GAO urges security, privacy controls for Healthcare.gov

The federal government must create procedures to oversee security of state-based health insurance marketplaces and continuously monitor security controls for Healthcare.gov, the U.S. Government Accountability Office (GAO) said in a recent report after finding "significant weaknesses" in technical controls.

The GAO identified weaknesses in technical controls that protect the data flowing through the Federal Data Services Hub, including insufficiently restricted administrator privileges, inconsistent application of security patches and insecure configuration of an administrative network. The report also notes weaknesses in three state-based exchanges. 

"Without well-defined oversight procedures and more frequent monitoring of security controls, [the Centers for Medicare & Medicaid Services] has less assurance that state-based marketplaces are adequately protected against risks to the sensitive data they collect, process and maintain," the report says.

Issues at the state exchanges include:

  • One state did not encrypt connections to the authentication servers supporting its system
  • One state did not filter URL requests from the Internet through a Web application firewall to prevent hostile requests from reaching the marketplace website
  • One state did not enforce the use of high-level encryption on its Windows servers

GAO recommended that to improve the security and privacy oversight of state-based marketplaces, CMS should resolve technical information security weaknesses within the data hub related to boundary protection, identification and authentication; improve authorization and encryption; and execute software updates.

A previous OIG report noted that the federal government stored the personal information of millions of insurance marketplace customers in a massive data warehouse with basic security flaws. It also called out verification gaps and the government's "passive approach to fraud" that compromises billions in federal spending.

Last October, however, the federal marketplace began offering a new consumer security feature, a "Do Not Track" privacy management option, which allows users to opt out of any embedded third-party analytical trackers.

To learn more:
- here's the report (.pdf)
