CMS needs to step up data hub and state-based marketplace security

Although CMS has taken steps to protect the security and privacy of data related to the data hub and data processed and maintained by state-based marketplaces, additional oversight procedures are needed to protect the sensitive information. According to a GAO report on the status of federal and state-based marketplace data security, system weaknesses remain in the form of insufficient procedures, inconsistent application of security protocols, and insecure networks.

Data security. Under the Patient Protection and Affordable Care Act (ACA), states that decide to establish their own marketplaces are responsible for the security of their information systems and the protection of personal information. CMS is responsible for oversight of the state systems as well as protection of information related to the federal marketplace and its data hub. The GAO conducted a review to (1) describe the extent of reported security incidents, (2) assess the effectiveness of CMS controls to protect the data hub, and (3) assess the effectiveness of the efforts of the CMS Center for Consumer Information and Insurance Oversight (CCIIO) regarding state-based marketplace information security.

Security incidents. The GAO found that between October 6, 2013, and March 8, 2015, CMS reported 316 incidents impacting the federal marketplace or key supporting systems. Although the incidents involved personally identifiable information and hackers’ attempts to compromise the system, the GAO did not find evidence that any of the incidents resulted in compromised data.

Security weaknesses. The report indicates that although CMS developed required security program policies and procedures, established interconnection security agreements with its federal and commercial partners, and instituted required privacy protections, weaknesses persisted in the technical controls protecting the data flowing through the federal data hub. Specifically, the GAO determined that CMS: (1) did not appropriately restrict the use of administrative privileges for data hub systems, (2) failed to consistently implement security patches for data hub systems, and (3) did not securely configure the data hub’s administrative network.

State oversight. CMS has made efforts to oversee the security and privacy controls implemented at the state-based marketplaces. However, the GAO found that CMS has not adequately documented the procedures that define its oversight responsibilities for state-based marketplace information security. Additionally, CMS conducts only annual monitoring of some state-based security controls; the agency does not engage in continuous monitoring or comprehensive annual testing.

Recommendations. To improve oversight and security procedures, the GAO recommended that CMS: (1) define procedures for overseeing state-based marketplace information security, (2) develop and document procedures for using the State Based Marketplace Annual Reporting Tool, and (3) require continuous monitoring of privacy and security controls in the state-based marketplaces. In a separate report, the GAO made recommendations encouraging CMS to resolve technical information security weaknesses within the data hub. HHS concurred with the GAO recommendations regarding enhanced state-based marketplace oversight.

SOURCE: GAO Report, No. GAO-16-265, March 23, 2016.