With the Patient Protection and Affordable Care Act creating health insurance exchanges across the country so businesses and individuals can shop for insurance, data security must be an essential aspect. Without the necessary health insurance exchange security measures, individuals could have their information inadvertently exposed.
A recent Office of Inspector General report further underlines this fact, as it found that Washington state’s health insurance exchange was lacking in certain areas of security.
The Washington Health Benefit Exchange did implement numerous security controls, including policies and procedures, to protect PII on its website and database. However, the Washington marketplace did not always comply with Federal requirements, according to OIG.
The website and database were not “adequately secured,” and a vulnerability scan – a Federal requirement – had not been performed.
“Although we did not find evidence that the vulnerabilities had been exploited, exploitation could have resulted in unauthorized access to and disclosure of PII, as well as disruption of critical marketplace operations,” the report explained. “As a result, the vulnerabilities were collectively and, in some cases, individually significant and could have potentially compromised the confidentiality, integrity, and availability of the marketplace.”
Furthermore, OIG stated that without the necessary safeguards in place, the systems are not protected from those who have malicious intent and hope to potentially “commit fraud, waste, or abuse or launch attacks against other computer systems and networks.”
The report summary did not specify its recommendations, as the related information was highly sensitive. However, the Washington marketplace stated that it concurred with all recommendations. The state also submitted the actions that it would take to implement the OIG recommendations.
Unfortunately, the Washington marketplace investigation is not a unique case, and there have been previous examples of lacking health insurance exchange security.
For example, Healthcare.gov, the website for statewide health insurance marketplaces, fell victim to 316 security incidents between October 2013 and March 2015. Of those, 41 involved PII being potentially compromised.
After the information was released in a Government Accountability Office report, members of Congress wrote a letter to Secretary of the Department of Health & Human Services Sylvia Burwell and Acting Administrator for the Centers for Medicare & Medicaid Services Andy Slavitt requesting more information.
While most of the security incidents were minor, GAO did find security gaps in some of the technical safeguards implemented by CMS. Along with insufficiently restricted administrator privileges for data hub systems, there was also inconsistent application of security patches.
The GAO investigation also found insecure configuration of an administrative network.
Oregon also had multiple data security issues with its earlier health insurance exchange program, Cover Oregon. In 2014, Oregon had a total of 18 security breaches in a six-month period.
One incident involved a woman who claimed that she applied for health coverage through Cover Oregon and then received documents in the mail containing the names and birth dates of two other applicants.
Cover Oregon had been working with Oracle Corp. to create an exchange program for the state, but after several missed deadlines, individuals had to use a hybrid paper-online application process.
“We take the security and privacy of our customers very seriously and have policies and trainings in place to protect personally identifiable information of our consumers,” Cover Oregon spokeswoman Ariane Holm stated.
After the security issues, Oregon announced that it was transitioning away from working with Oracle America and hoped to create the state’s health insurance exchange program. The state planned to use the same system being used by Kentucky.
Oregon Medicaid Director Judy Mohr Peterson explained in a hearing of the House Interim Committee on Health Care that officials looked at eight different state programs before choosing Kentucky.
Date: June 08, 2016