Health insurance marketplace websites and databases – including healthcare.gov – need stronger security controls to protect personally identifiable information (PII), according to an audit by the Office of Inspector General (OIG) at the Department of Health & Human Services.
The OIG reviewed information technology (IT) controls within healthcare.gov as well as the state marketplaces in New Mexico and Kentucky, conducting vulnerability scans and simulated cyberattacks from February to June 2014. While the OIG noted that database administrators had taken steps to protect PII, auditors identified security vulnerabilities in all three systems.
In a September report summarizing their findings, auditors said healthcare.gov administrators at the Centers for Medicare & Medicaid Services (CMS) had failed to:
• Implement a process to use automated tools to test database security configuration settings.
• Implement an effective enterprise scanning tool to test for website vulnerabilities.
• Maintain adequate documentation on encryption.
• Detect and defend against website vulnerability scanning and simulated cyberattacks directed at healthcare.gov.
The auditors also found room for improvement in the Kentucky and New Mexico systems. Administrators at the Kentucky Health Benefit Exchange (KHBE) sufficiently protected PII on the exchange's websites and databases in accordance with federal requirements, the OIG report found. However, KHBE administrators had not sufficiently restricted user and group access to authorized roles and functions, and had not fully addressed federal requirements for system security planning, risk assessment, and flaw remediation, among other items.
Meanwhile, the OIG found that the IT policies governing the New Mexico Health Insurance Exchange (NMHIX) website and databases did not always conform to federal requirements and recommendations for securing sensitive information.
The OIG's public report did not include details of the systems' vulnerabilities because of the information's sensitivity; however, detailed findings and recommendations were provided to CMS and the states. CMS and New Mexico agreed with all of the OIG's recommendations and described actions they have taken and plan to take to remedy the problems, according to the OIG report. Kentucky leaders concurred with most recommendations and detailed how they would improve their systems.
On Twitter @legal_med