The U.S. Government Accountability Office has recommended that the Centers for Medicare & Medicaid Services define procedures for overseeing the security of state-based marketplaces and require continuous monitoring of state marketplace security controls, according to a March 23 release.
The recommendations follow the identification by GAO of weaknesses in technical controls protecting the data flowing through the Federal Data Services Hub, including insufficiently restricted administrator privileges for data hub systems, inconsistent application of security patches and insecure configuration of an administrative network. GAO noted that the CMS reported 316 security-related incidents, between October 2013 and March 2015, affecting Healthcare.gov and its supporting systems.
GAO also identified additional weaknesses in technical controls that could place sensitive information at risk of unauthorized disclosure, modification or loss. In a separate report, with limited distribution, GAO recommended 27 actions to mitigate the identified weaknesses.
GAO said that improvements are needed in CMS' oversight of the security and privacy of data processed and maintained by state-based marketplaces. GAO noted that the CMS has not defined specific oversight procedures or what follow-up corrective actions should be performed if deficiencies are identified. CMS also does not require sufficiently frequent monitoring of the effectiveness of security controls for state-based marketplaces, only requiring testing once every three years.
The Department of Health and Human Services concurred with GAO's recommendations.