one is i'm not compelled by law to shop at target. i am compelled by law to sign up
2:17 pm
for obamacare. there's a huge difference. mr. chairman, what happens is those are voluntary transactions, which i don't have to give my social security to them, i give them a credit card and i do a transaction. it's very different for healthcare.gov. >> that's very true. i thank the gentleman. we now go to the gentle lady from new mexico who has arrived for a round of questioning. >> mr. chairman, thank you very much for recognizing me and i want to thank the panel here today. and i share many of my colleagues' concerns that we should be doing the very best to protect information and certainly, we've led in the private sector world with hipaa and related requirements, security protections and working diligently and tirelessly to make sure that patient protection, patient privacy and now financial information must be protected.
2:18 pm
and i think the point is important that every person must sign up and be insured through the affordable care act. and i want to read this i think it bears energy the context of this hearing, bears repeating. in gao, in the march 2013 report, found that the federal government continues to face cyber security challenges, including designing and implementing risk-based cyber security programs at federal agencies, establishing and identifying standards for critical infrastructures, and detecting and responding to and mitigating cyber incidents. and since that report, we've got 28 gao additional recommendations and i know that we've been talking about today in this hearing. in fact, gao has designated federal information security as a high-risk area in the federal government since 1997.
2:19 pm
and i think that there isn't anyone in this committee or anyone in congress or the public that doesn't think that more should be done, and in fact, that we embrace every potential positive, productive, professional recommendation moving forward. and so given that, ms. tavenner, knowing that the upcoming november open enrollment period is coming for millions of americans who will be shopping on the exchanges, how prepared are you to take these 28 recommendation and others to assure protection? >> yes, ma'am. let me start with the 22 technical recommendations. 19 of those have been resolved, fully mitigated or will be further reviewed prior to open enrollment. so, those will be handled. of the six other recommendations, we are in the process of either completing -- have completed those or will complete those prior to open enrollment. >> and based on the 19 that
2:20 pm
you've identified, ms. tavenner, and the remaining measures to implement, you are confident that not only are they implemented but they are tested and will have, to the greatest degrees, i might disagree with some of my colleagues that we can do everything in our power and those hostile, those negative, those who intend us harm and intend to access that information for their own gain will find ways to do that. i want to make sure that we are doing everything that we know that mitigates and prevents and gives us the opportunity to also detect when there's been a problem. you're confident that these will be tested and in place by the open enrollment period? >> i'm confident but we will never quit continuing to try to improve the process. our work with the department of homeland security, our work with gao, oig, will always be looking for improvements. >> i appreciate that. and given that we know we're working on another issue in my state, i appreciate your
2:21 pm
attention to that and your coming, mr. chairman, we are working on a behavioral health issue. for me, it all ties to making sure that consumers have confidence, that they are protected in a way that cms is responsible to protect those citizens, that they are clear that your responsibility and oversight is paramount to the work that you do and that the access to health care is only as good as making sure that the information and the protections that are required by law are, in fact, in place and they can go to cms when there is a problem and have that resolved, objectively and appropriately. i really appreciate your attention to all those matters. >> thank you. >> i yield. >> ms. tavenner, i just want to make sure that i understood what you just said. that -- and i agree with every word that my colleague just said. but you're saying then there's six recommendations left, is that right? >> sorry, sir there were six
2:22 pm
major and please correct me, greg, if i get any of these wrong, there were six major recommendations and we are in the process of completing those and some of them are done and the answer to those is all of them will be done prior to open enrollment. >> and open enrollment starts when? >> november 15th. >> so, we can -- would you let us know officially when they are done? >> yes, sir. i think -- >> to the chairman and myself. really appreciate that. >> if the gentlelady further yield, the earlier report we had is you didn't agree to all six, but you agreed to three out of the six, you now will agree and complete all six? >> so i think in some of them, we partially concurred but we are getting the work done. whether we totally agreed or not, i think there were some things, for instance, there was a different description of how we did security testing versus what gao wanted. that wasn't an action we would change, but we understand where
