Healthcare.gov hit with 316 security incidents and Republican lawmakers are taking HHS and CMS to task

A Government Accountability Office report points to security weaknesses and to Health and Human Services’ incomplete information about how many people are impacted when breaches happen.
By Bernie Monegain
03:53 PM

Republican committee leaders in the Senate and House are taking Health and Human Services Secretary Sylvia Burwell and Centers for Medicare and Medicaid Services acting Administrator Andy Slavitt to task for 316 security incidents on HealthCare.gov.

“To assist us in fulfilling our oversight responsibilities, please send a list and description of every security incident involving HealthCare.gov since October 2013, including how many individuals’ records were compromised, whether the incident involved personally identifiable information, and whether the affected individuals were notified,” lawmakers including Tennessee Republican Senator Lamar Alexander, Utah Republican Senator Orrin Hatch and Michigan Republican Rep. Fred Upton wrote in a letter dated March 23.

The lawmakers asked Burwell and Slavitt for more information about the incidents that the Government Accountability Office highlighted in a March 2016 “Report to Congressional Requesters.”


The nonpartisan government watchdog noted in the report that between October 2013 and March 2015 HealthCare.gov had 316 security incidents, including 41 that involved personally identifiable information.

“Please also send the HHS Breach Response Team’s charter and Standard Operating Procedures, its annual reports since 2013, the CMS breach response plan, and the after-action reports for each security incident,” the lawmakers added. “If HHS did not inform affected individuals, we urge you to change that policy immediately.”

GAO found weaknesses in the technical controls protecting the data flowing through the HealthCare.gov data hub, including insufficiently restricted administrator privileges, inconsistent application of security patches, and insecure configuration of an administrative network. The report also identified weaknesses in technical controls that could place sensitive information at risk of unauthorized disclosure, modification, or loss, and found that HHS does not have complete records of how many people these incidents affected or whether the affected individuals were notified.

The investigation also determined that CMS does not require sufficiently frequent monitoring of the effectiveness of security controls at state-based marketplaces, requiring testing only once every three years. GAO also found other significant weaknesses in the controls at three selected state-based marketplaces, including insufficient encryption and inadequately configured firewalls.


GAO ultimately recommended that CMS define procedures for overseeing state-run exchanges and require continuous monitoring of security controls. HHS concurred with the recommendations.

In addition to Alexander, Hatch and Upton, lawmakers signing the letter to HHS and CMS were: House Ways and Means Committee Chairman Kevin Brady, R-Texas; House Oversight and Government Reform Committee Chairman Jason Chaffetz, R-Utah; Senate Judiciary Committee Chairman Chuck Grassley, R-Iowa; Senate Commerce Committee Chairman John Thune, R-S.D.; and Senate Committee on Homeland Security and Governmental Affairs, Permanent Subcommittee on Investigations Chairman Rob Portman, R-Ohio.

Twitter: @HealthITNews