GAO: HealthCare.gov Has Security FlawsHHS Disputes Audit Findings on Risks
Federal government auditors have identified weaknesses in the technical controls protecting the security of the federally run Obamacare HealthCare.gov website and systems.
See Also: The State of Security Segmentation
A Government Accountability Office report issued Sept. 16 says the Department of Health and Human Services unit that runs HealthCare.gov, the Centers for Medicare & Medicaid Services, has not always required or enforced strong password controls, adequately restricted access to the Internet, consistently implemented software patches and properly configured an administrative network.
"An important reason that all of these weaknesses occurred and some remain is that CMS did not and has not yet ensured a shared understanding of how security was implemented for the FFM among all entities involved in its development," the audit says, referring to the federally facilitated marketplace, the part of Obamacare run by the federal government on behalf of 36 states.
"Until these weaknesses are fully addressed, increased and unnecessary risks remain of unauthorized access, disclosure or modification of the information collected and maintained by HealthCare.gov and related systems, and the disruption of service provided by the systems," the report says.
The House Committee on Oversight and Government Reform on Sept. 18 will hold a hearing dubbed, "Examining ObamaCare's Failures in Security, Accountability, and Transparency" at which the GAO report is expected to be discussed. CMS confirms that its administrator, Marilyn Tavenner, will testify at the hearing.
In a statement to Information Security Media Group, CMS says, "To continuously raise the bar on the website's security and meet evolving threats, it requires constant monitoring and re-evaluation. Feedback from the GAO, the department's Inspector General and outside, independent security experts is part of that process. CMS has already acted on many of recommendations in today's report. We will continue to work closely with GAO to further strengthen the security of HealthCare.gov."
GAO says CMS has taken steps to protect the security and privacy of data processed and maintained by the complex set of systems and interconnections that support HealthCare.gov, yet weaknesses remain in the processes used for managing information security and privacy as well as the technical implementation of IT security controls. The report says CMS took many steps to protect security and privacy, including developing required security program policies and procedures, establishing interconnection security agreements with its federal and commercial partners, and instituting required privacy protections.
"However," the audit says, "HealthCare.gov had weaknesses when it was first deployed, including incomplete security plans and privacy documentation, incomplete security tests, and the lack of an alternate processing site to avoid major service disruptions."
HHS Disputes Findings
Jim Esquea, HHS assistant secretary for legislation, disputed some of GAO's conclusions, contending that CMS developed HealthCare.gov consistent with federal statutes, guidelines and industry standards that help ensure the integrity of the systems data.
In a written response to GAO, Esquea says HHS does not concur with the audit findings that CMS accepted significant security risks when it granted the federally and state operated components of HealthCare.gov to operate last September and allowed states to connect to the data hub, which provides connectivity between the federally operated and state operated systems.
Besides the security controls examined by GAO, Esquea says CMS implemented other measures to protect personally identifiable information, including penetration testing that still continues. In addition, he says, CMS conducts continuous monitoring using a 24-by-7, multi-layer IT security team and a change management process that includes continuous testing and mitigation strategies in real time. "These layered controls help protect the privacy and security of PII related to the FFM," Esquea says.
GAO offered six recommendations, including conducting a comprehensive security assessment of the federally operated part of HealthCare.gov. GAO also called on HHS to establish detailed security roles and responsibilities for contractors, including participation in security controls reviews, to better ensure that communications between individuals and entities with responsibility for the security of the federally operated part of HealthCare.gov and its supporting infrastructure are effective.
Obamacare Opponents React
The GAO report provided political fodder for opponents of Obamacare. "The president and his administration launched HealthCare.gov knowing that the personal information of Americans who bought insurance through the website was not safe," says Sen. Lamar Alexander, the Tennessee Republican who's the ranking member of the Senate Health, Education, Labor and Pensions Committee. "Their personal information was not safe then, and it is not safe now. Someone should be held accountable for this kind of gross mismanagement, and security must be fixed immediately before a major hacking attack does massive damage."
HHS disclosed on Sept. 4 that malware had been uploaded on a HealthCare.gov test server back in July. HHS officials say the malware was designed to launch a distributed-denial-of-service attack against other websites when activated and not designed to exfiltrate personally identifiable information.
No consumer data was exposed in the incident, HHS officials say (see: HealthCare.gov Server Hacked.
The GAO report comes in response to multiple requests the watch-dog agency had received in recent months from several members of Congress asking for a review of HealthCare.gov information security. Those includes a request, made in a May 1 letter to the GAO, from Rep. Lamar Smith, R -Texas, chairman of the House Committee on Space, Science and Technology.
The requests for GAO to study the security and privacy and security safeguards of the Obamacare insurance exchange site and systems also follow a number of Congressional committee hearings last fall that considered the security risks of HealthCare.gov (see: Expanded HealthCare.gov Scrutiny Sought).
(Executive Editor Marianne Kolbasuk McGee contributed to this story.)