Documents Reveal Security Risks in Systems Linking to Federal Portal
February 26, 2014 in News
Documents and emails provided to the Associated Press by the House Oversight and Government Reform Committee highlight concerns about the security of state computer systems that connect health exchanges with a federal portal for verifying consumer information, the AP/Miami Herald reports.
According to AP/Herald, states required approval for systems that link to a new federal data portal that confirms personal details about individuals applying for insurance subsidies. The portal includes sensitive data, such as applicants’ income and Social Security numbers.
The documents show that more than two-thirds of state exchanges’ computer systems designed to connect to the federal portal initially were considered “high risk” for security issues.
In addition, the documents included more security concerns than HHS has acknowledged previously. According to the AP/Herald, the documents show a “frenzied” period in which officials authorized risky state systems to connect with the federal portal.
For example, CMS Chief Information Security Officer Teresa Fryer sent an email on Sept. 29, 2013 — just two days before the exchanges launched — stating that CMS was “signing [authorizations] whether or not [the state systems were] a high risk.”
In another document, CMS Administrator Marilyn Tavenner on Sept. 27, 2013, wrote, “CMS views the Oct. 1 connections to … nine states as a risk due to the fact that their documentation may not be submitted or completely reviewed by … Oct. 1.”
The Obama administration said the documents portray “outdated” and partial information of security issues that have either been resolved or are being specifically addressed (Alonso-Zaldivar, AP/Miami Herald, 2/25).
Documents Show Calif. Exchange Has Unresolved ‘Vulnerability’
Meanwhile, a Jan. 10 email between two CMS officials discusses a security “vulnerability” with California’s health insurance exchange and states that the problem had been publically disclosed, the AP/U-T San Diego reports.
In the email, CMS Exchange Information Security Officer Tom Schankweiler wrote that the agency had recently been made “aware of a vulnerability with the [California] exchange that has not been fixed and reference to the weakness is posted in the public domain.”
According to CMS, Covered California already was aware of the issue and was addressing it. According to the AP/U-T San Diego, there has been no indication that consumer information was compromised (Verdin, AP/U-T San Diego, 2/25).
N.D. Exchange Lacks Federal Authority To Connect
In related news, North Dakota officials continue to wait for authorization to connect to the federal portal that verifies personal information of consumers attempting to purchase subsidized health coverage, the AP/Atlanta Journal-Constitution reports.
North Dakota is one of three states — Georgia and New Jersey are the other two — that have still not received authority to connect.
North Dakota Department of Human Services Director Maggie Anderson said the state so far has submitted three plans seeking the authorization, but two have been rejected. The state is waiting for a response on the third.
However, Anderson noted that the system is secure and said the lack of clearance has not “stop[ped] people from getting coverage” (MacPherson, AP/Atlanta Journal Constitution, 2/25).