GAO questions security on eve of major hearing


The Centers for Medicare and Medicaid Services has not done enough to secure the main federal health exchange, and the personal information belonging to millions of Americans stored on the system remains at unnecessary risk, a new government audit revealed.

“CMS did not take all reasonable steps to limit” the risks posed by such a complex system as the main federal health exchange, wrote Gregory Wilshusen and Nabajyoti Barkakati in a report issued Tuesday by the Government Accountability Office, the investigative arm of Congress. “Security and privacy plans were missing relevant elements, and security testing was incomplete. A number of control weaknesses pose unnecessary and increased security risks to the [federally facilitated marketplace], interconnected systems, and information.”

Until CMS addresses shortcomings in both the technical security controls and its information security program, the agency is exposing data and its supporting systems to significant risks of unauthorized access, use, disclosure, modification, and disruption, according to the GAO.


The 78-page report details a laundry list of security weaknesses in the main health exchange, less than two months before its scheduled second open enrollment period. Beginning with CMS granting the authority to operate in September 2013, when the site allegedly wasn’t fully secured and state exchanges began connecting to a vulnerable data hub, the report explains the existing marketplace concerns, such as inadequately addressing security management controls in accordance with National Institute of Standards and Technology guidance before launching, and the failure of CMS to make sure contributors to the site shared an understanding of how its security controls worked.

The report is likely to raise a lot of discussion at a planned hearing Thursday before the House Oversight and Government Reform Committee, where CMS Administrator Marilyn Tavenner is expected to testify on the July breach. If she testifies, it’s likely she will disagree with many of GAO’s findings.

In a response to a draft of the report, CMS concurred with many of GAO’s findings, although the agency’s Assistant Secretary for Legislation Jim Esquea wrote that when the site was given the authority to operate, the data hub had “no high findings.”

“An independent security control assessor tested each piece of the [federally facilitated marketplace] that went live on October 1, 2013, prior to that date with no open high findings,” Esquea responded. “All high, moderate, and low security risk findings for the portions of the website that launched October 1 were either fixed or had strategies and plans that met industry standards in place to fix the findings.”

Furthermore, he said all states faced strict security control standards before they could connect to the hub.


Health and Human Services officials argued earlier this month that the July hack was not targeted and put no personally identifiable information at risk. Despite that, the hack coupled with this report of perceived vulnerabilities will give opponents plenty of material to work with. Wednesday morning, a host of Senate and House Republicans penned a letter to Tavenner questioning whether open enrollment in the midst of security flaws is such a good idea.

“In order to enroll beneficiaries in the exchange, collects, obtains and retains massive amounts of personally identifiable information about millions of Americans,” the lawmakers wrote. “This information includes Social Security numbers, personal addresses, income and employment records, and tax return records. It is extremely important that CMS and the other federal agencies involved in the exchanges properly protect and maintain this sensitive information. However, yesterday’s GAO report and the recent hacking of indicate that CMS is failing to perform this fundamental obligation.”
