
Watchdogs found 'critical vulnerabilities' at

could be vulnerable to cyber attacks.

Officials at the U.S. Department of Health and Human Services Office of Inspector General (HHS OIG) have delivered that verdict in a new report on tests of the U.S. Department of Health and Human Services (HHS) exchange systems, and of state-based systems in Kentucky and New Mexico. HHS OIG is an agency that’s supposed to keep tabs on HHS.

The agency checked — the Patient Protection and Affordable Care Act (PPACA) enrollment system for the public exchanges run by HHS – to see whether system managers are meeting federal security planning and risk assessment standards; how well the system managers respond to actual security incidents; and how a system stands up to automated vulnerability testing.

The agency also conducted penetration testing — efforts to get access to system resources without knowing user names or passwords. Also, the agency conducted similar reviews of the Kentucky and New Mexico systems.

The Kentucky system had some planning problems, because officials were moving technology management from one agency to another, but the exchange itself did well on security tests, HHS OIG officials report. Kentucky managers should make sure to do penetration tests of outside networks, not just of their own systems, officials say.

In New Mexico, investigators found data encryption, remote access, patch management and Universal Serial Bus port problems. Two of the vulnerabilities were critical, according to officials.

At, the Centers for Medicare & Medicaid Services (CMS) — the HHS agency in charge of the exchange program — did not detect or defend against investigators’ website vulnerability scanning or simulated cyber attacks, officials say.

One problem was that CMS had not implemented an effective scanning tool to test for site vulnerabilities, officials found. CMS has fixed the problems, but, while the problems existed, they put users’ personal information at risk, officials say.

