CMS Uses Weak ID Verification and Has No Plans to Change
According to a recent Government Accountability Office (GAO) audit, the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) is using an outdated and weak method of remote ID verification which is no longer considered to provide sufficient protection against fraud.
The CMS website, Healthcare.gov, which is used to find federal income-based subsidies and private health insurance, relies on knowledge-based verification to confirm an applicant's identity. Applicants are first asked to confirm their name, address and date of birth, and are then asked questions whose answers are supposed to be known only to them, drawn from their credit file.
Knowledge-based verification is only as strong as the secrecy of the answers, and that secrecy ended with the 2017 data breach at Equifax, in which the personal information of more than 145 million Americans was stolen. That stolen credit-file data is exactly what is needed to answer the verification questions. Until a more secure method of ID verification is in place, applicants remain at risk of identity fraud.
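To make the weakness concrete, here is an added Python model of a credit-file quiz (this is illustrative code, not anything from the GAO report or CMS, and the applicant record and distractors are constructed). It shows two things the text only states: how few bits of guessing resistance a multiple-choice quiz has even before any breach, and that an attacker holding a copy of the credit file passes every time.

```python
"""Model of a knowledge-based verification (KBV) quiz and what an attacker
holding a breached copy of the credit file can do with it.
All records below are constructed for this example; none are real."""
import math
import random

# Constructed credit-file record the verifier holds for one applicant.
VERIFIER_RECORD = {
    "prior_street": "Maple Ave",
    "auto_lender": "Northwind Auto Finance",
    "mortgage_range": "$200,001-$250,000",
    "card_opened_year": "2014",
}

# Constructed wrong answers the verifier mixes in as distractors (4 per question).
DISTRACTORS = {
    "prior_street": ["Oak St", "Pine Rd", "Elm Ct", "Birch Ln"],
    "auto_lender": ["Contoso Credit", "Fabrikam Bank", "Tailspin Loans", "None of the above"],
    "mortgage_range": ["$100,001-$150,000", "$150,001-$200,000", "$250,001-$300,000", "No mortgage"],
    "card_opened_year": ["2011", "2012", "2016", "2018"],
}


def build_quiz(record, distractors, rng):
    """Return [(field, choices)] with the true answer shuffled among the distractors."""
    quiz = []
    for field, truth in record.items():
        choices = [truth] + list(distractors[field])
        rng.shuffle(choices)
        quiz.append((field, choices))
    return quiz


def grade(quiz, record, answers):
    """A KBV session passes only if every question is answered correctly."""
    return all(answers.get(field) == record[field] for field, _ in quiz)


def answer_from_data(quiz, known):
    """Answer each question from whatever data the attacker holds.
    Fields the attacker does not have get no answer, which grade() counts as wrong."""
    answers = {}
    for field, choices in quiz:
        if field in known and known[field] in choices:
            answers[field] = known[field]
    return answers


def guessing_entropy_bits(n_questions, n_choices):
    """Size of the quiz's answer space, in bits, for an attacker with no data."""
    return n_questions * math.log2(n_choices)


def blind_success_probability(n_questions, n_choices, attempts):
    """P(pass within `attempts` tries) guessing uniformly, with a fresh quiz each try."""
    p = n_choices ** (-n_questions)
    return 1 - (1 - p) ** attempts


def demo():
    """Before the breach an outsider can only guess; after it, they hold the answers."""
    rng = random.Random(1)
    quiz = build_quiz(VERIFIER_RECORD, DISTRACTORS, rng)
    bits = guessing_entropy_bits(len(quiz), 5)          # ~9.3 bits for 4 questions x 5 choices
    p3 = blind_success_probability(len(quiz), 5, 3)     # ~0.5% with a 3-attempt lockout
    # Attacker with a full copy of the credit file answers every question correctly.
    breached = dict(VERIFIER_RECORD)
    passed = grade(quiz, VERIFIER_RECORD, answer_from_data(quiz, breached))
    # A partial dump missing one field still fails under all-correct grading.
    partial = {k: v for k, v in breached.items() if k != "card_opened_year"}
    partial_passed = grade(quiz, VERIFIER_RECORD, answer_from_data(quiz, partial))
    return bits, p3, passed, partial_passed


if __name__ == "__main__":
    print(demo())
```

The numbers are the point: a four-question, five-option quiz has roughly nine bits of guessing resistance, a lockout after three attempts keeps blind success near half a percent, and neither figure matters once the credit file itself is in the attacker's hands, because the "secret" the quiz tests is precisely the data that was breached.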
There are several alternative methods of ID verification that offer greater protection against fraud, such as having the applicant photograph a government-issued ID document with a mobile phone so it can be compared against the record on file. Alternatively, instead of credit-file entries, information from the applicant's mobile phone account records could be used. Several federal agencies have tried to strengthen their remote ID verification in these ways but have struggled to implement the new solutions.
GAO conducted audits at six agencies following the Equifax breach to assess the extent to which new methods of verification had been implemented. Two of the six agencies have now transitioned to new forms of ID verification (General Services Administration (GSA) and the Internal Revenue Service (IRS)).
The Department of Veterans Affairs (VA) has partially transitioned, but still uses knowledge-based verification for some individuals. The Social Security Administration (SSA) and the United States Postal Service (USPS) are committed to eliminating knowledge-based ID verification, but do not yet have a formal plan or timescale for doing so.
CMS is the only one of the six agencies that still relies on knowledge-based verification and has no plans to reduce or eliminate it. Beyond the quiz, Healthcare.gov's only additional check is email address confirmation, which proves nothing more than that whoever created the account controls that mailbox; it says nothing about whether they are the person they claim to be.
Several reasons have been given for why alternative methods of ID verification are unsuitable, including cost, the lack of viable solutions, and implementation difficulties. One genuine difficulty is that not everyone has a mobile device, so mobile-based verification is not a universal solution.
The reason given for not changing Healthcare.gov was that doing so would not be cost-effective; however, GAO pointed out that NIST's Digital Identity Guidelines (SP 800-63-3) do not permit federal agencies to keep using knowledge-based verification simply because it is the cheapest option.
CMS also argued that NIST guidance was insufficient. GAO agreed that more could be done and has called for NIST to issue further guidance that can be followed by federal agencies to implement more secure ID verification methods.
GAO has urged CMS to continue exploring alternative options. "Until CMS takes steps to develop a plan with time frames and milestones to eliminate the use of knowledge-based verification, CMS and Healthcare.gov applicants will remain at an increased risk of identity fraud," GAO wrote in the report.
GAO has also called for the Office of Management and Budget (OMB) to issue guidance to federal agencies requiring them to report their progress in adopting more secure ID verification methods.