A key database behind Healthcare.gov was riddled with more than 100 security vulnerabilities, but the agency responsible for its upkeep has since corrected the issues, according to a newly published audit from the Department of Health and Human Services’ inspector general.
The IG discovered 22 high-risk, 62 medium-risk and 51 low-risk vulnerabilities in the Center for Medicare and Medicaid Services’ Multidimensional Insurance Data Analytics System, the database better known as MIDAS that holds consumers’ insurance-related personally identifiable information tied to various initiatives in the Patient Protection and Affordable Care Act.
During the audit, conducted between August and December 2014, the IG also discovered a few broader issues that led to security vulnerabilities: CMS failed to delete generic accounts in its test environment, encrypt user sessions or conduct “automated vulnerability assessments that simulate known attacks,” and it “used a shared read-only account for access to the database that contained the PII,” according to the report published this week.
According to the report, CMS remediated the issues prior to the IG delivering its report.
In his response to the audit, CMS Administrator Andy Slavitt underlined how seriously his agency took the matter and how quickly it responded.
“CMS worked with the OIG during the security testing and within a week of the findings being identified, CMS had addressed all the high [risk] vulnerabilities identified,” Slavitt wrote. “CMS had addressed a majority of the remaining findings within 30 days of identification. All of OIG’s findings in this report were addressed by February 2015. In addition, all of the recommendations in this report were fully implemented prior to the draft report being issued.”
This isn’t the first time an audit has uncovered security flaws tied to Healthcare.gov systems. A year ago, white-hat hackers in the IG’s office tried to breach the greater Healthcare.gov system and found what they called “critical vulnerabilities.”
There was also a confirmed hack on a dormant Healthcare.gov test server shortly before that audit a year ago. Nonetheless, “No person or group has maliciously accessed personally identifiable information from HealthCare.gov or its related systems,” Slavitt maintained in his response to this latest report.