Healthcare.gov: Actions Needed to Enhance Information Security and Privacy Controls

Citation
Government Accountability Office, Healthcare.gov: Actions Needed to Enhance Information Security and Privacy Controls (GAO-16-265) (Mar. 23, 2016).

Overview
The Patient Protection and Affordable Care Act of 2010 required the establishment of health insurance marketplaces in each state to allow consumers to compare, select, and purchase health insurance plans. States that establish their own marketplaces are responsible for securing the supporting information systems in order to protect the sensitive personal information those systems contain. The Centers for Medicare & Medicaid Services (CMS) is responsible for overseeing states' efforts, as well as for securing the federal systems to which the marketplaces connect, including its data hub.

The GAO was asked to review security issues related to the data hub and CMS's oversight of state-based marketplaces. Its objectives were to (1) describe the security and privacy incidents reported for Healthcare.gov and related systems, (2) assess the effectiveness of security controls for the data hub, and (3) assess CMS's oversight of state-based marketplaces and the security of selected state-based marketplaces. To do so, the GAO reviewed incident data, analyzed networks and controls, reviewed policies and procedures, and interviewed CMS and marketplace officials.

GAO recommends that CMS define procedures for overseeing the security of state-based marketplaces and require continuous monitoring of state marketplace security controls.