Skip to main content

Healthcare.gov: Actions Needed to Address Weaknesses in Information Security and Privacy Controls

GAO-14-730 Published: Sep 16, 2014. Publicly Released: Sep 16, 2014.
Jump To:
Skip to Highlights

Highlights

What GAO Found

Many systems and entities exchange information to carry out functions that support individuals' ability to use Healthcare.gov to compare, select, and enroll in private health insurance plans participating in the federal marketplaces, as required by the Patient Protection and Affordable Care Act (PPACA). The Centers for Medicare & Medicaid Services (CMS) has overall responsibility for key federal systems supporting Healthcare.gov, including the Federally Facilitated Marketplace (FFM) system, which contains several modules that perform key functions related to health plan enrollment, and the Federal Data Services Hub (data hub), which provides connectivity between the FFM and other state and federal systems. CMS is also responsible for overseeing state-based marketplaces, which vary in the extent to which they exchange information with CMS. Other federal agencies, including the Department of Defense, Department of Homeland Security, Internal Revenue Service, Office of Personnel Management, Peace Corps, Social Security Administration, and the Department of Veterans Affairs also play key roles in maintaining systems that connect with CMS systems to perform eligibility-checking functions. Finally, a number of commercial entities, including CMS contractors, participating issuers of qualified health plans, agents, and others also connect to the network of systems that support enrollment in Healthcare.gov.

While CMS has taken steps to protect the security and privacy of data processed and maintained by the complex set of systems and interconnections that support Healthcare.gov, weaknesses remain both in the processes used for managing information security and privacy as well as the technical implementation of IT security controls. CMS took many steps to protect security and privacy, including developing required security program policies and procedures, establishing interconnection security agreements with its federal and commercial partners, and instituting required privacy protections. However, Healthcare.gov had weaknesses when it was first deployed, including incomplete security plans and privacy documentation, incomplete security tests, and the lack of an alternate processing site to avoid major service disruptions. While CMS has taken steps to address some of these weaknesses, it has not yet fully mitigated all of them. In addition, GAO identified weaknesses in the technical controls protecting the confidentiality, integrity, and availability of the FFM. Specifically, CMS had not: always required or enforced strong password controls, adequately restricted access to the Internet, consistently implemented software patches, and properly configured an administrative network. An important reason that all of these weaknesses occurred and some remain is that CMS did not and has not yet ensured a shared understanding of how security was implemented for the FFM among all entities involved in its development. Until these weaknesses are fully addressed, increased and unnecessary risks remain of unauthorized access, disclosure, or modification of the information collected and maintained by Healthcare.gov and related systems, and the disruption of service provided by the systems.

Why GAO Did This Study

PPACA required the establishment of health insurance marketplaces to assist individuals in obtaining private health insurance coverage. The Department of Health and Human Services' CMS is responsible for overseeing the establishment of these marketplaces, including creating the website for obtaining coverage. The marketplaces became operational on October 1, 2013. As requested, this report examines the security and privacy of the Healthcare.gov website.

GAO (1) describes the planned exchanges of information between the Healthcare.gov website and other organizations and (2) assesses the effectiveness of the programs and controls implemented by CMS to protect the security and privacy of the information and IT systems used to support Healthcare.gov. GAO compared the implementation of controls over Healthcare.gov's supporting systems with privacy and security requirements and guidelines. This is a public version of a limited official use only report that GAO issued in September 2014. Certain information on technical issues has been omitted from this version.

