Editor’s Note: The complete report, GAO-16-265, is available here. Below is a brief excerpt.
. . .according to CMS officials, they have not yet terminated any state’s connection to the data hub because states have remediated deficiencies to their satisfaction in a timely manner.
Numerous significant security weaknesses have been identified in state-based marketplaces. For example, in the second quarter of fiscal year 2015, the 14 states 43 that maintained their own state-based marketplaces reported a total of 27 high open findings, 288 moderate open findings, and 259 low open findings from their own internal assessments. One state reported 20 of the 27 high open findings during that time period.
***
Although CMS continues to make progress in correcting or mitigating previously reported weaknesses within Healthcare.gov and its key supporting systems, the information security weaknesses found in the data hub will likely continue to jeopardize the confidentiality, integrity, and availability of Healthcare.gov. The information that is transferred through the data hub will likely remain vulnerable until the agency addresses weaknesses pertaining to boundary protection, identification and authentication, authorization, encryption, audit and monitoring, software updates, and configuration management.
Leave a Reply