
GAO says Healthcare.gov needs security upgrades
Although healthcare.gov is substantially more secure than when it launched in 2013, major security issues continue to put user data and system infrastructures at risk, according to a new report by the U.S. Government Accountability Office (GAO).
The report, released September 16, identified weaknesses in the website's technical controls for confidentiality, integrity and availability.
On September 18, Marilyn Tavenner, administrator for the Centers for Medicare and Medicaid Services (
Healthcare.gov, established by the Affordable Care Act (
The GAO notes that multiple federal agencies, some of which serve as eligibility checkpoints, exchange information with healthcare.gov including the U.S. Departments of Defense and Homeland Security, the Internal Revenue Service, and the Social Security Administration. Many commercial entities also exchange information with the site, including contractors for the CMS and administrators of health insurance plans.
While CMS, which oversees healthcare.gov, has taken many steps to improve site security since launch, the report said it has still not fully mitigated weaknesses surrounding:
- Incomplete security plans and privacy documentation
- Incomplete security tests, and
- the lack of an alternate processing site to avoid major service disruptions.
The report notes that healthcare.gov must conform to federal requirements protecting systems and data. It includes six recommendations to improve the security and privacy of the site:
- Ensure that the system security plans for the Marketplace and data hub contain all the information recommended by the National Institute of Standards and Technology.
- Ensure that all privacy risks are analyzed and documented in their privacy impact assessments.
- Develop separate computer matching agreements with several federal agencies to govern data that is being used to verify eligibility for tax credit and cost-sharing reductions.
- Perform a comprehensive security assessment of the Marketplace system, including the infrastructure, platform and all deployed software elements.
- Ensure that the planned alternate processing site for the systems supporting healthcare.gov is established and made operational in a timely fashion.
- Establish detailed security roles and responsibilities for contractors, including participation in security controls reviews, to better ensure that communications between individuals and entities are effective.
The U.S. Department of Health and Human Services (HHS), which has top-level oversight of healthcare.gov, disagreed with some of the GAO’s recommendations and agreed with others. In a four-page letter included in the report, HHS said that CMS conducts “continuous monitoring using a 24/7, multi-layer IT professional security team, added penetration testing, and a change management process that includes ongoing testing and mitigation strategies implemented in real time.”
The site was hacked on July 8 but the hack was not discovered until August 25, according to the