2:23 pm
they are coming from, we just have a different way of getting the security testing done. the rest of these things, such as the privacy impact statement, we will have that done, that was a documents issue. the computer matching agreements with peace corps and opm, we will agree to that get that in place prior to open enrollment, security agreement governing equifax, complete that. of the 22 technical recommendations, 19, we have already done, the others, we are reviewing and i will be happy to do something in writing back to the chairman and to the ranking -- >> i think we both would appreciate it. >> all right. >> gentleman from north carolina? >> i wanted to follow up on one thing, ms. tavenner and it really, as we start to focus on some of these other issues, it takes our eyes off of the core issue and this's what the ranking member was talking about, which is providing health care really to the american public. and that's your primary
2:24 pm
responsibility. i can tell that you take that seriously. it is a distraction to say the least, when we have a billion dollar spin on a website that doesn't work, security issues that are there. along that same time, there was a rule that came out with regards to medicare part d in january that -- a rule that really would limit some of the options of our seniors, a rule that you came, much to your credit, and said we're not going to do. and i want to say thank you for doing that on behalf of millions of senior citizens who would have seen choices limited. do i have your assurances here today that we are not going to put forth a rule that is similar in nature to that rule that was
2:25 pm
brought back? i very rarely have an opportunity to have you in a public forum under oath, and so on behalf of millions of americans, do i have your assurances that we're not going to do it? i think you made a good decision. my mom, who's a senior citizen, thinks that you made a good decision. so, do i have your assurances that we will not see a similar rule? >> i'm not interested in bringing back the pieces that we've pulled. >> okay. that's good almost answer. so, do i have your assurances, yes or no -- >> you have my assurances that i won't bring back the things i just pulled. how about that? >> or something similar? >> or something similar. >> let me tell you the reason why and it gets back to cbo indicates that much of the reason it is working so well is the competitive nature we have.
2:26 pm
we are going to limit options for our seniors, some cancer, some anti-epileptic, these are serious things, so you and i can banter back and forth, but really what i need is on behalf of the american people, your assurances here today that that's not going to happen? >> now you are bringing specific, i'm not interested in bringing back the drug categories, if that's the question. i'm not interested in bringing that back. i am interested in promoting competition, promoting private market and i think we have tried to do that with the marketplace rules as well. so, we would continue to work -- >> not going to limit competition and we are not gonna narrow what people can get? >> that's -- would be my preference, yes, sir. >> that's your assurance? >> that's my assurance. >> all right. thank you. i yield back. >> could you yield to me? >> sure. be glad. >> briefly, item four from the gao says perform a comprehensive security assessment of the ffm,
2:27 pm
including the infrastructure platform and deployed software elements. now, initially, that was one that you said no to. are you saying you will perform that full system-wide test and have it done by november 15th, 'cause that's sort of the -- that's sort of the one that gao couldn't -- we can't know what we don't know until you do that, is that right? the mic, please. >> we get into a discussion of style here. it is our intention, and we will complete a full end-to-end assessment, security assessment prior to open enrollment, yes, sir. that's scheduled for later this month or october. i think where we got into a different kind of structure had to do with infrastructure and platform and our definitions, but i think our intentions are the same. >> why don't we let, greg, if would you give us the rest. >> as long as the tests that they perform includes how the
2:28 pm
applications interface with the operating platforms and the infrastructure to look at it in totality is going to be critical, because certain vulnerabilities on certain levels, layers of the security, could affect the security of the other components of it, 'cause there are a number of components involved with this website, supporting systems, and a number of different entities involved with their operation. >> so, for the layperson out there, would it be fair to say that, for example, when software opens a portal on a particular piece of equipment, that that can create a vulnerability in one type of hardware that it wouldn't in another, that that's the kind of thing that they have to look at the actual hardware they are using, what it interfaces with and so on, is that right? >> and to include looking at the firewalls and the routers and switches that support it as well as the operating systems and how they are being configured. yes, sir. >> and i presume any remote
2:29 pm
