CMS must enhance health insurance marketplace information security, says GAO

The U.S. Government Accountability Office has recommended that the Centers for Medicare & Medicaid Services define procedures for overseeing the security of state-based marketplaces and require continuous monitoring of state marketplace security controls, according to a March 23 release.

The recommendations follow the identification by GAO of weaknesses in technical controls protecting the data flowing through the Federal Data Services Hub, including insufficiently restricted administrator privileges for data hub systems, inconsistent application of security patches and insecure configuration of an administrative network. GAO noted that the CMS reported 316 security-related incidents, between October 2013 and March 2015, affecting and its supporting systems.

GAO also identified additional weaknesses in technical controls that could place sensitive information at risk of unauthorized disclosure, modification or loss. In a separate report, with limited distribution, GAO recommended 27 actions to mitigate the identified weaknesses.

GAO said that improvements are needed in CMS' oversight of the security and privacy of data processed and maintained by state-based marketplaces. GAO noted that the CMS has not defined specific oversight procedures or what follow-up corrective actions should be performed if deficiencies are identified. CMS also does not require sufficiently frequent monitoring of the effectiveness of security controls for state-based marketplaces, only requiring testing once every three years.

The Department of Health and Human Services concurred with GAO's recommendations.