The US Government's health insurance website Healthcare.gov still contains a number of concerning security and privacy protection vulnerabilities one year after its launch, a government watchdog reported yesterday.
In its latest report [pdf] on the troubled system, the US Government Accountability Office found that the website's information security and privacy management processes contained weaknesses, despite efforts by the agency running the website, the Centers for Medicare and Medicaid Services (CMS), to protect the security and privacy of data held by the site.
The GAO warned that the existing weaknesses, alongside issues with the implementation of security controls, produced "increased and unnecessary risks" of "unauthorised access, disclosure or modification" of the personal information held by Healthcare.gov.
Many of the issues discovered by the GAO could be traced back to problems with management, oversight and contracting, the Office said - as it first signalled in its July report, which investigated the website's bungled launch and found it was destined for disaster thanks to poor contract planning and oversight practices.
In this week's report, the GAO revealed that the website did not always require users to enter strong passwords, that developers did not perform adequate security testing and lacked sound privacy and security plans, that software patches were not consistently applied, and that an administrative network was not configured appropriately.
It also found weaknesses in boundary protection, identification, authentication and authorisation, along with the lack of a backup processing site should Healthcare.gov systems go down.
"Collectively, these weaknesses put HealthCare.gov systems and the information they contain at increased and unnecessary risk of unauthorized access, use, disclosure, modification or loss," the report said.
Millions of Americans submit personally identifiable information to the site, making its security a critical issue, the report stated.
The GAO made six recommendations to the US Department of Health and Human Services, including the implementation of better security and privacy controls to protect sensitive data, and 22 suggestions to fix weaknesses in IT security controls.
The DHHS has accepted three of the six recommendations and all of the 22 IT security control-related recommendations.
The report is the latest in a series of critiques of the website since its troubled launch late last year.
The site was unusable for the majority of consumers attempting to sign up for health insurance plans for around two months after its launch. Following a significant rectification effort, the system was stabilised in January this year.
The issues forced cost overruns to the tune of US$840 million (A$904 million).
Despite the rectification efforts, a significant portion of the system's back end is still not complete - specifically the financial management module, which will handle payment calculations and other financial transactions with users. It is now forecast to be completed in December 2014, after missing its initial deadline of December last year.
The latest GAO report also follows the breach of the website's security last month, when a hacker managed to infiltrate the system and install malware on a test server.