ThinkAdvisor

Watchdog: IRS deployed PPACA system before completing full security checks

A watchdog agency says the Internal Revenue Service (IRS) needs to beef up the process it uses to protect a key public health insurance exchange database system, the Coverage Data Repository.

Terence Milholland, the chief technology officer at the IRS, says the IRS believes it’s already using a strong testing strategy.

The watchdog agency, the Treasury Inspector General for Tax Administration (TIGTA), is telling the IRS to apply the full testing process to a limited, temporary information-sharing effort that was simply used to help public exchange managers set up their systems, IRS officials say.

TIGTA officials talk about their concerns in a report on Patient Protection and Affordable Care Act (PPACA) data repository risks.

TIGTA gave the report to the IRS in June, but it waited until this week to make the report available to the public, and it blacked out some portions due to security concerns.

The data repository covered in the report holds PPACA exchange plan applicants’ family size and income data, not personal health information. The IRS uses the data to verify taxpayers’ PPACA exchange plan premium tax credit claims. 

TIGTA investigators looked at how the IRS worked with other agencies when it was developing the systems, how the IRS handled security concerns, and whether the IRS put in the audit trails it needs to see whether authorized system users or intruders got unauthorized access (UNAX) to personal exchange user information.

Earlier this year, the IRS needed to improve the audit trails, and it needed better systems for keeping unauthorized software from running on its computers, TIGTA says.

TIGTA also says the IRS let the data repository go online “before responsible officials completely assessed security risks and authorized the system to operate.”

IRS officials say the data repository usually connects with the PPACA exchange Data Services Hub system at the Centers for Medicare & Medicaid Services (CMS), not directly with either the state-based exchanges or the HealthCare.gov exchanges that CMS runs.

The IRS did have the data repository connect directly with the exchange managers for a time, so that the exchange managers could validate their systems, but the main focus of the IRS has been on setting up and testing the Data Services Hub, IRS officials say.

But the IRS agreed that it needed to have a better system for making sure that top data repository officials and security staffers had recognized and accepted risks prior to deployment. The agency said it had updated its security operating procedures and templates in response to a TIGTA risk-evaluation recommendation.
