Watchdog: IRS deployed PPACA system before completing full security checks

September 09, 2015 at 10:14 AM

A watchdog agency says the Internal Revenue Service (IRS) needs to beef up the process it uses to protect a key public health insurance exchange database system, the Coverage Data Repository.

Terence Milholland, the chief technology officer at the IRS, says the IRS believes it's already using a strong testing strategy.

The watchdog agency, the Treasury Inspector General for Tax Administration (TIGTA), is telling the IRS to apply the full testing process to a limited, temporary information-sharing effort that was simply used to help public exchange managers set up their systems, IRS officials say.

TIGTA officials talk about their concerns in a report on Patient Protection and Affordable Care Act (PPACA) data repository risks.

TIGTA gave the report to the IRS in June, but it waited until this week to make the report available to the public, and it blacked out some portions due to security concerns.

The data repository covered in the report holds PPACA exchange plan applicants' family size and income data, not personal health information. The IRS uses the data to verify taxpayers' PPACA exchange plan premium tax credit claims. 

TIGTA investigators looked at how the IRS worked with other agencies when it was developing the systems, how the IRS handled security concerns, and whether the IRS put in the audit trails it needs to see whether authorized system users or intruders got unauthorized access (UNAX) to personal exchange user information.

Earlier this year, the IRS needed to improve the audit trails, and it needed better systems for keeping unauthorized software from running on its computers, TIGTA says.

TIGTA also says the IRS let the data repository go online "before responsible officials completely assessed security risks and authorized the system to operate."

IRS officials say the data repository usually connects with the PPACA exchange Data Services Hub system at the Centers for Medicare & Medicaid Services (CMS), not directly with either the state-based exchanges or the HealthCare.gov exchanges that CMS runs.

The IRS did have the data repository connect directly with the exchange managers for a time, so that the exchange managers could validate their systems, but the main focus of the IRS has been on setting up and testing the Data Services Hub, IRS officials say.

But the IRS agreed that it needed to have a better system for making sure that top data repository officials and security staffers had recognized and accepted risks prior to deployment. The agency said it had updated its security operating procedures and templates in response to a TIGTA risk-evaluation recommendation.
