HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Government Accountability Office Report Identifies Many HealthCare.Gov Security Flaws

A new report published by the Government Accountability Office has highlighted a number of security weaknesses with the HealthCare.gov website “that could place sensitive information at risk of unauthorized disclosure, modification or loss.”

Under the Patient Protection and Affordable Care Act, the Centers for Medicare and Medicaid Services is responsible for overseeing state-based marketplaces that allow consumers to compare and purchase health insurance and for securing federal systems to which marketplaces connect, which include its data hub.

GAO was requested to conduct a review of security issues relating to the data hub, in addition to assessing CMS oversight of state-based marketplaces. The review included describing security incidents reported by CMS, assessing incident data, analyzing security controls, and reviewing its policies and procedures.

The report indicates there were 316 security incidents involving the HealthCare.gov web portal between October 2013 and March 2015. In one instance, an attacker breached the security defenses, gained access to a test server related to the HealthCare.gov website, and installed malware.

The report points out that the incidents affecting the HealthCare.gov website did not result in the exposure, loss, or theft of any sensitive data; however, the extent to which security is being tested has highlighted the need for rapid action to be taken to address the security weaknesses GAO discovered during the review.

The report says a number of vulnerabilities were discovered in the data hub’s technical controls, which included inconsistent application of security patches, an insecurely configured administrative network, and insufficiently restricted administrator privileges for data hub systems. These weaknesses are potentially placing the data flowing through the hub at risk of compromise. Weaknesses were also discovered at three state-based marketplaces, some of which were serious. They included a lack of adequate encryption and misconfigured firewalls.

The GAO report says that CMS has made progress since the last review was conducted and has corrected issues highlighted in all previous reports; however, unless the weaknesses identified in the latest report are addressed, “the data hub will likely continue to jeopardize the confidentiality, integrity, and availability of Healthcare.gov.”

CMS has also been addressing vulnerabilities with state-based marketplaces, but because it lacks a documented oversight program, CMS is unable to ensure that each state has sufficient privacy and security controls in place and that those controls are implemented properly.

GAO says 27 actions are required to mitigate privacy and security weaknesses. CMS must also improve oversight of state-based marketplaces by:

  • Monitoring the day-to-day activities of offices and staff
  • Developing policies and procedures for reviewing the SMART tool, including stipulating follow-up timescales and assessing the corrective actions taken to address identified vulnerabilities, and
  • Implementing policies and procedures to continuously monitor the privacy and security controls over state-based marketplaces, and also assessing the environments in which the systems operate in order to quickly identify security weaknesses and remediate risks

The full GAO report can be viewed here.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.