After examining the security and privacy of the Healthcare.gov website and its supporting systems at CMS, the Government Accountability Office (GAO) published a report with 6 security management and 22 technical security recommendations.
When the federal insurance exchange website launched in October 2013, CMS accepted increased security risks, according to GAO. At the time, 4 states had not completed all CMS security requirements but were allowed to connect to the data hub anyway. Furthermore, security controls for the federally facilitated marketplace (FFM) had not been tested on a fully integrated version of the system.
“While CMS has security and privacy-related protections in place for Healthcare.gov and related systems, weaknesses exist that put these systems and the sensitive personal information they contain at risk,” according to the GAO.
Some of the security control weaknesses that could threaten Healthcare.gov and related systems include the following: strong passwords were not always required or enforced on systems supporting the FFM; some supporting systems were not restricted from accessing the Internet; and CMS did not consistently apply security patches in a timely manner.
GAO also identified boundary protection, identification and authentication, authorization, and configuration management weaknesses.
“Collectively, these weaknesses put Healthcare.gov systems and the information they contain at increased and unnecessary risk of unauthorized access, use, disclosure, modification, and loss,” the report’s authors wrote.
GAO made the following 6 recommendations aimed at improving security management of Healthcare.gov:
1. Ensure that system security plans for the FFM and data hub contain all information recommended by the National Institute of Standards and Technology.
2. Ensure that all privacy risks associated with Healthcare.gov are analyzed and documented in privacy impact assessments.
3. Develop computer matching agreements with the Office of Personnel Management and the Peace Corps to govern data that are being compared with CMS data to verify eligibility for advance premium tax credits and cost-sharing reductions.
4. Perform a comprehensive security assessment of the FFM, including the infrastructure, platform, and all deployed software elements.
5. Ensure that the planned alternate processing site for the systems supporting Healthcare.gov is established and made operational in a timely fashion.
6. Establish detailed security roles and responsibilities for contractors, including participation in security control reviews, to better ensure effective communication among individuals and entities with responsibility for the security of the FFM and its supporting infrastructure.
In response to the GAO’s report, CMS Administrator Marilyn Tavenner said at a congressional hearing on September 18 that CMS plans to perform a comprehensive security assessment of Healthcare.gov by the end of September, according to Modern Healthcare. She added that CMS would put in place all the recommendations by the time open enrollment begins on November 15.