Healthcare.gov is riddled with security flaws, report finds

Ugh, not again.

Mar 1, 2020, 9:17 pm*

Aaron Sankin

The initial rollout of the online exchanges mandated by the Affordable Care Act was an infamously bumpy ride for the Obama administration. While the president’s signature domestic legislative achievement seems to be going considerably more smoothly than in the days when a constant drumbeat of news stories predicted technical glitches would sink healthcare reform for good, some major problems remain.

A report released on Tuesday by the U.S. Government Accountability Office slammed the Centers for Medicare and Medicaid Services (CMS) for failing to take adequate steps to ensure the security of Healthcare.gov, the federal health insurance exchange site used by millions of Americans.

“A system with this degree of complexity and involving such a sizable number of interconnections can pose many security and privacy risks. CMS did not take all reasonable steps to limit those risks,” reads the report, which noted that the government had, in many cases, taken sufficient steps to protect user data. “Security and privacy plans were missing relevant elements, and security testing was incomplete.”

The report pointed out a whole host of problems with the site. The authors argued that the core issue is that, while managing the exchange is a complex task involving a large number of government agencies and private firms, there is no centralized, universal set of cybersecurity standards. As a result, security vulnerabilities had a tendency to pop up all over.

“Specifically,” the report charges, “CMS had not: always required or enforced strong password controls, adequately restricted access to the Internet, consistently implemented software patches, and properly configured an administrative network.”

Republican lawmakers, nearly all of whom make opposition to the Affordable Care Act a central plank of their campaign platforms, were quick to use the report as a cudgel to bash the White House and its Democratic allies.

“The president and his administration launched HealthCare.gov knowing that the personal information of Americans who bought insurance through the website was not safe,” GOP Senator Lamar Alexander said in a statement to Reuters. “Their personal information was not safe then, and it is not safe now.”

“This report reinforces that CMS continues to fail the American public by not taking appropriate actions to ensure the security of HealthCare.gov,” concurred Sen. Orrin Hatch to the Wall Street Journal.

The Affordable Care Act pushed each state government to set up and run its own online insurance exchange where citizens could purchase health insurance; however, the establishment of these marketplaces wasn’t mandatory. If states decided to do nothing, an option 34 of them found more attractive than the alternative, the people living in those states would have to buy insurance through Healthcare.gov, the exchange operated by the federal government.

Security at Healthcare.gov is essential because, in order to apply for insurance—something all Americans are now required to have by law—users of the site need to enter a significant amount of personal information ranging from names and birth dates to social security numbers and household income. In addition, the back-end of the site is woven into not only other government sites from the Social Security Administration to the Internal Revenue Service to the Department of Homeland Security, but also a complex network of private insurance companies that will actually be providing the coverage. Major security breaches at Healthcare.gov have the potential to put some of the data on the other sites it touches at risk.

The GAO gave six broad recommendations on how CMS should move forward, which included establishing detailed secure procedures for contractors and performing a comprehensive security audit of the site’s infrastructure, platform, and software elements. A second report, which received limited distribution, included 22 more recommendations on how to fix very specific holes in the site’s security.

Officials from the Department of Health and Human Services, of which CMS is a part, largely agreed with those recommendations, but they argued that the GAO’s suggestion of simultaneously testing the security of the entire system as a whole wasn’t workable and that the agency’s current approach of testing each section of the site individually was sufficient.

This report is not the first time the security of Healthcare.gov has been called into question.

Earlier this year, hackers broke into a Healthcare.gov server and remotely installed software on it that could be used in a denial-of-service attack aimed at taking other websites offline. Government officials have maintained that no personal data was compromised. However, last year a security researcher found a major vulnerability with the site’s password reset function that could have allowed a hacker to discover user names and passwords with a little social engineering. The security hole was quickly patched.

The GAO’s report will be presented at a hearing before the House of Representatives Oversight and Government Reform Committee about the site’s performance next week.

Photo by Pete Souza/Wikimedia Commons 

*First Published: Sep 17, 2014, 2:13 pm