The Centers for Medicare & Medicaid Services (CMS) and its parent, the U.S. Department of Health and Human Services (HHS), took “significant security risks” when they let the HealthCare.gov public exchange enrollment system go live on Oct. 1, 2013 — and they still have no good way to know whether the system has security holes.
Gregory Wilshusen and Nabajyoti Barkakati, directors at the U.S. Government Accountability Office (GAO), reach that conclusion in a report on weaknesses in the information security and privacy controls at HealthCare.gov.
HealthCare.gov helps consumers and small businesses use the state exchanges managed by HHS to apply for qualified health plan (QHP) coverage. HealthCare.gov also helps consumers in states with state-based PPACA exchanges find those exchanges, and a HealthCare.gov consumer information “data hub” helps state-based exchanges verify whether consumers are eligible for PPACA QHP subsidies.
Congress required the HHS secretary to certify that HealthCare.gov was secure before letting it open for business.
Officials at HHS told the GAO that independent security firms had completed testing of the data hub and the HHS-run exchange systems that went live Oct. 1, with no open warnings of high-risk problems. Every state that connected to the data hub complied with CMS security procedures, HHS officials told the GAO.
The GAO directors say they disagree with the idea that CMS took no significant risk when it let HealthCare.gov systems go live.
“The fact that CMS’s security contractor had not been able to test all of the security controls for the [HHS-run exchanges] in one complete version of the system meant that there was an increased risk that undetected security control deficiencies could lead to a compromise that jeopardized the confidentiality, availability, and integrity of HealthCare.gov and the data it maintained,” the GAO directors write.