Healthcare.gov remains vulnerable to security threats, GAO finds

Healthcare.gov is not secure. Increased and unnecessary risks to its security remain, as the Centers for Medicare and Medicaid Services (CMS) has failed to implement and address security issues, a new report finds.

The Government Accountability Office (GAO) notes that CMS has taken numerous steps to protect personal information, as required under federal law, but Healthcare.gov had weaknesses when it was first deployed, including incomplete security plans and privacy documentation, incomplete security tests and the lack of an alternative processing site to avoid major service disruptions.

Since the launch of the website, CMS has taken steps to address some of the weaknesses, but has not fully mitigated all of them, GAO says. Additionally, the watchdog identified weaknesses in the technical controls protecting confidentiality, integrity and availability of the federally-facilitated marketplace.

CMS, according to GAO, has failed to:

  • Always require or enforce strong password controls;
  • Consistently implement software patches; and
  • Properly configure an administrative network.

GAO says the main reason these safeguards have not been implemented is that CMS does not yet have a shared understanding of how security was implemented for Healthcare.gov among all entities involved with its development.

“Until these weaknesses are fully addressed, increased and unnecessary risks remain of unauthorized access, disclosure or modification of the information collected and maintained by Healthcare.gov and its related systems, and the disruption of service provided by the systems,” the report says.

A CMS spokesperson says, “Protecting consumers’ personal information is a top priority. When Americans use HealthCare.gov, their data is protected by stringent security measures that adhere to industry best practices and meet or exceed federal standards.

“To continuously raise the bar on the website’s security and meet evolving threats, it requires constant monitoring and re-evaluation. Feedback from the GAO, the department’s Inspector General and outside, independent security experts is part of that process,” CMS adds. “CMS has already acted on many of the recommendations in [the] report. We will continue to work closely with GAO to further strengthen the security of HealthCare.gov.”

Sen. Orrin Hatch (R-Utah) said in a statement the report “reinforces that CMS continues to fail the American public by not taking appropriate actions to ensure the security of HealthCare.gov.”
