Tuesday, April 30, 2024

Healthcare.gov Vulnerable to Cyber Attacks; Security Incidents Noted by GAO

The Centers for Medicare & Medicaid Services (CMS) reported 316 security-related incidents involving the Healthcare.gov portal between October 2013 and March 2015, the Government Accountability Office (GAO) disclosed in a new audit report.

GAO said its “review of CMS records for this period [found] the majority of these incidents involved such things as electronic probing of CMS systems by potential attackers, which did not lead to compromise of any systems, or the physical or electronic mailing of sensitive information to an incorrect recipient.”

GAO reported, “None of the incidents included evidence that an outside attacker had successfully compromised sensitive data, such as personally identifiable information.”

However, GAO also noted that it identified additional weaknesses in technical controls that could place sensitive information at risk of unauthorized disclosure, modification or loss.

GAO identified what it called “significant weaknesses in the controls at three selected state-based marketplaces” which “included insufficient encryption and inadequately configured firewalls, among others. In September 2015, GAO reported these results to the three states, which generally agreed and have plans in place to address the weaknesses.”

“Without well-defined oversight procedures and more frequent monitoring of security controls,” GAO assessed, “CMS has less assurance that state-based marketplaces are adequately protected against risks to the sensitive data they collect, process, and maintain.”

GAO said CMS has taken steps to protect the security and privacy of data processed and maintained by the systems and connections supporting Healthcare.gov, including the Federal Data Services Hub (data hub), which are consistent with federal guidance.

The data hub is a portal for exchanging information between the federal marketplace and CMS’s external partners.

“To protect these systems,” GAO reported, “CMS assigned responsibilities to appropriate officials and documented information security policies and procedures.”

However, GAO said it identified weaknesses in the technical controls protecting the data flowing through the data hub, which included:

  • Insufficiently restricted administrator privileges for data hub systems;
  • Inconsistent application of security patches; and
  • Insecure configuration of an administrative network.
Homeland Security Today
The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.
