After examining the security and privacy of the Healthcare.gov website and its supporting systems at CMS, the Government Accountability Office (GAO) published a report with 6 security management and 22 technical security recommendations.
When the federal insurance exchange website launched in October 2013, CMS accepted increased security risks, according to GAO. At the time, 4 states had not completed all CMS security requirements, but were allowed to connect to the data hub anyway. Furthermore, security controls for the federally facilitated marketplace (FFM) had not been tested for a fully integrated version of the system.
“While CMS has security and privacy-related protections in place for Healthcare.gov and related systems, weaknesses exist that put these systems and the sensitive personal information they contain at risk,” according to the GAO.
Security control weaknesses that could threaten Healthcare.gov and related systems include the following: strong passwords were not always required or enforced on systems supporting the FFM; some supporting systems were not restricted from accessing the Internet; and CMS did not consistently apply security patches in a timely manner.
GAO also identified boundary protection, identification and authentication, authorization, and configuration management weaknesses.
“Collectively, these weaknesses put Healthcare.gov systems and the information they contain at increased and unnecessary risk of unauthorized access, use, disclosure, modification, and loss,” the report’s authors wrote.
GAO made the following 6 recommendations aimed at improving security management of Healthcare.gov:
1. Ensure that system security plans for the FFM and data hub contain all information recommended by the National Institute of Standards and Technology.
2. Ensure that all privacy risks associated with Healthcare.gov are analyzed and documented in privacy impact assessments.
3. Develop computer matching agreements with the Office of Personnel Management and the Peace Corps to govern data that are being compared with CMS data to verify eligibility for advance premium tax credits and cost-sharing reductions.
4. Perform a comprehensive security assessment of the FFM, including the infrastructure, platform, and all deployed software elements.
5. Ensure that the planned alternate processing site for the systems supporting Healthcare.gov is established and made operational in a timely fashion.
6. Establish detailed security roles and responsibilities for contractors, including participation in security control reviews, to better ensure effective communication among individuals and entities with responsibility for the security of the FFM and its supporting infrastructure.
In response to the GAO’s report, CMS Administrator Marilyn Tavenner said at a congressional hearing on September 18 that CMS plans to perform a comprehensive security assessment of Healthcare.gov by the end of September, according to Modern Healthcare. She added that CMS would put in place all the recommendations by the time open enrollment begins on November 15.