The OIG recently released findings that Washington’s Health Benefit Exchange (the “Washington Exchange”) needs to be improved to fully comply with federal requirements and to protect personally identifiable information (PII). The full report is available here.
The Washington Exchange’s website offers residents side-by-side comparisons of qualified health plans; tax credits or other financial help to pay for health insurance premiums and copayments; and customer support online. In addition, the Washington Exchange uses a database to store PII. According to the OIG’s report, as of June 30, 2015, the Washington marketplace had received more than 1.1 million unique applications from individuals and more than 750 unique applications from employers.
The OIG reviewed the Washington marketplace's information security controls in place as of May 2015 and found many security controls were implemented, including policies and procedures, to protect PII on its web site and database. However, the OIG found that security did not always comply with the CMS requirements for state health insurance exchanges (Minimum Acceptable Risk Standards for Exchanges including NIST SP 800-53). Specifically, the Washington Exchange had not adequately secured its web site and database and had not performed a vulnerability scan in accordance with federal requirements. In addition, the Washington Exchange's plan of action and milestones did not meet some of the CMS minimum requirements for protection of exchange systems. Fortunately, the OIG did not find any evidence that the vulnerabilities it identified had been exploited, although unsecured systems could have resulted in the disclosure of PII.
The OIG recommended that the Washington Exchange implement detailed recommendations to address the findings that it identified related to the website and database, the vulnerability scan, and the plan of action milestones. The Washington marketplace concurred with all of the OIG’s recommendations and described actions that it has taken or plans to take to implement those recommendations.
This is just the most recent example of weak electronic security in health insurance exchanges. For example, in a report released earlier this year, the Government Accountability Office (GAO) identified security gaps in some of the technical safeguards implemented by CMS for the federal health exchange web site, Healthcare.gov. Along with insufficiently restricted administrator privileges for data hub systems, the GAO found that there was also inconsistent application of security patches. The GAO also found insecure configuration of an administrative network. The federal website is subject to multiple federal laws and regulations; NIST SP 800-53 was used to evaluate security of the data hub.
While the federal standards for health insurance exchanges do not apply to all entities maintaining PII, the reports highlight steps that can be taken to improve information security of databases and data hubs:
-
Conduct periodic vulnerability scanning to identify and mitigate security vulnerabilities;
-
Apply security patches to avoid technical safeguard failures;
-
Restrict administrator privileges to the minimum necessary; and
-
Use secure network configurations.
Reporter, Lara Compton, Los Angeles, +1 (213) 443-4369, lcompton@kslaw.com.
