Published December 20, 2015
Despite efforts to protect patient information on the HealthCare.gov website, a new government watchdog report scheduled to be released Thursday says security issues are still a concern.
According to the Government Accountability Office report, “weaknesses remained in the security and privacy protections applied to HealthCare.gov and its supporting systems.”
The agency will present its findings to the House Oversight and Government Reform Committee on Thursday.
In the report, the GAO makes six recommendations to the Department of Health and Human Services to implement security and privacy controls to protect sensitive material. The report also makes 22 recommendations to resolve technical weaknesses in security controls.
Problems with the site ranged from the agency not setting up an alternate processing site for HealthCare.gov systems, which would allow them to be recovered if the site was hacked or went down, to the strength of passwords.
“In addition to these weaknesses, we also identified weaknesses in security controls related to boundary protection, identification and authentication, authorization and configuration management,” the report states. “Collectively, these weaknesses put HealthCare.gov systems and the information they contain at increased and unnecessary risk of unauthorized access, use, disclosure, modification or loss.”
According to the GAO report, HHS has agreed with three of the six recommendations and has agreed with all 22 technical recommendations.
Many Republican lawmakers have criticized the technology used to run and maintain the HealthCare.gov site since it was launched last fall. They argue that the Obama administration rushed through the system despite knowing problems existed.
HealthCare.gov is used in 30 states as a one-stop shop for health-insurance plans. Signing up for plans as well as applying for tax credits requires users to enter personal data, including their Social Security number.
The government report says the agency in charge of the site also failed to ensure system-security plans were in place and instead was relying on a draft data-use agreement with a contractor who is paid to verify user identities.
The newest security warnings follow demands earlier this month from House Oversight and Government Reform Committee Chairman Darrell Issa that a key ObamaCare official testify before his committee after the Obama administration revealed hackers successfully breached the site.
Issa, R-Calif., said in a statement that Marilyn Tavenner, the administrator for the Centers for Medicare and Medicaid Services, “must testify” before Sept. 18 to discuss “transparency, accountability, and information security” regarding the federal website.
The health care site had numerous technical problems when it was launched last fall and was initially unworkable for most consumers. Among the issues that concerned the administration's own technical experts at the time was that security testing could not be completed because the system was undergoing so many last-minute changes.
The part of HealthCare.gov that serves as the entryway for consumers eventually passed security certification, but the GAO revealed that security testing continued well into this year on other important components that deal with health plan information and financial management. The administration said that's because those components were still in stages of development.
The report also confirmed security flaws in state computer systems linking to the federal network, a problem reported earlier this year by The Associated Press.
The Associated Press contributed to this report.