HealthCare.gov could be vulnerable to cyber attacks.
Officials at the U.S. Department of Health and Human Services Office of Inspector General (HHS OIG) have delivered that verdict in a new report on tests of the U.S. Department of Health and Human Services (HHS) exchange systems, and of state-based systems in Kentucky and New Mexico. HHS OIG is an agency that’s supposed to keep tabs on HHS.
The agency checked HealthCare.gov — the Patient Protection and Affordable Care Act (PPACA) enrollment system for the public exchanges run by HHS — to see whether system managers are meeting federal security planning and risk assessment standards; how well the system managers respond to actual security incidents; and how a system stands up to automated vulnerability testing.
The agency also conducted penetration testing — efforts to get access to system resources without knowing user names or passwords. Also, the agency conducted similar reviews of the Kentucky and New Mexico systems.
The Kentucky system had some planning problems, because officials were moving technology management from one agency to another, but the exchange itself did well on security tests, HHS OIG officials report. Kentucky managers should make sure to do penetration tests of outside networks, not just of their own systems, officials say.
In New Mexico, investigators found data encryption, remote access, patch management and Universal Serial Bus port problems. Two of the vulnerabilities were critical, according to officials.
At HealthCare.gov, the Centers for Medicare & Medicaid Services (CMS) — the HHS agency in charge of the exchange program — did not detect or defend against investigators’ website vulnerability scanning or simulated cyber attacks, officials say.
One problem was that CMS had not implemented an effective scanning tool to test for site vulnerabilities, officials found. CMS has fixed the problems, but, while the problems existed, they put users’ personal information at risk, officials say.
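The report's finding that CMS "did not detect" the investigators' vulnerability scanning is, in practice, a monitoring gap: scanner traffic leaves a recognisable trail in web server access logs. The following Python script is an added illustration written for this article, not code from the OIG report, CMS or HealthCare.gov; it parses constructed Combined Log Format lines (addresses from the RFC 5737 documentation ranges, invented paths) and flags a client when its User-Agent carries a known scanner name or when it requests many distinct non-existent paths within a short window. The User-Agent marker list and the thresholds are illustrative assumptions a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Illustrative assumption: lower-case fragments of User-Agent strings that
# common scanners send by default. A real list would be maintained separately.
SCANNER_UA_MARKERS = ("nikto", "sqlmap", "nmap", "masscan", "zgrab")

# Constructed sample log (not real HealthCare.gov traffic). IPs are from
# documentation ranges; 203.0.113.7 is an ordinary user, 198.51.100.9 announces
# a scanner in its User-Agent, 192.0.2.44 hides behind a browser UA but probes
# several paths that do not exist.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2014:13:55:01 +0000] "GET /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.7 - - [10/Oct/2014:13:55:09 +0000] "GET /favicon.ico HTTP/1.1" 404 213 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.9 - - [10/Oct/2014:13:55:02 +0000] "GET /admin/ HTTP/1.1" 404 213 "-" "Nikto/2.1.5"
198.51.100.9 - - [10/Oct/2014:13:55:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 213 "-" "Nikto/2.1.5"
198.51.100.9 - - [10/Oct/2014:13:55:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 213 "-" "Nikto/2.1.5"
192.0.2.44 - - [10/Oct/2014:13:56:00 +0000] "GET /backup.zip HTTP/1.1" 404 213 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2014:13:56:01 +0000] "GET /old/ HTTP/1.1" 404 213 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2014:13:56:02 +0000] "GET /wp-login.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2014:13:56:04 +0000] "GET /test/ HTTP/1.1" 404 213 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2014:13:56:07 +0000] "GET /server-status HTTP/1.1" 404 213 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_scanners(lines, window_seconds=60, not_found_threshold=5):
    """Return {ip: sorted reasons} for clients whose traffic looks like a scan."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        reasons = set()
        recs.sort(key=lambda r: r["ts"])

        # Rule 1: the client names a scanner in its User-Agent.
        for r in recs:
            ua = r["ua"].lower()
            if any(marker in ua for marker in SCANNER_UA_MARKERS):
                reasons.add("scanner user-agent: " + r["ua"])
                break

        # Rule 2: sliding window over 404 responses; many distinct missing
        # paths in a short period is the signature of path enumeration.
        misses = [r for r in recs if r["status"] == 404]
        start = 0
        for end in range(len(misses)):
            while (misses[end]["ts"] - misses[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            distinct = {r["path"] for r in misses[start:end + 1]}
            if len(distinct) >= not_found_threshold:
                reasons.add(f"{len(distinct)} distinct missing paths within {window_seconds}s")
                break

        if reasons:
            findings[ip] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for ip, reasons in detect_scanners(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", "; ".join(reasons))
```

Run as-is, the script reports 198.51.100.9 on the User-Agent rule alone (its three probes stay under the path threshold) and 192.0.2.44 on the path-enumeration rule alone; the ordinary user is not flagged. The second rule matters more than the first: a scanner that sets a browser User-Agent defeats rule 1, which is why the 404-burst heuristic, fed from the same logs CMS already kept, is the kind of low-cost detection the report's finding implies was missing.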