CMS to Appoint Chief Risk Officer

One of 3 Steps to Address Woes

The Centers for Medicare and Medicaid Services will create the new position of chief risk officer to assess risk management practices across the agency, with an initial focus on the troubled website.

The creation of the new position is one of three major steps that Department of Health and Human Services Secretary Kathleen Sebelius is taking to improve and prevent "the structural and managerial policies that led to the flawed launch of" from re-occurring, she wrote in a Dec. 11 blog.

Sebelius also is asking the HHS inspector general to review the contractor performance and program management structure that resulted in the flawed launch of the website. And she's asking CMS to enhance employee training related to best practices for contractor and procurement management, rules and procedures.

The website and systems support federally facilitated insurance exchanges of 36 states that chose not to independently operate online insurance marketplaces under the Affordable Care Act, more commonly known as Obamacare.

In addition to the many technical woes that initially affected the accessibility and functionality of, members of Congress and others criticized the lack of an end-to-end security analysis and test before its Oct. 1 launch (see: IT Experts Answer Obamacare Questions).

Managing Risks

HHS did not respond to an Information Security Media Group request for more details about the three actions Sebelius is taking. While Sebelius did not reveal many details about the exact responsibilities of the new chief risk officer, that new position could have an impact on privacy and security risks of and other important CMS initiatives.

"We have too little information on what the responsibilities of the new chief risk officer will be to say definitively whether or not this is a good idea," says Deven McGraw, director of the health privacy project at the Center of Democracy & Technology, an advocacy group.

"In some circumstances, the chief risk officer, or chief risk management officer, is in charge of assuring information security across the enterprise," notes McGraw, who is also chair of the Privacy and Security Tiger Team that advises the Office of the National Coordinator for Health IT, an HHS unit. "If this will be a function of the new chief risk officer, we welcome the appointment."

McGraw adds: "Assuring consistent privacy and security policies across all CMS programs is something we have been urging for years. Frankly, we've urged that consistent approaches to privacy and security be deployed across all of HHS' programs, not just CMS - but this would be a good start."

Mitigating Risks

The full-time chief risk officer will work on mitigating risks across all CMS programs, Sebelius says. "The chief risk officer will ... assess risk management practices associated with major agency initiatives," she says. "This individual will lead efforts to prepare mitigation strategies to minimize those risks, and will develop metrics to measure the effectiveness of those strategies."

The chief risk officer's first assignment will be to review risk management practices for IT acquisition and contracting, "starting with identifying the risk factors that impeded the successful launch of the website," Sebelius says. "I will ask this individual to report back to me in 60 days with recommendations for strategies to mitigate risks in future large-scale, CMS contracting and IT acquisition projects."

The significance of the new position depends on how much power the chief risk officer has to not only identify risks but actually take action, especially with, says Kev Coleman, who heads research and data at HealthPocket Inc., a technology and research firm that ranks health plans.

"The position is only meaningful if the officer has the authority, regardless of political consequences, to suspend the release of new code or temporarily discontinue visitor access to one or more portions of," he says. "The security vulnerabilities attendant to the release of were not a result of the absence of a chief risk officer but, rather, the result of internal decisions made with the full knowledge of incomplete security analysis and testing on the web site."

Review of Obamacare Launch

Sebelius also has asked HHS' Inspector General Dan Levinson to review the troubled development of

"We need a thorough review of the contractor performance and program management structure that resulted in the flawed launch of the website," Sebelius says. "I am asking the inspector general to review the acquisition process, overall program management, and contractor performance and payment issues related to the development and management of the website. We will take action to address the inspector general's findings."

McGraw, the consumer advocate, says the OIG investigation is merited. "The administration cannot go back and undo the damage that was done with the botched launch - but a full, independent, objective analysis of what went wrong, and the opportunity to learn from the mistakes that were made, is critical," she says.

Employee Training

Sebelius says CMS also will update and expand its employee training on best practices for contractor and procurement management, rules and procedures.

"We will expand the scope and content of employee training to ensure that all CMS employees are getting the most extensive and up-to-date guidance - on a regular basis - for managing projects undertaken through contractors, including best practices for internal communications and processes," she says.

"We anticipate that successful risk prevention and mitigation strategies, as well as training updates, will be shared across all HHS agencies."

Obamacare Update

In a separate statement on Dec. 11, HHS disclosed that nearly 365,000 individuals had selected health plans through the state and federal insurance marketplaces by the end of November.

"November alone added more than a quarter million enrollees in state and federal marketplaces. Enrollment in the federal marketplace in November was more than four times greater than October's reported federal enrollment number," according to the statement.

Since Oct. 1, 1.9 million individuals completed the eligibility process by applying and receiving an eligibility determination, but have not yet selected a plan, according to the statement. Also, 803,000 were determined to be eligible for Medicaid or the Children's Health Insurance Program.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
