Nonprofit, nonpartisan journalism. Supported by readers.


Next week’s MNsure launch depends on passing security test

Internal documents show continuing concerns. If serious security flaws are identified during the final check, the project will be grounded until they’re fixed.

“We will not be going live if there’s a smoking gun or risk to security,” said exchange executive director April Todd-Malmlov, who appeared along with MN.IT's Chief Information Security Officer Chris Buse before MNsure's governing board last week.
MinnPost photo by James Nord

MNsure won’t come online in a week if there’s a “smoking gun” or serious security risk to the system, health insurance exchange officials assured lawmakers on Tuesday.

New internal documents obtained by MinnPost continue to show a wide range of concerns, particularly over potential security issues — an area given even lower grades last week in agency reports. They include worries about “an abnormally high risk of a data breach” during the exchange’s first six months — a concern that was given the exchange’s highest risk level.

In recent days, the project’s leaders have been lowering expectations for its rollout on Oct. 1 while also attempting to reassure lawmakers and the public that the exchange will be a secure place for their private data. It’s a departure from the excitement surrounding the exchange when Democrats passed it into law earlier this year.

Article continues after advertisement

“We view security very strongly — as well as the functionality that we’ll be able to provide,” April Todd-Malmlov, executive director of MNsure, told the group of legislators overseeing the exchange. “We will not be going live if there’s a smoking gun or risk to security.”

MNsure officials in recent days have advised the public not to rush to get coverage when the exchange goes live on Oct. 1.

In recent weeks, exchange officials have faced criticism on several fronts, including concerns about security issues, community outreach efforts and the overall question of whether consumers will be able to get the help they need.

Republican legislators have been particularly relentless in criticizing startup efforts, even if it’s not imperative that the exchange work perfectly on the first day.

“People are nervous about this. People are nervous about their data. People are nervous about this going forward,” GOP Rep. Joe Hoppe, one of the members of the oversight committee, said at Tuesday’s meeting.

“We are not leaving the people of the state of Minnesota with a very good feeling about how this is going to work. … People are unsure about MNsure.”

The health exchange — an online marketplace where consumers and small businesses can compare and shop for insurance coverage — will undergo a final security walkthrough before next week. If serious security flaws are identified, the project will be grounded until they’re fixed, officials said. The security issue has drawn fire from Republicans and exchange opponents since an email data breach earlier this month.

Internal MNsure documents obtained by MinnPost show critically important areas where the exchange’s security systems could be at risk — and detail the likelihood of certain scenarios once the exchange launches.

Health exchange officials, however, say the issues are under control.

MN.IT, the state’s information technology agency, will conduct MNsure’s pre-flight check and provide ongoing security support for the exchange. Many of the concerns listed in the documents are ongoing and won’t disappear after the system is fully live.

Todd-Malmlov has clearly distinguished the Sept. 12 information leak, which involved an improper email, and potential security risks in the exchange’s IT systems identified in internal documents. She also made that distinction to legislators on Tuesday and MNsure’s governing board last week.

According to multi-agency documents from Sept. 19, MNsure staff has identified potential serious risks to the system’s security. Exchange leaders say that there are plans in place to address the risks and that such threat assessments are standard practice for a project like this.

MNsure uses a calculation to determine the “likelihood of occurrence” and the “gravity of impact” of potential risks, MNsure General Counsel Mike Turpin said in an interview. The two factors are rated on a scale of one through five and multiplied, with a 25 score representing the highest risk.

A 25 rank would be “something that is highly possible … or this will be something that could happen,” Turpin explained. “It would be a critical matter.”

Risk scenarios detailed

These are among the most severe scenarios identified in the documents:

• “An abnormally high risk of a data breach during the first six months of a new system.” Score: 25

• “A risk that staff and users will not be trained on data privacy and security for the system, resulting in a heightened risk of data privacy violations.” Score: 20

• “A risk that user accounts will not be defined in a way that takes into consideration minimal necessary access, resulting in a heightened risk of data privacy violations, undetected errors, fraud and ethical violations.” Score: 20

• “A risk that participants completing online applications on public computers (e.g., at the library) will leave behind personally identifiable information on those public computers, resulting in an increased risk for identity theft.” Score 16

• “A risk that the security requirements … are not implemented by 10/1, resulting in audit findings and other penalties from CMS [Centers for Medicare and Medicaid Services] and the IRS, potentially affecting MNsure’s ability to connect to the federal hub and state tax data.” Score 15

Board members on Friday asked Todd-Malmlov and others to explain the status of MNsure’s IT security checks. They referred to a recent MinnPost article, which reported on internal documents that said the exchange project is “at risk” to go live on Oct. 1. They asked whether the security protocols were in a similar position.

Security issues were given the highest level of concern last week, raised to “at risk” — the same level as the project as a whole, according to the latest internal documents.

Turpin said the risks were established during a standard MNsure brainstorming session to identify areas to watch. Todd-Malmlov stressed that the risks defined in the documents represent only possible outcomes.

“This document is a risk barometer, but it’s not an evaluation of where the system is,” she said.

“It is not saying, ‘This is what is happening,’” Turpin added. ‘It is a potentiality.”

Chris Buse, assistant commissioner and chief information security officer in the state’s IT agency, told lawmakers that MNsure’s security would be the strongest system in state government.

