OIG Finds HealthCare.gov Vulnerability
Report Outlines Strengths, Weaknesses of Obamacare Systems
Federal auditors found one "critical vulnerability" when they tested the security of HealthCare.gov, the website for Obamacare, earlier this year, but that vulnerability has since been resolved.
The report released on Sept. 23 by the Department of Health and Human Services' Office of the Inspector General gives the security of the Obamacare site and systems a mixed review.
The OIG report was issued one week after another government watchdog agency, the Government Accountability Office, also issued a report that found numerous shortcomings in HealthCare.gov information security measures (see GAO: HealthCare.gov Has Security Flaws). At a House hearing on Sept. 18, Marilyn Tavenner, administrator of the Centers for Medicare and Medicaid Services, testified that CMS would address GAO's concerns by implementing the recommendations made by the agency before the next Obamacare open enrollment season opens on Nov. 15 (see HealthCare.gov Security Fixes Promised).
For its audit of HealthCare.gov, OIG from February to June 2014 reviewed the site's security controls and completed a Web application vulnerability scan.
OIG says the vulnerability scan and simulated attacks, which were conducted in April and May, revealed one critical vulnerability in HealthCare.gov, which it confirmed with CMS, the unit of HHS responsible for the Affordable Care Act programs, including the HealthCare.gov website and systems.
"CMS stated that it was aware of the vulnerability and had developed a corrective action plan with a scheduled completion date of June 30, 2014," the report states. "Therefore, the vulnerability had not been fully remediated at the time we performed our vulnerability scan. Subsequently, CMS informed us that the recommended remediation was implemented to resolve the vulnerability."
In its report, OIG outlined a number of positive and negative findings about HealthCare.gov security.
On the positive side, OIG says that since the launch of HealthCare.gov on Oct. 1, 2013, CMS has taken actions to lower the security risks including, for example:
- Establishing a dedicated security team under the CIO to monitor and track corrective action plans for vulnerabilities and ensure they are completed;
- Performing weekly vulnerability scans of federally facilitated marketplace-related systems; and
- Completing two security control assessments.
OIG, however, says it also found a number of "areas for improvement" that CMS had not completed by the time of its review. Those include CMS:
- Not detecting and defending against OIG's website vulnerability scanning and simulated cyber-attacks directed at the HealthCare.gov website;
- Not implementing a process to use automated tools to test database security configuration settings on all of its supporting databases;
- Not implementing an effective enterprise scanning tool to test for website vulnerabilities; and
- Not maintaining adequate documentation to verify that it had encrypted a database containing user credentials by using a Federal Information Processing Standard (FIPS) 140-2-approved cryptographic module.
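The first of those findings, that the auditors' scanning and simulated attacks went unnoticed, is the one a defender can act on most directly from ordinary web server logs. As an added illustration that is not taken from the OIG report or from any CMS tooling, the Python below parses combined-format access-log lines, groups each client's requests into five-minute windows, and flags clients that produce a high share of 4xx responses or touch many distinct paths in one window, the footprint an automated vulnerability scan typically leaves. The log lines, client addresses and thresholds are constructed for the example.

```python
"""Flag automated web-scanning behaviour in access logs.

Added example (not from the OIG report or CMS): a minimal, behaviour-based
detector a defender can run over web server access logs so that an
assessment scan is noticed rather than missed. All sample data and
thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format:
#   ip - - [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect_scanners(lines, window_seconds=300, min_requests=20,
                    error_ratio=0.5, min_distinct_paths=15):
    """Return {client_ip: [reasons]} for clients whose traffic looks like probing.

    Requests are bucketed per client into fixed windows of window_seconds.
    A window with at least min_requests is flagged when the share of 4xx
    responses reaches error_ratio or the number of distinct paths reaches
    min_distinct_paths. Thresholds are illustrative and should be tuned
    to the site's normal traffic.
    """
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the detector
        bucket = int(rec["ts"].timestamp()) // window_seconds
        buckets[(rec["ip"], bucket)].append(rec)

    findings = {}
    for (ip, _bucket), recs in buckets.items():
        if len(recs) < min_requests:
            continue
        reasons = []
        errors = sum(1 for r in recs if 400 <= r["status"] < 500)
        if errors / len(recs) >= error_ratio:
            reasons.append(f"{errors}/{len(recs)} responses were client errors")
        distinct = len({r["path"] for r in recs})
        if distinct >= min_distinct_paths:
            reasons.append(f"{distinct} distinct paths requested")
        if reasons:
            findings.setdefault(ip, []).extend(reasons)
    return findings


def make_sample_log():
    """Constructed sample: one probing client and one ordinary visitor."""
    base = datetime(2014, 4, 15, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Hypothetical scanner: 25 requests for non-existent files in 72 seconds.
    for i in range(25):
        t = (base + timedelta(seconds=3 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.5 - - [{t}] "GET /probe-{i}.bak HTTP/1.1" '
                     f'404 162 "-" "Mozilla/5.0"')
    # Hypothetical ordinary visitor: a handful of successful page loads.
    for i in range(5):
        t = (base + timedelta(seconds=40 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.7 - - [{t}] "GET /marketplace/plans HTTP/1.1" '
                     f'200 5120 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, reasons in detect_scanners(make_sample_log()).items():
        print(f"{ip}: {'; '.join(reasons)}")
```

The detector deliberately keys on behaviour rather than on a scanner's User-Agent string, which any tool can change; in practice the output would feed a ticket or an alert so that an internal security team, such as the dedicated team the report credits CMS with establishing, can confirm whether the source was an authorised assessment.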
OIG notes in the report that in written comments, CMS concurred with all of OIG's recommendations and described the actions it has taken and plans to take to implement them. "However, CMS stated that it did not believe that the finding and recommendation related to encrypting files using an encryption module that has been FIPS 140-2 validated should be included because the actions it has taken to resolve the issue were sufficient," the report notes. "Although CMS had implemented controls to mitigate risks related to the finding, we did not receive supporting documentation to verify FIPS 140-2 compliance during our audit and remain concerned about CMS's use of encryption modules that are not FIPS 140-2 validated." Therefore, OIG did not change its recommendation, the report says.