CMS to Appoint Chief Risk Officer

One of 3 Steps to Address HealthCare.gov Woes

Kathleen Sebelius

The Centers for Medicare and Medicaid Services will create the new position of chief risk officer to assess risk management practices across the agency, with an initial focus on the troubled HealthCare.gov website.

The creation of the new position is one of three major steps that Department of Health and Human Services Secretary Kathleen Sebelius is taking to improve HealthCare.gov and prevent "the structural and managerial policies that led to the flawed launch of HealthCare.gov" from re-occurring, she wrote in a Dec. 11 blog.

Sebelius also is asking the HHS inspector general to review the contractor performance and program management structure that resulted in the flawed launch of the HealthCare.gov website. And she's asking CMS to enhance employee training related to best practices for contractor and procurement management, rules and procedures.

The HealthCare.gov website and systems support federally facilitated insurance exchanges of 36 states that chose not to independently operate online insurance marketplaces under the Affordable Care Act, more commonly known as Obamacare.

In addition to the many technical woes that initially affected the accessibility and functionality of HealthCare.gov, members of Congress and others criticized the lack of an end-to-end security analysis and test before its Oct. 1 launch (see: IT Experts Answer Obamacare Questions).

Managing Risks

HHS did not respond to an Information Security Media Group request for more details about the three actions Sebelius is taking. While Sebelius did not reveal many details about the exact responsibilities of the new chief risk officer, the position could have an impact on the privacy and security risks of HealthCare.gov and other important CMS initiatives.

"We have too little information on what the responsibilities of the new chief risk officer will be to say definitively whether or not this is a good idea," says Deven McGraw, director of the health privacy project at the Center of Democracy & Technology, an advocacy group.

"In some circumstances, the chief risk officer, or chief risk management officer, is in charge of assuring information security across the enterprise," notes McGraw, who is also chair of the Privacy and Security Tiger Team that advises the Office of the National Coordinator for Health IT, an HHS unit. "If this will be a function of the new chief risk officer, we welcome the appointment."

McGraw adds: "Assuring consistent privacy and security policies across all CMS programs is something we have been urging for years. Frankly, we've urged that consistent approaches to privacy and security be deployed across all of HHS' programs, not just CMS - but this would be a good start."

Mitigating Risks

The full-time chief risk officer will work on mitigating risks across all CMS programs, Sebelius says. "The chief risk officer will ... assess risk management practices associated with major agency initiatives," she says. "This individual will lead efforts to prepare mitigation strategies to minimize those risks, and will develop metrics to measure the effectiveness of those strategies."

The chief risk officer's first assignment will be to review risk management practices for IT acquisition and contracting, "starting with identifying the risk factors that impeded the successful launch of the HealthCare.gov website," Sebelius says. "I will ask this individual to report back to me in 60 days with recommendations for strategies to mitigate risks in future large-scale, CMS contracting and IT acquisition projects."

The significance of the new position depends on how much power the chief risk officer has to not only identify risks but actually take action, especially with HealthCare.gov, says Kev Coleman, who heads research and data at HealthPocket Inc., a technology and research firm that ranks health plans.