Healthcare.gov Review Finds Significant Security Weaknesses

The federal government's website aimed at signing people up for healthcare insurance coverage continues to be riddled with significant security weaknesses, according to a report issued Tuesday by the U.S. Department of Health and Human Services Inspector General.

The report found the Centers for Medicare & Medicaid Services, which operates the Healthcare.gov website, had established a dedicated security team and had been performing weekly vulnerability scans to underlying systems. But it failed to detect and defend against the IG office's simulated attacks and vulnerability scans, did not yet have a tool to scan and identify website vulnerabilities and did not have a way to test underlying databases for configuration weaknesses.

The security team also failed to provide documentation that it had adequately encrypted user account credentials. In addition, a critical website flaw, which could give an attacker the ability to retrieve and modify sensitive data was not adequately addressed at the time of the review, but was scheduled to be fully remediated by the end of the June, according to the report. Two critical database vulnerabilities were also not fully remediated during the assessment.

[Related: Tech Exec: Accenture HealthCare.gov Contract Is A High Stakes Do Over]

The IG office conducted its audit from February to June and included a thorough review of the underlying processes and security policies in place to protect Healthcare.gov. The website was launched last October as the marketplace operated by the federal government under the Affordable Care Act to provide health insurance options to U.S. citizens and business owners from states that don't have state-operated health insurance exchanges.

The website's debut was stymied by sluggishness, technical glitches and security flaws. The website, which was initially built by CGI Federal, a subsidiary of CGI Group, faced intense criticism for the technical problems.

The Department of Health and Human Services awarded a one-year, $45 million contract to the federal unit of Accenture in January to fix the troubled website. That deal was recently extended to 2015. An Accenture spokesperson referred CRN to the company's federal spokesperson who was unavailable for comment at the time of this report.

Solution providers said the progress identified, from getting a security team in place and documented policies and procedures, is a positive sign. Identifying and addressing vulnerabilities is a difficult process to undertake because making a single repair requires thorough testing to ensure that coding updates don't negatively impact applications or cause serious downtime.

"Patching vulnerabilities is not as easy as it sounds," said one solution provider software security expert, who wished to remain unidentified. "It's a lengthy process that requires a systematic approach, especially in the complexity of tying applications to the different state-run health care databases. You could have a ripple effect of errors if code updates aren't done right."

Other solution providers said personally identifiable information governed by the Health Insurance Portability and Accountability Act (HIPAA) creates heightened sensitivity between the solution provider and the client.

The process of identifying system vulnerabilities and configuration weaknesses needs to be undertaken regularly and can often be a difficult undertaking, said Tom Richer, chief sales officer at New York City-based managed service provider Computer Resources of America.

In addition to identifying weaknesses, an assessment needs to prioritize remediation of the flaws that pose the greatest risk. Careful monitoring over the vulnerability management program is paramount to its success, Richer said.

"In healthcare, data security and privacy is at the forefront of every supported process that we manage and we have to be sensitive to all our client's security requirements because every organization is governed by HIPAA to a certain extent," Richer said.

In its response to the Inspector General's Office, the Centers for Medicate & Medicaid Services said it implemented plans to address the report's findings and had also implemented security controls to mitigate risks to user account credentials.

In a separate audit of health insurance exchanges operated by Kentucky and New Mexico, the IG office found Kentucky had not sufficiently restricted user and group access to authorized roles and functions within the support organization and had not met federal requirements for system security planning, risk assessment pen testing and flaw remediation and incident response capabilities.

An audit revealed 65 vulnerabilities to New Mexico's health-care exchange website, including two critical remote access flaws and a patch management error. A review of New Mexico's underlying health exchange database uncovered 74 vulnerabilities that could put sensitive data at risk. None of the underlying database errors were critical.

PUBLISHED SEPT. 24, 2014