OIG: Obamacare Data Repository Had Security FlawsWeaknesses Found in System Used for Data Analysis Have Been Addressed
Federal auditors say a data repository the Department of Health and Human Services uses for data analysis and reporting for the Affordable Care Act, better known as Obamacare, had numerous data security shortcomings that have since been addressed.
Some security experts say the problems identified by HHS' Office of the Inspector General when it examined the Multidimensional Insurance Data Analytics System, or MIDAS, are commonly found at other organizations, including healthcare entities and other government agencies that have large data repositories.
MIDAS, which is operated by the Centers for Medicare and Medicaid Services within HHS, supports the HealthCare.gov health insurance exchange website and systems by acting as a central repository for capturing, aggregating and analyzing enrollment, plan selection, consumer and other marketplace data. MIDAS provides reporting and performance metrics to HHS for Obamacare.
CMS says that among the data contained in MIDAS are consumer names, addresses, email addresses, phone numbers, dates of birth, Social Security Numbers, consumer-provided income information, financial account information, military and employment status and passport numbers.
In a September 2015 report about the audit, OIG says that although CMS had implemented controls to secure MIDAS and consumers' personally identifiable information, "we identified areas for improvement in its information security controls."
OIG says that at the time of its review of MIDAS, which took place between August and December 2014, auditors found that CMS:
- Had not disabled unnecessary generic accounts in its test environment;
- Had not encrypted user sessions;
- Had not conducted automated vulnerability assessments that simulate known attacks, which would have revealed vulnerabilities, including password weaknesses and misconfigurations, specific to the application or databases that support MIDAS;
- Used a shared read-only account for access to the database that contained the consumer PII.
"In addition to the information security control vulnerabilities mentioned above, our database vulnerability scans identified 22 high, 62 medium, and 51 low vulnerabilities," OIG wrote in the report. "We made related recommendations to address the issues we identified.
In a May 2015 letter that's contained in the OIG report, CMS Acting Administrator Andrew Slavitt said that CMS remediated all vulnerabilities and addressed all findings OIG identified by February 2015.
"MIDAS is an internal system accessible only by authorized CMS employees and support personnel," Slavitt noted. "Use of MIDAS must be requested and approved based on appropriate justification before staff or a contractor is granted access."
CMS requires MIDAS, like all federal systems, to comply with the Federal Information Security Management Act of 2002, Slavitt said. "CMS is focused on continually strengthening our security and privacy controls. In addition to weekly vulnerability assessments of the MIDAS environment, we conduct an annual security control assessment that meets federal and industry standards."
Some security experts say the security issues that OIG identified in MIDAS are relatively common at organizations across all business sectors and can put data at risk if not corrected.
"While the MIDAS database is outside of Healthcare.gov, it stores a lot of confidential information related to healthcare insurance," says Tom Walsh, founder of consulting firm tw-Security. "In my opinion, this would make the database a prime target for hackers - a serious concern."
Security and privacy expert Kate Borten, founder of consulting firm The Marblehead Group, says the OIG report spotlights some common weaknesses in security strategies.
"Many organizations perform vulnerability scans and penetration tests, but not all," she says. "And even those organizations performing such tests may not be looking at the application or database levels, or testing passwords."
Securing databases, "especially from a backdoor attack - can be challenging for any organization," Walsh says. "The front-end security of a database relies on the security controls of the application accessing the database. Programs continue to grow in complexity making code reviews more challenging. The security of the backend of the database relies on network and operating system security. The same interfaces that allow the database to exchange data with other systems can become an authorized pathway into the database."
Steps to Take
Organizations can take several measures to address the kinds of weaknesses that OIG identified in MIDAS, as well as other common security issues in these types of systems, says Kerry McConnell, a principal consultant with tw-Security.
- Conducting periodic evaluations at technical and non-technical issues;
- Maintaining strong configuration and patch management for the server and storage;
- Implementing host-based intrusion prevention/detection systems;
- Implementing network-based intrusion prevention/detection systems;
- Deploying data loss prevention solutions where possible to detect information leaking from the organization;
- Maintaining tighter access controls for nonemployees, such as contractors;
- Carefully managing remote connectivity using secure connections, two-factor authentication, session timeouts and access log reviews;
- Hiring third parties to conduct vulnerability scans and penetration tests, but avoid using the same third party two years in a row;
- Managing those with elevated privileges, such as system and database administrators, by limiting the number of individuals with privileges, maintaining a list of those with elevated privileges, requiring strong passwords and/or implementing two-factor authentication and requiring background checks of elevated privilege users every two to three years.