access to devices, vpns or any of that would be part of it all it takes, if i understand right, is one pc that has a vpn connection that isn't in the software but once you put it in, it can create a separate vulnerability, right? and that's what you're looking for? so if i saw the heads nod, and i like that, the two of you are -- one of you's going to come back to the ranking member and myself if this agreement that you're gonna do that by november 15th doesn't happen. is that right? maybe both of you? >> i would be following work with your staff to do some follow-up. >> i think that's all that mr. cummings and i would like to know, since you're shaking your heads and smiling now, if that stops between now and november 15th, one of you will tell us? >> yes, sir. >> mr. cummings? >> i mean, i'm going to encourage you to do that. just do it. please. >> we will do that. >> and i'm not trying to be
2:30 pm
smart. i mean, ms. tavenner, i know that -- and all of you, i know you're trying to do what's in the best interest of the american people. i understand that. but it seems as if what we want is the highest level of best practice, am i right, mr. chairman? >> absolutely. >> the highest level. and i can't help but when i was thanking you on behalf of my constituents, i could see a tear come up in your eye and you know, so often, i think federal employees, a lot of people don't realize that a lot of our employees, most of them are not in government for the money. they are in it and i have people coming trying to work for our committee all the time who are willing to take reduction of salaries from the private sector because it's something about this that feeds their souls,
2:31 pm
something about lifting up the public and making their lives better. and so, to all of you and to all of the federal employees who may be listening out, the ones behind you, ms. tavenner and all the ones that maybe in the audience and up here, i just want to thank you very much. thank you. >> thank you. and i understand the gentlelady from new mexico, did you have any follow-up questions, ms. grisham? >> mr. chairman, i don't, i was thanking you and i appreciate both the leadership of the chairman and the ranking member to assure that we get feedback and they represented very effectively all of my concerns and points so, thank you very much for your leadership. >> thank you. i've got a couple very quick wrap-ups that came out of these and big smile, because we are nearing the end. there was a question about more people being insured. and i just have to ask, is medicaid insurance? >> in my opinion, medicaid is insurance, for sure.
2:32 pm
but that is not -- >> but the actual level of insurance under medicaid that was talked about, it's medicaid insurance, that's what's lowering the number of uninsured is medicaid? >> plus the marketplace. both. both are lowering that number. >> which is then subsidies, primarily? the actual number of people who are receiving unsubsidized health care has gone down, is that right? >> you know, i -- and i don't have all the reports in front of me, but actually, the number of people insured off the exchange without subsidy is also rising. i don't have the latest private insurance, private insurance had a negative trend that had been going on for the last ten years that seems to have kind of stabilized out, if you add medicaid and you add the marketplace exchange, with or without subsidy, i think that's what you're seeing this. >> the reason is that those questions led to this sort of feeling that you know, everything was better, but isn't
2:33 pm
it true that the medicare trustee, charles blahous, he projected by 2021, the impact of the affordable care act will be a 346-527 billion increase in the deficit, essentially because the government's going to pay that 190% for medicaid, the government's going to provide those subsidies and the government is, in fact, the taxpayer, so the deficit will rise based on the money that buys that insurance. isn't that true? >> i'm not familiar with that report. >> okay. but the government is general tax revenues are, in fact, paying for these subsidies and for medicaid, doesn't come out of a trust fund. medicaid is ordinary income tax? is that correct? >> i'm sure that you know that, mr. chairman. i don't. >> well, for the record, medicaid is paid out of income tax. and much of medicare is paid out
2:34 pm
of income tax. the trust fund, when we talk about it, pays only a small part of what our seniors reflect. now, i have really the final question and it's one that deeply concerns me and it wasn't the main topic today, but it's right in your lane. on may 15, you projected 8 million as an enrollment number. august, it's now 7.3. what happened to that 700 to 800,000 people? why was there such a precipitous drop? >> so the 8 million individuals, and i think that number was after the end of open enrollment, had signed up. and i think during the course of the next several months, individuals may have either gotten employer-sponsored insurance, they may have found other eligible for medicaid instead of the marketplace, and some individuals may have decided not to go forward and
2:35 pm
