
OIG Discovers Security Flaws in Washington State Insurance Exchange Website

A review of Washington State’s health insurance exchange conducted by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed a number of website and database security issues that have placed personally identifiable information (PII) at risk of exposure.

OIG conducted its review to determine whether the Washington health insurance marketplace had implemented appropriate controls to ensure PII was protected in line with Federal requirements, including those detailed in the Centers for Medicare & Medicaid Services’ (CMS) Minimum Acceptable Risk Standards for Exchanges.

The CMS requires all exchanges to develop security plans, perform risk assessments, conduct scans for security vulnerabilities, develop patch management policies and procedures, conduct penetration testing, and remediate any security vulnerabilities that are identified.

OIG assessed the Washington marketplace’s policies and procedures, and evaluated the security controls that had been implemented to protect the website and database. The marketplace’s internal controls were outside the scope of the review.


While a number of security controls had been implemented, OIG found that the Washington marketplace had not always complied with federal requirements. OIG auditors discovered that a vulnerability scan had not been performed, and the website and database had not been appropriately secured.

As a result, vulnerabilities existed that could have been exploited by malicious actors. Some of the vulnerabilities were serious and could have compromised the confidentiality and integrity of data. However, OIG auditors found no evidence that any of the vulnerabilities had actually been exploited.

The marketplace’s Plan of Action and Milestones had also fallen short of the minimum requirements of the Centers for Medicare & Medicaid Services.

OIG noted in its report that “without proper safeguards, systems were not protected from individuals and groups with malicious intent to obtain access in order to commit fraud, waste, or abuse or launch attacks against other computer systems and networks.”

OIG issued a number of detailed recommendations to address the security failures and strengthen protections. The marketplace agreed with the OIG recommendations, has taken action to address the security vulnerabilities, and has corrected the issues with its policies and procedures.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
