Some of the Patient Protection and Affordable Care Act (PPACA) exchanges may have obvious holes in the security measures they use to protect federal tax information, and finding those holes may take the Internal Revenue Service (IRS) years.

Officials at the Treasury Inspector General for Tax Administration (TIGTA) — a watchdog agency that keeps tabs on the IRS — have published information about the steps the state-based exchanges are using to protect tax information in a new report.

The state-based exchanges are using the tax information to verify exchange users’ identities and to verify whether the users qualified for the new PPACA premium subsidies or PPACA cost-sharing reduction subsidies.

One thing the TIGTA officials have done is show just how much tax information the IRS is sending to the exchange system. The IRS sent about 23 million tax information reports during the first annual PPACA exchange open enrollment period, from October 2013 through March 2014. About 13 million of the reports went to the HealthCare.gov system at the U.S. Department of Health and Human Services (HHS). The rest went to state exchanges.

Why should you care about how the exchanges protect tax information?

If you have sold any qualified health plans (QHPs) through an exchange, the answer is obvious. The last thing on earth you need this month is for your customers’ tax information to be hacked.

Even if you are a life agent, or a financial advisor, you may have a stake in seeing that hackers do not figure out some creative way to use the office of the nearest public exchange to tap the IRS taxpayer information databases.

So, what could some (or many) of the exchanges have done wrong? Read on.

1. Some exchange programs were too poorly run to be able to give TIGTA a “plan of action and milestones” (POA&M) report that TIGTA could use in its own report.

TIGTA analysts got POA&Ms from HHS to create a chart showing how many state-based exchanges had which kind of open data security weaknesses as of Oct. 1, 2013.

The analysts found, for example, that eight states had problems with identification and authentication, and seven had problems with identifier management.

But TIGTA could use only 11 POA&Ms in the chart … because it could get POA&Ms for only 11 exchanges. Five other exchanges had none.

2. Exchanges may not have gotten top managers to sign the required security authorizations.

Top exchange managers are supposed to show that they have thought long and hard about the seriousness of taking in personal tax information, and thought long and hard about security controls, by signing authorization forms. The exchanges didn’t have to send the signed forms to the IRS, but they were supposed to have the signed forms in their offices.

In real life, the exchange offices TIGTA officials visited in person — in California and Connecticut — could not show the officials the signed forms.

Because top exchange officials had not signed the forms, the IRS had no proof that a top exchange manager had assessed and accepted the risks of any controls not yet in place when the exchange went live, TIGTA officials say.

3. The IRS could take as long as three years to do on-site testing of the security systems at some exchanges.

The Office of Safeguards at the IRS conducted on-site tests of three of the 16 state-based exchanges within the first six months of operation, and three more exchanges by June 2014.

But the schedule in place when TIGTA started doing its report gave the IRS three years to review all of the exchanges, even though the Internal Revenue Manual suggests that entities receiving tax information for the first time should be reviewed within the first year after starting to get the information.

4. At least one exchange might have really left a digital door unlocked.

TIGTA notes at one point, in a discussion of why having on-site inspections of the exchanges would be a good idea, that, at one exchange, testing “revealed a serious weakness related to remote access requiring prompt action.”

TIGTA leaves the exact nature of that “serious weakness” to the imagination.