pay. i think there was always -- >> that's great question and it's -- the reason i ask that question is, you know, people were asserting that signing up meant nothing and paying meant everything. how much of that 700,000-plus drop were people who did not pay or do you know? >> i don't know that information. >> wouldn't it be all of those people did not pay? >> i don't think we will know that until the end of the year and then we will probably -- >> let me ask the question a different way, because, you know, i'm an old businessman. people signed up. they were there for insurers, is that correct? they enrolled, they were insured? >> these were people who signed up for a plan, but in order to get insured, you had to make a payment, right? >> well, no, they were insured right away and then if they didn't make the payment, they -- >> 90 days. right. >> so, they basically got a free ride, 700,000 people got a free ride. they had coverage and if something catastrophic happened, they could make a payment and if
2:36 pm
something catastrophic didn't happen, they could just let it drop. >> sorry. i don't think we know that information. >> well, no, this is a structural question that i know you must know or the technical people behind you must know. if 8 million people sign up, let's just say 8 million people sign up and not the 700,000 who dropped, but let's just say 50 people out of 8 million had a health event and they weren't gonna pay, they just signed up on a lark because it's a free ride to sign up, but then they had a health event, did they get to go to the doctor during that 90 days because they had signed up and hadn't yet paid? >> yes. >> so, the system as it is today is an incredibly easily gamed system, if i understand correctly? 316 million americans could all sign up and get 90 days worth of free insurance and if nothing
2:37 pm
happens, there's no downside, they are just letting it lapse by not making a payment, is that right? you don't dun them, don't go after them, don't follow-up, don't sue them for the coverage they had but never paid for, did you? >> which i think is why it's important to know as of august, 7.3 million were still making their payments and were still continuing the insurance. >> 7.3 million people may have made small payments because they were highly subsidized or larger payments because they weren't. are you prepared to release those figures any time soon so we understand the 7.3 million, how many of them, if any, it will be some, were completely unsubsidized, how many were partially subsidized, how many were substantially subsidized? >> we will have that information and as soon as we have it, we will release it, but yes, we will be able to -- >> estimate when? >> i don't have an estimate but i'm happy to get that for you. >> okay. being an old businessman, i must admit that giving people 90 days
2:38 pm
free and no retrospective look to find out whether -- whether, in fact, they were maybe dually insuring, just signing up for a lark, to me means that your initial figures are of no value and people should be cynical and say we don't know how many people have signed up, but next year, starting november 15th, i'm presuming that if gao is going to estimate the signups, they are going to be able to only use that if you get 8 million again, they can assume that 7.3 is the net number, right? >> i think 7.3 is a really strong number and i would remind you that those individuals who sign up and get tax credits still have a reconciliation process next april, right? >> yeah, we're looking forward to that part to see if there's a clawback. my parting question, this committee held a hearing and on the issue of over $15 billion owed to the american people by
2:39 pm
the state of new york for excess payments in violation of the law, in violation of cms maximums, that falls under your watch. have you done anything to reclaim that $15 billion? >> yes, sir, we have. >> and have you gotten any of it back? >> we recently initiated that. i don't think we have gotten any of it back yet, but we sent the -- basically the request for recovery. >> you have made a -- you've made a request for recovery? >> we follow our normal process. >> do you have the authority to simply withhold, the way you would to a private entity? you know, if i'm a doctor and i overbill $15 billion or maybe some minor amount less than that, if i'm less hard working, the first thing you would do is cut off payments for services, right? you simply wouldn't send them a penny. you are sending millions or billions of dollars to new york every month, aren't you? >> so, i can brief you or your team on this in some detail.
2:40 pm
initially, what we would do, whether it's a doctor, an entity or whatever, we ask them how they would like to repay us and we -- >> i wish that were true. >> i think that's -- >> i've had too many health care entities who make it very clear, your people come in you make a determination, the moment you make a determination, they basically have to quit their practices and go into an appeal process and in the meantime, they are not receiving a penny. and you clawback. so, you want to state that in a way that the private sector people call me up and say how do you let her say that you give people lots of time and ask them how they would like to repay it? >> i think you know i was on a private sector side for quite a period of time and so if there is a question of overpayment, yes, cms will make you aware of an overpayment situation. >> and then clawback real fast? >> unless you want to pay them up front, in which case -- >> if you're able to write a $15 billion check, they won't deduct from the revenue. is new york prepared to give you a $15 billion check? >> i can't speak for new york.
