Practice Economics

Watchdog finds security lacking at healthcare.gov, two state marketplaces


Health insurance marketplace websites and databases – including healthcare.gov – need stronger security controls to protect personally identifiable information (PII), according to an audit by the Office of Inspector General (OIG) at the Department of Health & Human Services.

The OIG reviewed information technology (IT) controls within healthcare.gov as well as the state marketplaces in New Mexico and Kentucky. Auditors conducted vulnerability scans and simulated cyberattacks from February to June 2014. While the OIG noted that database administrators had taken steps to protect PII, auditors identified security vulnerabilities within all three systems.

OIG auditors identified security vulnerabilities within all three systems. ©Balefire9/thinkstockphotos.com

In a September report summarizing their findings, auditors said healthcare.gov administrators at the Centers for Medicare & Medicaid Services had failed to:

• Implement a process to use automated tools to test database security configuration settings.

• Implement an effective enterprise scanning tool to test for website vulnerabilities.

• Maintain adequate documentation on encryption.

• Detect and defend against website vulnerability scanning and simulated cyberattacks directed at healthcare.gov.

The auditors also found room for improvement in the Kentucky and New Mexico systems. Administrators at the Kentucky Health Benefit Exchange (KHBE) sufficiently protected PII on its websites and databases in accordance with federal requirements, the OIG report found. However, KHBE administrators had not sufficiently restricted user and group access to authorized roles and functions and had not fully addressed federal requirements for its system security planning, risk assessment, and flaw remediation, among other items.

Meanwhile, the OIG found IT policies that control the New Mexico Health Insurance Exchange (NMHIX) website and databases did not always conform to federal requirements and recommendations to secure sensitive information.

The OIG’s public report did not include details of the systems’ vulnerabilities because of the information’s sensitivity; however, detailed information and recommendations were provided to the CMS and the states. The CMS and New Mexico agreed with all of the OIG’s recommendations and described actions they have taken and plan to take to remedy the problems, according to the OIG report. Kentucky leaders concurred with most recommendations and detailed how they would improve their systems.

agallegos@frontlinemedcom.com

On Twitter @legal_med
