Close Close
Sign In
Newsletters
Popular Financial Topics Discover relevant content from across the suite of ALM legal publications From the Industry More content from ThinkAdvisor and select sponsors Investment Advisor Issue Gallery Read digital editions of Investment Advisor Magazine Tax Facts Get clear, current, and reliable answers to pressing tax questions
Luminaries Awards
Podcast Center Video Center Webcasts Resource Center Events
About ThinkAdvisor Contact Us Advertise With Us Asset & Logo Licensing Sitemap Terms of Service Privacy Policy Copyright © 2024 ALM Global, LLC. All Rights Reserved.
ThinkAdvisor

Life Health > Health Insurance > Health Insurance

Watchdogs found 'critical vulnerabilities' at HealthCare.gov

By Allison Bell

X
Your article was successfully shared with the contacts you provided.

HealthCare.gov could be vulnerable to cyber attacks.

Officials at the U.S. Department of Health and Human Services Office of Inspector General (HHS OIG) have delivered that verdict in a new report on tests of the U.S. Department of Health and Human Services (HHS) exchange systems, and of state-based systems in Kentucky and New Mexico. HHS  OIG is an agency that’s supposed to keep tabs on HHS.

The agency checked HealthCare.gov — the Patient Protection and Affordable Care Act (PPACA) enrollment system for the public exchanges run by HHS – to see whether system managers are meeting federal security planning and risk assessment standards; how well the system managers respond to actual security incidents, and how a system stands up to automated vulnerability testing.

The agency also conducted penetration testing — efforts to get access to system resources without knowing user names or passwords. Also, the agency conducted similar reviews of the Kentucky and New Mexico systems.

The Kentucky system had some planning problems, because officials were moving technology management from one agency to another, but the exchange itself did well on security tests, HHS OIG officials report. Kentucky managers should make sure to do penetration tests of outside networks, not just of their own systems, officials say.

In New Mexico, investigators found data encryption, remote access, patch management and Universal Serial Bus port problems. Two of the vulnerabilities were critical, according to officials.

At HealthCare.gov, the Centers for Medicare & Medicaid Services (CMS) — the HHS agency in charge of the exchange program — did not detect or defend against investigators’ website vulnerability scanning or simulated cyber attacks, officials say.

One problem was that CMS had not implemented an effective scanning tool to test for site vulnerabilities, officials found. CMS has fixed the problems, but, while the problems existed, they put users’ personal information at risk, officials say.

NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.