But Buse was unable to say whether there would be any serious issues getting the system online.

“At this point in time, we don’t see a list of those showstopper issues from a security perspective,” Buse said in response to questioning from committee DFL Rep. Joe Atkins, a leader on the exchange issue. “But until the final review is done, I’m reluctant to give an answer that we’re good to go at this point.”

Turpin also said that the exchange had plans in place to address the risks outlined in the documents.

MinnPost requested a copy of those plans. Exchange staff provided a sample document that included descriptions of how three of the scenarios would be addressed.

Turpin outlined some of the security controls that the exchange has in place, including media storage protection controls, key-card building access and a sign-in sheet. He said the exchange couldn’t disclose certain security procedures because they aren’t public data.

According to the documents, the exchange has completed reviews of security controls, implemented training and created a plan in the event of data breaches or unauthorized disclosures, among other procedures, to manage the “abnormally high risk” of a data breach in the first six months of the system.

In order to combat ethical violations, fraud and data privacy violations from system users, the exchange worked with vendors to limit user access, implemented data privacy training and created an audit trail log to detect “inappropriate” data access.

Lack of training cited

The MNsure documents show that lack of training is also a significant risk.

To combat the risk that “staff and users will not be trained on data privacy and security for the system, resulting in a heightened risk of data privacy violations,” the exchange plan calls for mandatory training for state and county employees and navigators and brokers, removal of system access if training isn’t completed, as well as audit logs and user access restriction.

Training of MNsure and state employees is meant to stop events like the Sept. 12 data breach from occurring.

Todd-Malmlov said exchange staff and consultants go through “writ large” security training, which is the same as that used in the Department of Human Services. That training would have covered issues related to the private information release.

Roughly 95 percent of staff and consultants have passed that training, according to summary data that the exchange provided MinnPost.

“This includes 240 staff and consultants, some of whom are new hires this week and some of whom do not have access to private data. Two hundred and twenty nine individuals have completed and passed both of the mandatory privacy and security training courses,” MNsure spokeswoman Jenni Bowring-McDonough wrote in an email last Friday.

“We track our staff training on an ongoing basis,” she added. “Those employees who have not taken the training are reminded repeatedly. Ultimately, those employees who do not complete the training have their work computer access cut off completely until the training is completed.”

It’s unclear from the information provided if the staffer who released the private data had undergone the training. That employee no longer works at MNsure, Todd-Malmlov told lawmakers on Tuesday, and multiple investigations into the breach are pending.

The IT security training, which Todd-Malmlov said all staffers would have to complete before gaining access to the MNsure system, is totally separate from the data breach, she reiterated.

But Todd-Malmlov acknowledged there would be some difficulties. Staff members have less than a week to complete the training. “Training on that system is a risk because of the shortened timeframe [before Oct. 1],” she said in an interview.

County workers must also be trained on security and how to use the system. The deadline to complete the security training to get access to MNsure was last Friday, DHS spokesman Jeremy Drucker wrote in an e-mail.

He couldn’t specify how many county workers, who are on the front lines for public program enrollment, had completed the training.

But some county officials have expressed concern with the training timeline and the lack of information coming from MNsure. Rhonda Sivarajah, an Anoka County commissioner and GOP candidate for the U.S. House, said she has heard from county staff that there hasn’t been much training.

She said county workers haven’t yet seen the system in action that they will use to input client information.

“It’s very serious. When the state of Minnesota is running commercials and advertising for people to begin applying on Oct. 1, it’s very concerning that the system may not be ready,” she said.

“Ultimately, people are going to be coming to the county for help and we’re not going to be able to assist because we haven’t been able to necessarily given the tools to do that.”

Alycia Riedl, president of the Minnesota Association of Health Underwriters, said insurance brokers and agents also are concerned because the final piece of training required to access the system hasn’t been released yet.

“We’re anticipating that it’ll be out sometime this week,” she said. “I can tell you it’s causing a lot of frustration and anxiety among brokers and agents.”

Concerns for consumers

Sivarajah said her staff also has heard concerns from a local community organization that is supposed to assist people in getting coverage.

Both she and Riedl said the delayed training for navigators was perhaps the most serious concern for consumers.

Sivarajah said she’s worried that the Anoka County Community Action Program navigators won’t have time to complete the 14 to 20 hours of required training before the end of this week.

“I think that they are proceeding with this at a pace that is much too rapid, and as a result, I’m concerned that it’s going to be the public that suffers,” she said.

Riedl also said she expected a significant number of brokers not to be trained by next week.

Todd-Malmlov, the exchange director, said she’s confident there will be enough in-person help across the state to adequately serve Minnesotans beginning on Oct. 1.

A Sept. 19 exchange document listed that as a risk. If brokers and navigators aren’t fully trained, “all calls will end up at the call center, overwhelming the call center, and users will be dissatisfied,” according to the weekly status report.

But Todd-Malmlov said she doesn’t expect exchange enrollment to be huge the first few days.

Asked if there would be some enrollment on the first day, Todd-Malmlov said with a laugh, “I hope so. We’re going to have a lot of lookers. I don’t think a lot of takers right away. … We’re not anticipating that there will be a lot of enrollment the first few weeks.”