Federal Report: HealthCare.gov Is Still Not Secure

HealthCare.gov remains vulnerable to cyberattacks almost one year after the federal Obamacare website went live, according to a Government Accountability Office report released Tuesday evening.

The Obama administration was running far behind schedule in building the website in 2013 and ran out of time to finish building its security systems and to make sure customers’ extensive personal information would be safe. Despite top officials’ knowledge that HealthCare.gov was insecure, the administration launched it on time last October anyway. (RELATED: Obama Admin Knew HealthCare.gov Was Vulnerable To Malicious Attacks And Launched It Anyway)

A year later, the GAO reports some progress in improving the website’s security, but the work is far from complete. Centers for Medicare and Medicaid Services officials failed to establish the required security controls and “unnecessarily place sensitive information at risk of unauthorized disclosure, modification or exfiltration.”

Security assessments and comprehensive checks weren’t complete when HealthCare.gov launched. The Obama administration later trumpeted a belated Security Control Assessment in January that approved the website’s controls, but according to the GAO, that assessment wasn’t comprehensive at all.

“The security control assessments for the [federally-facilitated marketplace] did not include tests of the full suite of security controls specified by NIST and CMS. The contractor that conducted these assessments reviewed only the security controls that CMS selected,” the GAO concluded.

As of June, CMS still hadn’t completed comprehensive security testing, a gap the report warns could compromise consumer data and HealthCare.gov’s ability to function. In July, the website was breached by a cyberattack, although federal officials didn’t discover the intrusion until earlier this month.

According to federal officials, that attack didn’t take any Americans’ personal information but instead used HealthCare.gov as a launching point to target other websites. The GAO nonetheless charges that customer data continues to be at risk.

“HealthCare.gov had weaknesses when it was first deployed, including incomplete security plans and privacy documentation, incomplete security tests, and the lack of an alternate processing site to avoid major service disruptions,” the GAO report found. “It has not fully mitigated all of them.”

Part of the risk is the broad extent of the information HealthCare.gov handles. The Federal Data Services Hub is a computer system that links seven federal agencies, including the IRS, Homeland Security, Social Security and even the Peace Corps, and passes private information among those agencies, state governments and all Obamacare exchanges.

Federal officials allowed four states, Mississippi, Utah, Oklahoma and West Virginia, to connect to the data hub last October without resolving problems with their security. And today, the security plans CMS officials gave the GAO for its investigation don’t reveal which of the agencies that tap into the system have had their own security tested and approved.

HealthCare.gov is also still missing part of its security plan. For 125 of the 312 security controls the system inherits from other systems and providers, HealthCare.gov’s security plan gives no details of how the control is actually implemented. CMS also still hasn’t completed security checks on its connections with Equifax, the private company that performs the income verification checks for premium subsidies.

Once again, the fault for this appears to come back to the Obama administration’s failed management of the project. The GAO faulted a lack of communication for the ongoing problems, as was the case with HealthCare.gov’s failed front-end operations.

In one instance, CMS told the GAO that one contractor was in charge of firewalls, but that responsibility was never written into the company’s statement of work. Staff at the company believed firewalls had been entrusted to a different company entirely. The project was imperiled largely by management failures of this kind.

“CMS did not and has not yet ensured a shared understanding of how security was implemented for the FFM among all entities involved in its development…until these weaknesses are fully addressed, increased and unnecessary risks remain of unauthorized access, disclosure, or modification of the information collected and maintained by HealthCare.gov and related systems, and the disruption of service provided by the systems.”

The GAO will present its findings to the House Oversight and Government Reform Committee on Thursday. The committee hopes to hear from current Obamacare administrator Marilyn Tavenner.

Follow Sarah on Twitter