The report from the
"Although we did not identify evidence that the vulnerabilities had been exploited, exploitation could have resulted in unauthorized access to and disclosure of (personal information), as well as disruption of critical marketplace operations," the report finds.
MNsure has been plagued with technology issues since its launch in 2013, including a website that consumers often found difficult to access and buggy back-end systems to manage cases on public programs. Many of those problems have been fixed since 2013, but others remain in progress.
The inspector general made four specific recommendations for MNsure and Minnesota IT Services to fix the vulnerabilities. Its report did not disclose what those recommendations were "because of the sensitive nature of our findings." Neither were specifics mentioned late last month when the audit was generally discussed at a MNsure steering committee meeting.
MNsure, the report noted, disagreed with two unspecified security recommendations from the inspector general. But at the meeting last month,
"MNsure remains a highly-secure system that Minnesotans should feel confident using," MNsure and Minnesota IT Services said in a joint statement.
Buse said it was no surprise that they found some vulnerabilities.
"The fact that the team found vulnerabilities was not surprising to us," he said. "The reality that we face as security professionals today is that every computer system in the world has software vulnerabilities."
Though the report was published this week, MNsure's systems were analyzed in the summer of 2015. The inspector general's office informed MNsure of the vulnerabilities "promptly" before issuing the report.
Buse said the inspector general's team had several "specialized tools" that were able to find vulnerabilities "faster and more accurately" than the state's existing tools. He said he was "quite impressed" to see that and is exploring acquiring licenses for those tools.
(c)2016 the Pioneer Press (St. Paul, Minn.)
Visit the Pioneer Press (St. Paul, Minn.) at www.twincities.com
Distributed by Tribune Content Agency, LLC.