CALPIRG Education Fund
With the passage of the federal Patient Protection and Affordable Care Act (ACA), Californians will soon enjoy unprecedented access to affordable health insurance. Once fully implemented in 2014, 92 percent of non-Medicare eligible Californians will enjoy health care coverage provided either by their employer, the new Covered California run health insurance exchange market, or public benefit programs such as Medi-Cal. 
Last year Covered California established the California Health care Eligibility, Enrollment and Retention System (“CalHEERS”) to provide Californians with easy access to the health care solutions. The California Public Interest Research Group (CALPIRG) Education Fund is pleased to be able to provide recommendations on best practices and standards for the development and implementation of strong physical, technical and administrative security safeguards for the CalHEERS data ecosystem.
Key to the success of CalHEERS is the element of trust. Simply put, Californians must have confidence that their personal information will be safe, accurate, and used responsibly within CalHEERS. For its part, CalHEERS must be able to rely on the authentication of the individual with which they are engaging and the data they provide in order to offer accurate health care coverage solutions.
This report sets to highlight and address relevant data security and integrity concerns relevant to CalHEERS, and provide a framework for both protecting consumers and supporting the success of Covered California. CALPIRG Education Fund recognizes that Covered California has already addressed several data security and integrity concerns involving CalHEERS. Yet the fact that 30% of data breaches in the U.S. targeted government and health care service providers during 2012 adds urgency to identifying threats and implementing robust policies that secure user data. This report lays out proactive measures that Covered California should take to protect and secure sensitive consumer data within the CalHEERS data ecosystem.
Building on strong security protections found in the Health Information Portability and Accountability Act (HIPAA) Security Rule, and the Fair Information Practice Principles (FIPs), this report provides guidance for protecting against, assessing and addressing risks to data security and integrity, while encouraging a robust cyber-security culture.
As the design and implementation of CalHEERS moves forward, we have the opportunity to build in data security mechanisms and procedures, rather than bolting them on later to an existing design or realized system. Various technical solutions exist to address specific issues outlined in this report. We do not in this report recommend a specific technology or mechanism. Instead, the report seeks to provide technology neutral guidelines and key principles Covered California should take into consideration as they move forward with CalHEERS development.
These include, but are not limited to, the following guiding principles:
Trust: Californian consumers should be able to trust that their personal information will be safe, secure, used responsibly, exposed only to those specifically authorized to access the data, and stored and retrievable under strong security mechanisms. Policies and procedures, as detailed below, should be put in place so that consumers have the confidence and trust in CalHEERS necessary to ensure its success.
Accuracy & Reliability of Data: CalHEERS should take reasonable steps to assure data integrity by implementing policies and procedures that protect information from improper alteration or destruction. Preventing those who do not have access to sensitive data from accessing it, limiting the degree of access to sensitive data for those who do require it, and monitoring user behavior to identify and prevent inappropriate access or modification of sensitive data are all key to maintaining data security and integrity.
Restrictive: The collection of data should be minimal in scope, servicing only the direct needs for which data is collected. Access to collected information must also be minimal, following the principal of “need to know”. Both elements are important to avoid the misuse or abuse of sensitive personal information.
Accountability: Whether intentionally or not, system users can put the information held by CalHEERS at risk. Data managers should be able to conduct audits to accurately detail who accesses information, what actions they are taking, from which locations the system is accessed, and at what times. This is crucial to preventing, minimizing, and addressing potential data breaches.
Key Policy Recommendations
Our report makes the following policy recommendations:
- Data incident plans: CalHEERS should put into place data incident plans, to ensure a rapid and effective response in the event a data breach or other data incident does occur. Such a plan will include a check list of required actions staff can immediately take in order to prevent further damage to the system, contain threats, and preserve existing forensic evidence.
- Protecting data security and integrity: We recommend two key policies for the CalHEERS ecosystem. First is Role Based Access – i.e. preventing those who do not require access to sensitive data from getting it while limiting the degree of access to sensitive data for those who do require it. Second, we recommend monitoring user behavior to identify and prevent inappropriate access or modification of sensitive data.
- CalHEERS ID number: In order to prevent social security numbers from being used as CalHEERS identifiers, we recommend creating a unique CalHEERS identifier (ID number) assigned to each individual consumer after an initial sign-up process. This new CalHEERS ID number will be linked to each individual’s profile, but will not display any of their personal identifiable information. The number could migrate from CalHEERS to relevant insurance provider, and could then be used to track and monitor each consumer’s history throughout the CalHEERS system without putting at risk sensitive user information.
- Two-stage authentication: When users first registeronto the online CalHEERS system, consumers should be authenticated through a two-stage authentication system. This means that in addition to their login ID and password, users will be asked to provide an additional verification code, sent via SMS or email to a device that only they can access.
- Staff oversight:To ensure that all staff and assister activity is monitored and controlled for consumer protection:
- Assisters and CalHEERS staff must be assigned unique individual credentials with specific and limited roll-based permissions that can be audited to monitor actions throughout the system.
- Detailed logs regarding Assisters and other CalHEERS staff activity must be created and retained. Auditors must be able to recognize when an assister has acted on behalf of a consumer, and what actions the Assister has taken.
- Exiting staff profiles must be deleted from the system to prevent unauthorized access.
- Two-stage verification must be required for Assister and staff sign-in.
- Instruction on security and data protection policies must be included in the training of Assisters and other CalHEERS staff.
 Most non-elderly Californians covered under ACA, UCLA Center for Health Policy Research, June 2012. Accessed online at http://www.universityofcalifornia.edu/news/article/27857
 California Healthcare Eligibility, Enrollment & Retention System (CalHEERS) Questions and Answers about the Intent to Award May 31, 2012, California Health Benefit Exchange. Accessed online at: http://www.healthexchange.ca.gov/Documents/CHBE-CalHEERS_Intent_Q-A_05_3…
 In particular, CALPIRG Education Fund notes the CalHEERS Development and Operations Services – Solicitation #
Technical Requirements & Solicitation HBEX4 – Request for CalHEERS Development and Operations Services (January 26, 2012) which acknowledge some of the issues raised in this report.
 The Open Security Foundation, DataLossDB, accessed online January 2013at: http://datalossdb.org/statistics?utf8=%E2%9C%93&timeframe=last_year
 Specifically, the HIPAA Security Rule, 45 CFR Section 164.300–164.318.
 A 1973 U.S. Federal Trade Commission’s report established the Fair Information Practices – a.k.a “FIPs” or “Principles”- which deal with the accuracy, transparency and uses of information. Use of personal information, no matter the medium or purpose for which it is collected, should be guided by the FIP principles.
 While much of an organization’s focus is put on external threats, research has found that up to 26% of breaches and data loss incidents were a result of internal losses. See Open Security Foundation, DataLossDB, accessed online January 2013at: http://datalossdb.org/statistics?utf8=%E2%9C%93&timeframe=last_year