Watchdog finds security lacking at healthcare.gov, two state marketplaces

Health insurance marketplace websites and databases – including healthcare.gov – need stronger security controls to protect personally identifiable information (PII), according to an audit by the Office of Inspector General (OIG) at the Department of Health & Human Services.

The OIG reviewed information technology (IT) controls within healthcare.gov as well as the state marketplaces in New Mexico and Kentucky. Auditors conducted vulnerability scans and simulated cyberattacks from February to June 2014. While the OIG noted that database administrators had taken steps to ensure PII data protection, auditors identified security vulnerabilities within all three systems.

In a September report summarizing their findings, auditors said healthcare.gov administrators at the Centers for Medicare & Medicaid Services had failed to:

• Implement a process to use automated tools to test database security configuration settings.

• Implement an effective enterprise scanning tool to test for website vulnerabilities.

• Maintain adequate documentation on encryption.

• Detect and defend against website vulnerability scanning and simulated cyberattacks directed at healthcare.gov.

The auditors also found room for improvement in the Kentucky and New Mexico systems. Administrators at the Kentucky Health Benefit Exchange (KHBE) sufficiently protected PII on its websites and databases in accordance with federal requirements, the OIG report found. However, KHBE administrators had not sufficiently restricted user and group access to authorized roles and functions and had not fully addressed federal requirements for system security planning, risk assessment, and flaw remediation, among other items.

Meanwhile, the OIG found IT policies that control the New Mexico Health Insurance Exchange (NMHIX) website and databases did not always conform to federal requirements and recommendations to secure sensitive information.

The OIG’s public report did not include details of the systems’ vulnerabilities because of the information’s sensitivity; however, detailed information and recommendations were provided to the CMS and the states. The CMS and New Mexico agreed with all of the OIG’s recommendations and described actions they have taken and plan to take to remedy the problems, according to the OIG report. Kentucky leaders concurred with most recommendations and detailed how they would improve their systems.

agallegos@frontlinemedcom.com

On Twitter @legal_med