HHS OIG Identifies Security Vulnerabilities in Ky., N.M. Exchanges
September 25, 2014 in News
Health insurance exchanges in Kentucky and New Mexico have security vulnerabilities that could put residents’ personally identifiable information at risk, according to a report released this week by HHS’ Office of Inspector General, Health IT Security reports.
For the report, HHS OIG used the National Institute of Standards and Technology’s security standards and guidelines to examine various exchange functions, including:
- Data encryption;
- Database vulnerability;
- Information security controls;
- Mobile device management;
- Remote access; and
- Web application vulnerability (Ouellette, Health IT Security, 9/23).
HHS OIG conducted its review of the Kentucky Health Benefit Exchange from April to May and its review of the New Mexico Health Insurance Exchange in March (HHS OIG report, 9/23).
The report found that KHBE successfully secured consumers’ personally identifiable information during:
- Consumer data entry;
- Storage in exchange database; and
- Data transmission.
However, the report said that the exchange failed to:
- Properly restrict user access to specific roles and functions; and
- Meet federal requirements for several functions, including security planning, risk assessment and incident response capability.
KHBE said that it partially agreed with the recommendation to restrict database access to particular users and functions and that it would evaluate whether it needed to further restrict such access.
Meanwhile, the report found that NMHIX had:
- One data encryption vulnerability;
- One patch management vulnerability;
- One Universal Serial Bus port and device vulnerability; and
- Two remote access vulnerabilities.
NMHIX agreed with all of HHS OIG’s recommendations to correct the issues and detailed steps it had taken to do so (Health IT Security, 9/23).
Bill Would Allow Users To Delete HealthCare.gov Profiles
Hurt said he proposed the bill in response to cybersecurity concerns about the website. He added that the legislation would help protect the privacy of individuals who created HealthCare.gov profiles but decided not to enroll in coverage.
He said, “Clearly, major cybersecurity risks exist within the online federal marketplace, and these grave security concerns make it even more imperative that individuals have the ability to remove their personal information permanently from HealthCare.gov, which this bill enables” (Marcos, “Floor Action,” The Hill, 9/23).
HealthCare.gov Cost Surpasses $2B
Meanwhile, the total cost of HealthCare.gov is now more than $2 billion, exceeding previous estimates, according to an analysis released Wednesday, The Hill reports.
HHS Secretary Sylvia Mathews Burwell recently had projected the cost of HealthCare.gov to be about $1 billion through fiscal year 2015, according to The Hill.
Meanwhile, the analysis puts the total cost of implementation of the ACA at more than $73 billion since 2010.
CMS “pushed back” against the report, saying that the ACA overall has been saving money for consumers. CMS spokesperson Aaron Albright said, “The fact is expenditures related to the Affordable Care Act are publicly available and widely known, but what’s also known is just how much it’s saving — $9 billion for consumers and billions more for reductions in uncompensated care, among other savings for the American people.”
Lawmakers criticized the administration over the law’s costs.
House Oversight Committee Chair Darrell Issa (R-Calif.) said, “Two billion dollars is an awful lot to pay for a website with lingering security issues that transfers the costs of health care from customers to taxpayers” (Viebeck, The Hill, 9/24).