GAO urges security, privacy controls for Healthcare.gov

The federal government must create procedures to oversee security of state-based health insurance marketplaces and continously monitor security controls for Healthcare.gov, the U.S. Government Accountability Office (GAO) said in a recent report after finding "significant weaknesses" in technical controls. 

The GAO identified weaknesses in technical controls that protect the data flowing through the Federal Data Services Hub, including insufficiently restricted administrator privileges, inconsistent application of security patches and insecure configuration of an administrative network. The report also notes weaknesses in three state-based exchanges. 

"Without well-defined oversight procedures and more frequent monitoring of security controls, [the Centers for Medicare & Medicaid Services] has less assurance that state-based marketplaces are adequately protected against risks to the sensitive data they collect, process and maintain," the report says.

eBook

9 Tips for Implementing the Best Mobile App Strategy

The member mobile app is a powerful tool for payers and members. It can help improve health outcomes, reduce operational costs, and drive self-service — anytime, anywhere. In this new eBook, learn tips and tricks to implementing the best mobile app strategy now.

Issues at the state exchanges include:

  • One state did not encrypt connections to the authentication servers supporting its system
  • One state did not filter URL requests from the Internet through a Web application firewall to prevent hostile requests from reaching the marketplace website
  • One state did not enforce the use of high-level encryption on its Windows servers

GAO recommended that to improve the security and privacy oversight of state-based marketplaces, CMS should resolve technical information security weaknesses within the data hub related to boundary protection, identification and authentication; improve authorization and encryption; and execute software updates.

A previous OIG report noted that the federal government stored the personal information of millions of insurance marketplace customers in a massive data warehouse with basic security flaws. It also called out a verification gaps and the government's "passive approach to fraud" that compromises billions in federal spending.

Last October, however, the federal marketplace began offering a new consumer security feature, a "Do Not Track" privacy management option, which allows users to opt out of any embedded third-party analytical trackers.

To learn more:
- here's the report (.pdf)

Suggested Articles

CMS approved a waiver from Nebraska to offer extra benefits to certain Medicaid beneficiaries in exchange for meeting work requirements.

Nearly 3 in 4 employers are planning to roll out new health delivery models in the next three years, according to a new survey.

Regardless of who wins the elections in November, there are three issues that are going to dominate the healthcare discussion in Congress in 2021.