2:41 pm
>> but right now, new york and perhaps others owe the american people money from excess payments and they are not being treated the way private sector is being treated. they are being treated a little bit with kid gloves. 15 billion's a lot of money. >> actually, we went through the first year and we made a request or demand for the money. so, and i'm happy to brief your staff on that. >> would the gentleman yield? >> of course. >> you have hit on an area that we have had a number of hearings already with regards to rac audits. and i'm -- i would implore you to treat new york the same way you're treating the constituents in my home state of north carolina. because very quickly, what you do is you put private companies out of business, because you deny the claim and you say, you either pay up or you go home. and if you're not gonna treat new york the same way you treat north carolina, i've got a real issue with it, ms. tavenner.
2:42 pm
>> so, we would treat north carolina the same way we would treat every other state. >> well, no, i'm talking about government versus private. i'm talking about private companies. >> i'm sorry, we would treat new york the same way we would treat anyone who owes us. new york, i just got this information from my staff, has appealed this decision, which is the same option that anyone has. >> right. and a private company, when they appeal, the answer is the same, pay up in five years or go out of business. >> i understand. >> i mean, the statute says 60 months, i know it very well. >> i know, we have treated states the same way we treat providers. >> all right. so they are going to have to pay up within 60 months, new york? >> i'm happy to get you information, i don't have it in front of me. >> i yield back. thank you. >> thank you both, go to the ranking member and i appreciate your staff's assistance because although it's an issue that you know is never going away before this committee, it wasn't the main subject for today. mr. cummings? >> i want to go back to the 7.3 million people who paid their premiums. and i guess around 700,000 who
2:43 pm
did not. there are all kinds of reasons, i guess, why people may not pay their premiums. a lot of people in our society are still struggling with all kinds of things. you talked about a reconciliation process, can you talk about that for a moment? >> the way that it works, individuals, the 90-day grace period is set up to have -- give individuals an opportunity to pay. at the same time, they start to receive tax credits. these tax credits are reconciled the next year on their income tax returns. if people have underpaid on their aptc, then they are likely to get a tax credit back. if they have -- meaning they have received a higher aptc than intended based on their income, they may owe the federal government money back and that's part of the partnership we have
2:44 pm
with irs. i don't think that the 700,000 -- in fact, i was very pleased to know we have payment levels of 90%. this is a brand-new program. this has never been done before. by the end of '14 look back on '14 we will understand the circumstances. i expect in some cases, they may have moved, they may have got married, they may have got insured, they may have lost their income and gone on medicaid or the uninsured ranks, we will only know that as we do a look back and we are careful not to look back too early. >> and these are not necessarily people trying to game the system. >> no, sir. >> i mean, i -- i see folks every day that they are still being informed as to what the affordable care act is all about. and trying to make it one -- one singer says working 9 to 5 just to stay alive. >> that's right. >> but in my district, sometimes it's working two jobs just to
2:45 pm
stay alive and so they are struggling, trying to manage all this information, trying to do the best they can to take care of their families and many of them going through some very difficult circumstances. >> that's right. >> all right. thank you very much. >> thank you. >> the gentleman from virginia, normally the first to arrive, we just finished round three and the close. would the gentleman have some questions? >> i think the chairman -- >> the gentleman is recognized. >> i was on the house foreign affairs committee with the secretary of state, forgive me for being late. >> i'm sure the questions there were provocative. so -- >> yes. welcome to the panel. mr. wilshusen, would it be unreasonable of us to suggest that no company, no government, no individual, should feel entirely secure and safe in the digital age?
2:46 pm
>> i would say for referring to use of online transactions on the internet and the like that there are certainly risks associated with that, just given the weaknesses and the nature of the internet as well as the competency and prevalence of hackers who might wish to exploit those weaknesses. >> the issue of securing public and private information systems, i assume is not something unique to the affordable care act? >> no, it's an issue for any computer system operated for -- by any agency, any organization. there's always a need to protect that information and certainly, as we mentioned earlier, within the federal government, gao has been identifying federal information security as a government-wide high-risk area since 1997. >> right, since 1997? >> yes, sir. >> two administrations ago?
