OIG Report: Washington State Insurance Exchange Security Places PHI at Risk

The Department of Health and Human Services’ Office of the Inspector General (OIG) has recently published a report of its investigation into Washington State’s health insurance exchange.

The audit, which commenced in May 2015, was conducted to determine whether the exchange had adhered to federal requirements, including those stipulated by the Centers for Medicare & Medicaid Services (CMS) in its Minimum Acceptable Risk Standards for Exchanges documents. Auditors examined the security controls implemented by the exchange, but not the exchange’s overall internal controls.

The audit was conducted as part of the OIG’s commitment to increase its oversight of the Affordable Care Act, which includes taking a closer look at insurance exchanges and how personal information of individuals is protected.

The report reveals that, in spite of information security controls having been put in place to keep health data secure, a number of vulnerabilities have been allowed to persist that place protected health information (PHI) at risk.

Where security controls had been applied, OIG found that federal requirements were not always followed. For instance, the Washington marketplace was found not to have conducted a vulnerability scan of its website and database, as required by federal law. Additionally, the exchange’s plan of action and milestones did not meet the minimum CMS requirements for data security.

While no evidence was uncovered to suggest that any of the security vulnerabilities had actually been exploited, the OIG reported that malicious actors could potentially exploit them to launch attacks on computer systems and networks, or to commit fraud, waste, or abuse. Such acts could cause considerable harm and disrupt critical marketplace operations.

The OIG has recommended that the Washington exchange scan for security vulnerabilities. The exchange should also take steps to secure its website and database so that unauthorized individuals cannot exploit the vulnerabilities to gain access to its systems and sensitive health data.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news