News Feature | September 26, 2014

HealthCare.gov Gets Low Marks In GAO Assessment

By Christine Kern, contributing writer

The Government Accountability Office finds the HealthCare.gov website needs to boost its security.

HealthCare.gov, the health insurance website serving more than five million Americans, has significant security flaws that put users' personal information at risk, according to a report by the Government Accountability Office.

GAO, the investigative arm of Congress, found the Obama administration took a major risk going live with HealthCare.gov last fall when the system was still not fully tested. Some testing was incomplete as of June.

In response to the 78-page GAO report, the ranking Republican member of the Senate Health, Education, Labor and Pensions Committee, Senator Lamar Alexander (R-TN), issued a news release stating, "The president and his administration launched HealthCare.gov knowing that the personal information of Americans who bought insurance through the website was not safe. Their personal information was not safe then, and it is not safe now. Someone should be held accountable for this kind of gross mismanagement, and security must be fixed immediately before a major hacking attack does massive damage."

According to the GAO report, the Obama administration must resolve more than 20 specific security issues related to who can get into the system, who can make changes in it, and what to do in case the complex network fails. The HealthCare.gov website collects sensitive personal information including names, birth dates, Social Security numbers and family income.

While multiple federal and state agencies as well as many contractors have access, the report found no common understanding of security requirements among all the participants. The agency running HealthCare.gov "had not always required or enforced strong password controls, adequately restricted access to the Internet, consistently implemented software patches and properly configured an administrative network," the report said.

"Until it addresses shortcomings in both the technical security controls and its information security program, the Centers for Medicare and Medicaid Services is exposing HealthCare.gov-related data and its supporting systems to significant risks of unauthorized access, use, disclosure, modification and disruption."

Responding for the administration, HHS spokesman Aaron Albright said that the changing nature of threats makes website security an evolving process and that officials have already acted on many of the recommendations.

The GAO outlined six broad areas where more work needs to be done, from basics like following recommended best practices for government agencies, to a comprehensive test of all elements of the system, to establishing a backup site for HealthCare.gov and its supporting networks.

HealthCare.gov was hacked this summer, but no consumer information was stolen. Instead, hackers installed malicious software that could have been used to launch an attack on other websites from the federal insurance portal. A spokesman for the Department of Health and Human Services said officials have already acted on many of the GAO's recommendations, adding that the summer breach of HealthCare.gov was discovered quickly by industry standards.

"Protecting consumers' personal information is a top priority. When Americans use HealthCare.gov, their data is protected by stringent security measures that adhere to industry best practices and meet or exceed federal standards," said Kevin Griffis in a statement. "To continuously raise the bar on the website's security and meet evolving threats, it requires constant monitoring and re-evaluation. Feedback from the GAO, the department's Inspector General and outside, independent security experts is part of that process."