2:47 pm
>> two administrations ago? >> probably. >> ms. tavenner, hello and welcome to our committee. >> thank you, sir. >> i think. it may not have been entirely a felicitous beginning to this hearing, but i welcome you and thank you for your work. but let me ask you a question, one of the things that we hear about the rollout of the website in retrospect is that the coordination of i.t. management is disparate, not always focused and perhaps seen as a technical issue while, you know, cms and the department of health and human services were focused on perhaps the bigger picture and the reforms getting in place and the pieces finally fitting into the mosaic and maybe this got short shrift and
2:48 pm
turned out to be the achilles' heel and the whole enterprise was at risk because of this failure, which was a technology issue. in looking back at it, what lessons did you learn as a manager and is there some validity to that critique, from your point of view? >> yes, sir, i think there's some validity to that critique and some of the lessons learned and changes that we've made, one for year two is we needed a systems integrator, we needed someone to help with a coordination, we need a clear point of accountability, we need better communication, and you're right, there was probably more time spent on the non-technical components and we didn't realize as the technology was as difficult as it was. those were lessons learned, i think we put changes in place, we are very, very happy with the
2:49 pm
number who signed up. we have -- year two is going to be an equally hard year, it won't be perfection, it will be greatly improved. and we are looking forward to finding some more uninsured and help folks get coverage. >> thank you for that candid response. final question, are you familiar with the bill that the chairman and i have co-authored called the federal information technology acquisition and reform act, a mouthful? >> a little bit, sir. but not completely. >> well, that bill tries to get at how the federal government manages i.t. procurement and acquisition and addresses how the federal government is managed. and i think it's based on the conclusion that it's not well managed and it's very inefficient and there are too many people with the titles cio and what could go wrong with
2:50 pm
that? the estimate is 20 of the $82 billion we spend on i.t. acquisition every year is at least inefficiently used, sometimes downright, is it gao's position we need i.t. updates and reforms to kind of update on clinger-cohen which was almost 20 years ago. and in technology, 20 years is light years. >> i focus on information security and privacy issues. we have others that -- >> but aren't -- >> i can get that answer to you -- >> that would be fine. but isn't information security related to how well we're managing our i.t. assets? >> oh, certainly. and certainly there is need for improvements in how i.t. is secured within the federal government. and by -- that's an implementation issue. and we're also on record that
2:51 pm
fisma that governs information security across the government could also be updated and modified. >> well, again, i believe this committee and the chairman ranking member and i have been involved in that, as well. but we -- the house has certainly tried to address that. and found bipartisan common ground on these issues. i urge you to look at the bill and see how it applies to your particular area. >> i will. >> i thank you, and mr. chairman, thank you for allowing a shameless plug for our legislation. one more time. >> well, in closing, it's not shameless, but it's a good plug. we'll try to do everything without having you back. and i think we're on the right track. this is a committee that does legislation on a very bipartisan basis in most cases and it doesn't get reported. and then we have oversight and perhaps it's not as bipartisan and it often does get reported.
2:52 pm
i do think today's hearing was worthwhile. i believe that hopefully mr. cummings and i both expect that there'll be a little bit more certainty as to the security that will come out of the website. cms is critical to the american people. your role has been expanded perhaps more with the affordable care act than any item before. and, mr. cummings often talks about the federal workforce and certainly about the good work that's being done. i want to close by saying that just because we give you a hard time over item after item, just because number of members asked about -- what about these billions of dollars given to states for their failed websites doesn't mean we think it's easy. just the opposite, we know it's hard, we want government to oversee itself. to the greatest extent possible.
2:53 pm
and it's the reason we do appreciate and support the gao, we do appreciate and support the inspectors general. and we try to be their, if you will, their supporters in order to get the kinds of certainty and when necessary reforms that are necessary. i want to thank you for being here today, i think this was an informative hearing. and with that, mr. cummings gives me a yes, we stand adjourned. president obama addressed the united nations general assembly this morning, and the hill posted this story online following the president's remarks. president obama called for the muslim world to reject the cancer of terrorism in a speech meant to build support for the u.s. campaign against the islamic state in iraq and syria or isis.
