The Department of Health and Human Services inspector general isn’t letting a good disaster go to waste.
The IG is highlighting how HHS and the Centers for Medicare and Medicaid Services have rebounded since the 2013 HealthCare.gov website rollout debacle.
Ruth Ann Dorrill, the deputy regional inspector general for the HHS’ Office of Evaluation and Inspections, said the goal of the recent report is not to cover well-worn ground of what went wrong. Rather, she said, it’s to give agencies some insights into what they can do to avoid similar disasters.
“The report has a number of contributing factors and then 10 lessons learned from the experience,” Dorrill said in an interview with Federal News Radio. “Based on where CMS is now, the most important ones — I would select three — the first is a continually assessment and learning process followed by a quick action to change course. One of the big problems was the build up to the first open enrollment period was a lack of clear leadership to make decisions and change when things weren’t working. They became dependent on the initial path and weren’t continually learning and assessing from their experiences to be able to alter that as things deteriorated.”
Insight by Galvanize: During this webinar Marianne Roth, the chief risk officer of the Consumer Financial Protection Bureau, will provide a deep dive into enterprise risk management at CFPB. Additionally, Dan Zitting, the CEO of Galvanize, will discuss how making better use of data and technology can help federal agencies more rapidly allow decision makers address and mitigate risks.
The second lesson Dorrill highlighted was what CMS and HHS did after the failed launch in October 2013 — the development of a badgeless culture.
“CMS and contractors grouped together and worked more seamlessly than they had before,” she said. “The CMS staff and contractors — there were 55 contractors on this build in one way or another— worked more closely together as single team without regard of who they were employed by or even what their title was.”
The third area was another tactic used after the site was fixed. Dorrill said CMS and HHS employed a practice of “ruthless prioritization” to better align the work efforts with achievable goals.
“What happens in implementing policy many times is you have a very ambitious schedule and you move forward to try to meet those objectives without a clear recognition of what it takes to implement and the resources are available,” she said. “So that prioritization process allowed CMS to move forward with the most key pieces, and then has caused them to continue to improve the build over the next two enrollment periods.”
Dorrill said this is the first time the OIG has done an after-action review of a program to see what lessons could be learned for future initiatives.
The HHS OIG breaks down the report into three main sections. The first looks at the build up to the launch of the site in October 2013, focusing chronologically on the missteps HHS, CMS and the rest of the government took.
Section two reviews what HHS and CMS have done since October 2013 to improve organizational oversight, technology and the management of industry partners.
Finally, the OIG called on CMS to continue to take advantage of the lessons learned and improve the federal marketplace.
“We felt like the highly publicized launch posed a good opportunity for us to look and turn the lens on the management itself and the operating division and look more closely at how government works and how projects can fail or succeed,” Dorrill said. “It had all of the elements of complicating policy implementation, political context, it was a new program, differing visions for how the program would look, technical complexities, a fixed deadline and uncertainty in funding. So we felt it was a particularly good example to illustrate challenges and how they can be overcome.”
|10 lessons learned from the HealthCare.gov rollout|
In fact, the Government Accountability Office released a new report on March 23 looking at the cybersecurity of the portal.
GAO found the HealthCare.gov website is holding up well against an onslaught of cyber attacks. The GAO reported that over a 17-month period, hackers were unsuccessful in penetrating the health care portal in 315 reported security incidents. Auditors say the majority of these incidents involved such things as electronic probing of CMS systems by potential attackers. GAO says this didn’t lead to a compromise of any systems, or the physical or electronic mailing of sensitive information to an incorrect recipient.
Auditors made several recommendations including improving administrator access to the data hub systems, more consistent approach to applying software patches and better and more consistent configuration of the administrative network.
Dorrill said the difference with this report, on which work started in spring 2014 and included more than 80 interviews with CMS and HHS officials, contractors and other stakeholders, was the end goal. It was not to highlight problems but help agencies look forward.
Dorrill said one important lesson for any agency is to have clear project leadership.
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app
“In the case of the federal marketplace project, depending on who you spoke with at CMS, they thought a different division was in charge, either the technical people or the policy people or the maybe the overall CMS administrator,” she said. “It’s easy to see how that happened with a big project spread across a large bureaucracy that you would have shared ownership as opposed to a single leader who could make quick decisions and pull together all of the resources into a single vision and mission.”
CMS ultimately assigned an marketplace CEO and that seems to be working, Dorrill said.
Another important lesson is ensuring employees know they have the responsibility and are accountable for identifying and communicating problems. Dorrill said this is a common problem in public sector management.
“No one thinks it’s their responsibility to raise problems, or if they do, they think the problem will be attributed to them,” she said. “The issue of avoiding bad news or bad reports and hoping for the best had a couple of factors. One was that not only did CMS staff not want to communicate when things were going poorly, but they thought if they released something that wasn’t optimal, they’d have an opportunity to fix it later. It was this lack of commitment to a quality delivery so there wasn’t a sense they needed to raise bad news because they will have time to fix it and it will ultimately work out.”
A third common challenge is the need to better integrate technology and policy. Dorrill said making policy people aware of the technological complexity will go a long way toward making the projects work better and come in on time.
Dorrill said going forward CMS needs to ensure it retains these good practices and shares them across programs.
“CMS has developed new policies that will better marry policy and technology, for example,” she said. “Another thing that will continue too is the hiring of a systems integrator, a contractor who comes in to manage the workflow of the technology. That is something CMS hadn’t done before and I doubt they will ever abandon that again.”