Recommendations

GAO is making six recommendations to implement security and privacy management controls to help ensure that the systems and information related to Healthcare.gov are protected. HHS concurred but disagreed in part with GAO's assessment of the facts for three recommendations. However, GAO continues to believe its recommendations are valid, as discussed in the report.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Health and Human Services To fully implement its information security program and ensure that PII contained in its systems is being properly protected from potential privacy threats, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to ensure that the system security plans for the FFM and data hub contain all the information recommended by National Institute of Standards and Technology.
Closed – Implemented
In January 2015 CMS provided us with updated system security plans for the FFM and Data Hub. Upon analysis of the provided documents, we determined that, in response to our recommendation, CMS had added the missing elements to the two system security plans. Consequently, CMS officials will be better able to make informed judgments regarding the risks involved in operating these two systems, and thereby better protect the systems' confidentiality, integrity and availability.
Department of Health and Human Services To fully implement its information security program and ensure that PII contained in its systems is being properly protected from potential privacy threats, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to ensure that all privacy risks associated with Healthcare.gov are analyzed and documented in their privacy impact assessments.
Closed – Implemented
In response to our recommendation, in September 2015, CMS prepared documentation showing that privacy risks were addressed as part of the overall risk assessment for the FFM and data hub. The documentation identifies the potential privacy risks to the program regarding the collection of PII and outlines how CMS mitigated these risks through the evaluation of the FFM system and processes. As a result, CMS has reasonable assurance that privacy risks have been assessed and that steps have been identified to ensure that the privacy of that data is protected.
Department of Health and Human Services To fully implement its information security program and ensure that PII contained in its systems is being properly protected from potential privacy threats, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to develop separate computer matching agreements with Office of Personnel Management and the Peace Corps to govern the data that is being compared with CMS data for the purposes of verifying eligibility for the advance premium tax credit and cost-sharing reductions.
Closed – Implemented
In response to our recommendation, in June 2016, CMS established computer matching agreements with OPM and the Peace Corps. The agreements outline the terms, conditions, and safeguards under which the agencies will provide records, information, or data to CMS with regard to the Patient Protection Act and Affordable Care Act. As a result, CMS has increased assurance that proper protections have been implemented for the PII being exchanged.
Department of Health and Human Services
Priority Rec.
To fully implement its information security program and ensure that PII contained in its systems is being properly protected from potential privacy threats, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to perform a comprehensive security assessment of the FFM, including the infrastructure, platform and all deployed software elements.
Closed – Implemented
In response to our recommendation, in October and November 2014, CMS performed testing of the FFM and its supporting systems that included the infrastructure, platform and all deployed software elements. The testing addressed the identification of open plans of action and milestones for controls inherited from common control providers, such as the infrastructure and platform layers, interrelated testing of application controls inherited from the infrastructure and platform layers, and the identification of causes for control deficiencies. As a result, CMS has enhanced assurance that that its security controls for the FFM are working as intended.
Department of Health and Human Services To fully implement its information security program and ensure that PII contained in its systems is being properly protected from potential privacy threats, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to ensure that the planned alternate processing site for the systems supporting Healthcare.gov is established and made operational in a timely fashion.
Closed – Implemented
In response to our recommendation, from June to July 2015, CMS completed two functional exercises of their warm disaster recovery site. The first exercise was focused on data replication technology and the second exercise focused on testing network connectivity and basic application functionality for consumers. CMS noted that both exercises performed as expected with no failures. As a result, CMS has increased assurance it is prepared to mitigate and recover from a disaster that threatens the availability of vital information.
Department of Health and Human Services To fully implement its information security program and ensure that PII contained in its systems is being properly protected from potential privacy threats, the Secretary of Health and Human Services should direct the Administrator of the Centers for Medicare & Medicaid Services to establish detailed security roles and responsibilities for contractors, including participation in security controls reviews, to better ensure that communications between individuals and entities with responsibility for the security of the FFM and its supporting infrastructure are effective.
Closed – Implemented
In response to our recommendation, in September 2015, CMS developed the Virtual Security Operations Center (vSOC) Standard Operating Procedures, Version 2.0.1, which describes daily routine activities, including roles and responsibilities, as part of its vSOC services. It also describes how the entities of the marketplace communicate for security services, such as the Executive Director for Marketplace Security, the Verizon Datacenter Marketplace Security, and the HP Datacenter Security. As a result, CMS has reasonable assurance that parties responsible for the FFM's security controls have well-defined security roles and responsibilities.

Full Report

GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Access controlCybersecurityData collectionHealth insuranceInformation managementInformation securityInformation security managementInformation systemsInternal controlsInternet privacyPasswordsPolicies and proceduresPrivacy policiesSecurity policiesService disruptionSoftwareUnauthorized accessWebsite designWebsitesInformation sharing