The federal government must create procedures to oversee the security of state-based health insurance marketplaces and continuously monitor security controls for Healthcare.gov, the U.S. Government Accountability Office (GAO) said in a recent report after finding "significant weaknesses" in technical controls.
The GAO identified weaknesses in the technical controls that protect data flowing through the Federal Data Services Hub, including insufficiently restricted administrator privileges, inconsistent application of security patches and insecure configuration of an administrative network. The report also notes weaknesses at three state-based exchanges.
"Without well-defined oversight procedures and more frequent monitoring of security controls, [the Centers for Medicare & Medicaid Services] has less assurance that state-based marketplaces are adequately protected against risks to the sensitive data they collect, process and maintain," the report says.
Issues at the state exchanges include:
- One state did not encrypt connections to the authentication servers supporting its system
- One state did not filter URL requests from the Internet through a web application firewall, so hostile requests could reach the marketplace website unchecked
- One state did not enforce the use of high-level encryption on its Windows servers
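The third finding is stated only at that level of detail; the GAO report does not say which settings were at fault. The following PowerShell audit is an added example (not code from the GAO report or from any marketplace) that assumes "high-level encryption" on a Windows server means legacy SCHANNEL protocols disabled for the Server role and the FIPS-compliant algorithm policy enabled. The registry paths are the documented SCHANNEL and LSA locations; the name `Get-ProtocolState` and the expected-state lists are this example's own choices.

```powershell
# Added audit script, not from the GAO report. Assumption: "high-level encryption"
# maps to (1) SSL 2.0/3.0 and TLS 1.0/1.1 disabled for the Server role and
# (2) the FIPS algorithm policy flag set. Run in an elevated PowerShell session.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacy   = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')   # expected: Disabled
$modern   = @('TLS 1.2')                                     # expected: not explicitly Disabled

# Returns Enabled / Disabled / NotConfigured for one protocol and role.
# NotConfigured means the OS default applies, which on older Windows Server
# releases leaves TLS 1.0 and 1.1 on, so it is treated as a finding for legacy protocols.
function Get-ProtocolState {
    param([string]$Name, [string]$Role = 'Server')
    $key = Join-Path (Join-Path $schannel $Name) $Role
    if (-not (Test-Path $key)) { return 'NotConfigured' }
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $p -or $null -eq $p.Enabled) { return 'NotConfigured' }
    if ($p.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

$findings = @()

foreach ($proto in $legacy) {
    $state = Get-ProtocolState -Name $proto
    if ($state -ne 'Disabled') {
        $findings += "Legacy protocol $proto is $state for the Server role (expected Disabled)"
    }
}

foreach ($proto in $modern) {
    $state = Get-ProtocolState -Name $proto
    if ($state -eq 'Disabled') {
        $findings += "$proto is explicitly disabled for the Server role; nothing modern remains"
    }
}

# FIPS policy: HKLM\...\Lsa\FipsAlgorithmPolicy\Enabled = 1 restricts SCHANNEL and
# .NET to FIPS-validated algorithms.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = Get-ItemProperty -Path $fipsKey -ErrorAction SilentlyContinue
if ($null -eq $fips -or $fips.Enabled -ne 1) {
    $findings += 'FIPS algorithm policy (FipsAlgorithmPolicy\Enabled) is not set to 1'
}

if ($findings.Count -eq 0) {
    Write-Output 'PASS: no SCHANNEL protocol or FIPS policy findings'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The script reads registry state only; it does not change anything. Treat a PASS as necessary rather than sufficient: cipher-suite ordering, certificate key sizes and application-layer settings (for example, whether an authentication service actually listens over TLS) are outside what these two registry checks can tell you.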
To improve security and privacy oversight of state-based marketplaces, GAO recommended that CMS resolve the technical information security weaknesses within the data hub related to boundary protection, identification and authentication, authorization and encryption, and apply outstanding software updates.
A previous Office of Inspector General (OIG) report noted that the federal government stored the personal information of millions of insurance marketplace customers in a massive data warehouse with basic security flaws. It also called out verification gaps and the government's "passive approach to fraud," which puts billions in federal spending at risk.
Last October, however, the federal marketplace began offering a new consumer privacy feature, a "Do Not Track" privacy management option, which allows users to opt out of the site's embedded third-party analytics trackers.
To learn more:
- here's the report (.pdf)