The Internal Revenue Service (IRS) rushed a major Patient Protection and Affordable Care Act (PPACA) tax form checking system into use earlier this year without putting it through a complete security assessment process, a watchdog agency official says.
In addition, because of IRS PPACA system project management problems, the tax form checker was using outmoded, potentially dangerous versions of the Java Runtime Environment program when the IRS started using the tax form checker, the official says.
Michael McKenney, the deputy inspector general for audit, an official at the Treasury Inspector General for Tax Administration (TIGTA), presented those conclusions in a report on the state of security at the Affordable Care Act Verification Service (AVS).
TIGTA, like other Obama administration agencies, refers to the health care law as the ACA.
The PPACA exchange system began offering consumers health insurance premium tax credits in 2014. Starting with the 2015 tax filing year, tax credit users were supposed to use IRS Form 8962 to report on the use of the new premium tax credits.
The IRS developed the AVS system to check the math, completeness and consistency of 8962 forms; check whether 8962 form users who reported receiving premium tax credits had actually enrolled in exchange plan coverage; and identify taxpayers who had received premium tax credits, but had not yet filed 8962 forms.
Originally, the IRS wanted to complete project-level AVS testing by June 2014 and to start final integration testing, including security testing, in September 2014. But coders delivered the AVS system code late, and that caused a series of project-level testing delays, McKenney writes in the TIGTA report.
The IRS cybersecurity team scanned the AVS servers on Jan. 6, 2015, which is the same day the IRS started using the AVS system, McKenney says.
The AVS looked good when the cybersecurity team conducted the scans, but the IRS official who authorized the system for use did not have a complete AVS security assessment report when the system went live, McKenney says.
One result of the AVS development and testing problems is that the AVS system has had bugs, McKenney says.
“For example,” he says, “due to programming errors, the AVS incorrectly performed the math check on Form 8962, line 8b, Monthly Contributions for Health Care, of certain returns.”
Another problem is that the AVS system, like the rest of ACA Release 5.0, started 2015 using Java Runtime Environment versions 5, 6 and 7, McKenney says.
Those versions of Java “had dozens of unremediated vulnerabilities at the time the updated ACA security authorization was signed and the AVS was placed into production,” McKenney says. “These vulnerabilities could allow unauthorized connections, untrusted applications to gain privilege and remote attackers to bypass intended access restrictions.”