Upgrades to security have improved the safety of confidential information on healthcare.gov according to the U.S. Government Accountability Office. The GOA published a report suggesting six recommendations as well to further improve security.
Security Concerns for HealthCare.gov
The U.S Government Accountability Office (GAO) recently found that although healthcare.gov is significantly more secure than at its launch in 2013, there are still major security concerns that continue to put sensitive information at risk. The GAO report, released on September 16, identified several weaknesses in the confidentiality, integrity and availability of the site.
The main Marketplace system of healthcare.gov serves as an enrollment portal for 34 states, while the Federal Data Services Hub connects the Marketplace system and other state and federal systems. The GOA report addressed security issues concerning both the Marketplace system and the Federal Data Services Hub.
Several federal agencies exchange information with healthcare.gov, including the U.S. Departments of Defense and Homeland Security, the Internal Revenue Service, and the Social Security Administration. Commercial bodies such as CMS contractors and health insurance plan administrators also share information with the site.
Included in the GOA report are six recommendations to improve the security and privacy of healthcare.gov:
- Ensure that the security plans for the Marketplace and Federal Data Services Hub contain the information recommended by the National Institute of Standards and Technology.
- Confirm that all privacy risks are analyzed and documented in privacy impact assessments.
- Develop separate computer matching agreements with multiple federal agencies to govern data used to verify eligibility for tax credit and cost-sharing reductions.
- Perform a complete security assessment of the Marketplace system, evaluating the infrastructure, platform and all deployed software elements.
- Ensure that the alternate processing site for the systems supporting healthcare.gov is operational as soon as possible.
- Establish detailed security responsibilities for contractors, including participation in security controls reviews, in order to make certain that communications between individuals and entities are as effective as possible.
Author: Lauren Daniels