HealthCare.gov’s Security Flaws Put Consumer Data at Risk, GAO Says
September 17, 2014 in News
There still are security flaws in HealthCare.gov that could make consumers’ personal data vulnerable, according to a Government Accountability Office report released Tuesday, AP/Modern Healthcare reports.
The report noted that while the Obama administration has taken steps to improve the site’s security, it must do more to safeguard its weaknesses. According to the report, launching the site before it was fully tested was a major risk (AP/Modern Healthcare, 9/16).
The report stated, “Until these weaknesses are fully addressed, increased and unnecessary risks remain of unauthorized access, disclosure or modification of the information collected and maintained by HealthCare.gov and related systems, and the disruption of service provided by the systems.”
Specifically, the report found that CMS, which is in charge of running the site, failed to ensure that the network’s security systems were completed. For example, the agency did not finish certain assessments of the site’s privacy risks, nor did it perform a comprehensive test of its security. According to the report, that testing still was incomplete as of June.
In addition, CMS did not produce a backup site for HealthCare.gov that would allow the agency to recover data in the event of a systems failure.
Other weaknesses included:
- Inconsistent application of security patches;
- Allowing certain systems to access the website’s infrastructure, which heightened the risk of unauthorized access to data; and
- Weak enforcement of password-strength requirements.
Further, one of the site’s contractors did not secure its administrative network, making it vulnerable to additional unauthorized access (Radnofsky/Armour, Wall Street Journal, 9/16).
According to the report, most of the problems stemmed from confusion about security roles among the site’s contractors and state and federal agencies (Chaithanya, Reuters, 9/16).
GAO recommended six areas where CMS could improve HealthCare.gov’s security, including:
- Creating a backup site for the system;
- Establishing best practices for government agencies; and
- Completing a comprehensive test of all aspects of the system.
GAO Director of Information Security Gregory Wilshusen said that a separate report that was not released publicly recommended 22 specific technical changes. He said CMS agreed with all of the specific changes, but it contested some of the broader recommendations (AP/Modern Healthcare, 9/16).
For example, GAO wants the administration to test the entire system at once, while CMS prefers to test separate aspects individually because that practice aligns with industry standards.
Regardless, CMS said it would work with GAO to address the security flaws, noting that it already has acted on some of the report’s suggestions (Wall Street Journal, 9/16).
Sen. Lamar Alexander (R-Tenn.) in a statement said, “Someone should be held accountable for this kind of gross mismanagement, and security must be fixed immediately before a major hacking attack does massive damage” (Reuters, 9/16).
HHS spokesperson Kevin Griffis said, “Protecting consumers’ personal information is a top priority,” adding, “When Americans use HealthCare.gov, their data [are] protected by stringent security measures that adhere to industry best practices and meet or exceed federal standards” (Wall Street Journal, 9/16).