2:54 pm
it is time for the world, especially muslim communities to explicitly, forcefully and consistently reject the ideology of al qaeda and isil, obama said, using another acronym for isis. obama spoke hours after the latest u.s. strikes against islamic militant strikes in syria. president obama will be chairing the u.n. security council this afternoon as it meets to discuss foreign fighters traveling to the conflict zones and joining terrorist organizations. live coverage of the security council scheduled to start at 3:00 p.m. eastern time just a few minutes from now on c-span. economists with the centers for medicare and medicaid services held a briefing recently on their health spending projections and estimating growth to remain slow at 3.6% for 2013 as a result of factors including the pace of the economic recovery. they also say spending will increase in coming years due to
2:55 pm
the health care law's coverage expansions, faster economic growth and increases in population aging due to the baby boom generation. the journal "health affairs" organized this event. >> good morning. i'm the editor in chief of "health affairs" for the journal at the intersection of policy and health care. as you know and the reason you're here is that with all that's going on in health policy today, there's great interest in many aspects of what's changing in our health care system, but much of that interest has to do with spending. the total levels, the composition, who's paying, what they're paying for. and in that context, i'm pleased to continue an annual tradition at health affairs of publishing the national health projections prepared by the office of the
2:56 pm
actuary. they're going to be presenting a paper that we are releasing today. it's under embargo until 4:00 p.m. and you also have a cd with the graphic information that you can use along with the materials in the paper. you're going to hear today from representatives of the office of the actuary, andrea sisko, an economist at cms will kick us off. a senior economist in the national health statistics group in the office of the actuary will follow. the deputy director of the national health statistics group in the office of the actuary. will be fielding the questions you may have. this is the product of a team and a tremendous amount of effort goes into these projections. they're of great value to policy makers and it's my pleasure to turn to andrea to begin the presentation of information.
2:57 pm
>> thank you very much, alan. thank you for your interest in our work. and before i get started, i'd like to take an opportunity to thank health affairs for all of their work and their help in helping us to prepare this publication and also for planning today's event. and i'd also like to take an opportunity to recognize and thank all of the folks in the office of the actuary who contributed to this report. many of whom are here in the audience today. so thank you all very much, as well. and now for what you've all been waiting for. i'll begin with an overview of our major findings. health spending growth in 2013 is expected to remain slow at
2:58 pm
3.6%. and this would be the fifth consecutive year of growth under 4%. the slow projected rate of growth is due to the sluggish economic recovery, lower payment rate growth for medicare due to sequestration and the affordable care act, as well as continued slow growth in the utilization of medicare services. as well as continued increases in private health insurance cost sharing requirements, including continued increases in the adoption of high deductible health plans. over the remainder of the projection period, the aca coverage expansions, faster economic growth and population aging are expected to contribute to faster projected health spending growth. and in particular for 2014, we project a growth rate of 5.6%. and for 2015 through 2023, 6% per year on average. and although health spending growth is projected to pick up over the projection period, as i
2:59 pm
just mentioned, the average rate of growth is slower than experienced over the last two decades. over the full projection period, health spending growth is projected to grow 5.7% per year on average and outpace economic growth by 1.1 percentage points on average. and as a result, the health share of gross domestic product is expected to rise to 19.3% by 2023. and before we get further into our results, i'd like to provide a bit more background in context for our projections and touch briefly on a few key points. our projections are developed using actuarial techniques and we produce by service and good, payer and sponsor in accordance with the national health expenditure accounts, classification and methodology.
3:00 pm
specific spending and enrollment impacts of the affordable care act, particularly the coverage expansions, plus some selected additional provisions were estimated using the most recent and updated version of the office of the actuary health reform model. and finally, the projections are produced in a manner consistent with the projected baseline scenario of the 2014 medicare trustees report. and namely that medicare physician fee schedule rates are projected to grow 0% in 2015 and .6% per year on average for 2016 through '23. as opposed to the scheduled growth set forth by the sustainable growth rate formula and current law. and that includes a reduction of about 21% on april 1st of 2015. and if you would like any further information about our model methodology, please see end note one. and the updated version that applies to this set of
