NEW YORK (Reuters) – The federal government is months behind in testing data security for the main pillar of Obamacare: allowing Americans to buy health insurance on state exchanges due to open by Oct. 1.

The missed deadlines have pushed the government's decision on whether information technology security is up to snuff to exactly one day before that crucial date, the Department of Health and Human Services' inspector general said in a report.

As a result, experts say, the exchanges might open with security flaws or, possibly but less likely, be delayed.

“They've removed their margin for error,” said Deven McGraw, director of the health privacy project at the non-profit Center for Democracy & Technology. “There is huge pressure to get (the exchanges) up and running on time, but if there is a security incident they are done. It would be a complete disaster from a PR viewpoint.”

The most likely serious security breach would be identity theft, in which a hacker steals the social security numbers and other information people provide when signing up for insurance.

The inspector general's report, released without fanfare last Friday, found that the Centers for Medicare & Medicaid Services or CMS – the agency within HHS that is running Obamacare – had set a May 13 deadline for its contractor to deliver a plan to test the security of the crucial information technology component.

A test was to have been performed between June 3 and 7. But the delivery deadline slipped and the test – assessing firewalls and other security elements – is now set for this week and next.

“CMS,” concludes the inspector general's report, “is working with very tight deadlines.”

The delays mean that the ruling by CMS's chief information officer certifying the Obamacare IT system as secure will be pushed back from Sept. 4 to Sept. 30, a day before enrollment under the Patient Protection and Affordable Care Act, the law that established Obamacare, is supposed to start.

“Several critical tasks remain to be completed in a short period of time,” the report concluded.

Any additional delays could mean CMS would not have the information it needs to authorize use of the system by Oct. 1, the inspector general found.

CMS spokesman Brian Cook said the agency is confident the Obamacare exchanges will open on time. “We are on schedule and will be ready for the marketplaces to open on Oct. 1,” he said.

IDENTITY THEFT?


When people try to enroll in health insurance starting on Oct. 1 for insurance plans taking effect in 2014, their identity, income and other information they furnish with their application will be funneled through a federal “data hub.”

The hub is like a traffic circle for data. It does not itself store information, but instead has digital spokes connecting to the Internal Revenue Service and other agencies that will allow it to verify information people provide. Opponents of Obamacare have repeatedly raised concerns that sensitive personal information could be stolen.

Before the hub or any other federal information system can open, a 2002 law requires that it obtain a “security authorization package,” which is essentially the roadmap for keeping out hackers and preventing security breaches.

The first component of the package provides an overview of the system's security requirements and describes the controls the contractor has installed. It covers access controls and authentication, for instance, so that hackers cannot ping the hub and access IRS data.

A second component is a risk assessment that identifies vulnerabilities and determines the probability of a data breach.

The final component is an assessment by an independent testing organization that proper security controls have been implemented correctly, are operating as intended, and are meeting security requirements.

“CMS has extensive experience building and operating information technology systems that handle sensitive data” as a result of its experience with Medicare and Medicaid, the agency said in a statement.

Despite the tight IT deadlines Obamacare faces, the 2002 federal law on information security might provide an important loophole. The requirement that CMS's chief information officer make a “security authorization” decision does not mean the CIO has to conclude that the data hub is impregnable. He can decide that, despite identified security risks, the hub can operate.

Health privacy expert McGraw said “the worst case scenario” of not meeting the IT security deadline is that the government will not be able to bring the data hub online on Oct. 1. In that case, people will be able to apply for insurance starting on that date but will not be told if they have been accepted or whether they are eligible for government subsidies to pay their premiums.
