The Office of Inspector General (OIG) determined in a recent investigation that New York did implement health insurance exchange data security measures in its website and database, but improvements must still be made to ensure that PII stays secure.
Specific policies and procedures were implemented to protect PII on the health insurance exchange web site and in the state database, but New York did not always remain compliant with Federal requirements, according to OIG.
The vulnerabilities were collectively significant, and were individually significant enough in some cases to have “potentially compromised the confidentiality, integrity, and availability of the marketplace,” OIG explained in its report on the investigation.
“Exploitation could have resulted in unauthorized access to and disclosure of PII, as well as disruption of critical marketplace operations,” the report’s authors wrote. “In addition, without proper safeguards, systems were not protected from individuals and groups with malicious intent to obtain access in order to commit fraud, waste, or abuse or launch attacks against other computer systems and networks.”
OIG recommended that the New York marketplace improve its PII security and also ensure that its website is secure so it remains in accordance with Federal law. However, OIG said that it could not reveal more specifics in the report because of the sensitive nature of the data involved.
“The New York marketplace disagreed with one of the findings and in some instances disagreed with the scanning tool’s assignment of the risk level because the New York marketplace determined that the findings did not pose any risk to the protection of PII,” OIG stated.
For the investigation, OIG started its fieldwork in March 2016 and reviewed the marketplace’s information security controls.
OIG said its review of applicable Federal requirements included certain Centers for Medicare & Medicaid Services (CMS) requirements in the Minimum Acceptable Risk Standards for Exchanges Document Suite. These requirements and standards cover security plans and risk assessments, vulnerability scanning and penetration testing, patch management and flaw remediation, Plan of Action and Milestones, and incident response.
The marketplace’s overall internal controls were not reviewed, OIG added.
Similar results were found in Minnesota’s Health Insurance Marketplace earlier this year. OIG explained in an October 2016 report that while the state had recently implemented security controls across its health insurance exchange (MNsure), there were still information security weaknesses that could affect PII security.
“Web applications (Web sites) and database systems that are not properly secured create vulnerabilities that could be exploited by unauthorized persons to compromise the confidentiality of PII,” the report’s authors wrote. “One of the top challenges in the U.S. Department of Health and Human Services, Office of Inspector General’s list of management challenges facing the Department is ensuring the security of the marketplaces.”
OIG also found that MNsure did not always comply with Federal and State information technology requirements when it implemented security controls, policies, and procedures. For example, procedures for analyzing and sharing information about vulnerabilities were not formalized, according to OIG. MNsure also had vulnerabilities related to penetration testing and website monitoring procedures.