Actions Needed to Address Weaknesses in Information Security and Privacy Controls
Targeted News Service |
What GAO Found
Many systems and entities exchange information to carry out functions that support individuals' ability to use Healthcare.gov to compare, select, and enroll in private health insurance plans participating in the federal marketplaces, as required by the Patient Protection and Affordable Care Act (PPACA). The
While CMS has taken steps to protect the security and privacy of data processed and maintained by the complex set of systems and interconnections that support Healthcare.gov, weaknesses remain both in the processes used for managing information security and privacy as well as the technical implementation of IT security controls. CMS took many steps to protect security and privacy, including developing required security program policies and procedures, establishing interconnection security agreements with its federal and commercial partners, and instituting required privacy protections. However, Healthcare.gov had weaknesses when it was first deployed, including incomplete security plans and privacy documentation, incomplete security tests, and the lack of an alternate processing site to avoid major service disruptions. While CMS has taken steps to address some of these weaknesses, it has not yet fully mitigated all of them. In addition, GAO identified weaknesses in the technical controls protecting the confidentiality, integrity, and availability of the FFM. Specifically, CMS had not: always required or enforced strong password controls, adequately restricted access to the Internet, consistently implemented software patches, and properly configured an administrative network. An important reason that all of these weaknesses occurred and some remain is that CMS did not and has not yet ensured a shared understanding of how security was implemented for the FFM among all entities involved in its development. Until these weaknesses are fully addressed, increased and unnecessary risks remain of unauthorized access, disclosure, or modification of the information collected and maintained by Healthcare.gov and related systems, and the disruption of service provided by the systems.
Why GAO Did This Study
PPACA required the establishment of health insurance marketplaces to assist individuals in obtaining private health insurance coverage.
GAO (1) describes the planned exchanges of information between the Healthcare.gov website and other organizations and (2) assesses the effectiveness of the programs and controls implemented by CMS to protect the security and privacy of the information and IT systems used to support Healthcare.gov. GAO compared the implementation of controls over Healthcare.gov's supporting systems with privacy and security requirements and guidelines. This is a public version of a limited official use only report that GAO issued in
What GAO Recommends
GAO is making six recommendations to implement security and privacy management controls to help ensure that the systems and information related to Healthcare.gov are protected. HHS concurred but disagreed in part with GAO's assessment of the facts for three recommendations. However, GAO continues to believe its recommendations are valid, as discussed in the report.
For more information, contact
Barkakati at (202) 512-4499 or [email protected].
TNS 30FurigayJane-140917-4862764 30FurigayJane
Copyright: | (c) 2014 Targeted News Service |
Wordcount: | 706 |
Life Insurance Coverage Slowly On Decline
Advisor News
Annuity News
Health/Employee Benefits News
Life Insurance News