GAO: HealthCare.gov still not fully secure

HealthCare.gov is still not fully secure two months out from its second launch date, federal investigators said in a report Tuesday.

The nonpartisan Government Accountability Office (GAO) said that while health officials have strengthened parts of the website's security, they failed to implement best practices across the entire system, leaving small weaknesses that place sensitive information "at risk."


"Until it addresses shortcomings in both the technical security controls and its information security program, the Centers for Medicare and Medicaid Services is exposing HealthCare.gov-related data and its supporting systems to significant risks of unauthorized access, use, disclosure, modification and disruption," the report stated.

The report is likely to dominate a House Oversight Committee hearing scheduled for Thursday, where Republicans have urged CMS Administrator Marilyn Tavenner to testify.

Lawmakers are concerned about news that a hacker breached part of HealthCare.gov this summer, though no consumer information was apparently viewed or taken.

Tuesday's 78-page document described a series of technical steps it said CMS did not take while constructing and repairing the sprawling online system at HealthCare.gov.

CMS did not require or enforce strong password controls for systems supporting the site, implement consistent security patches or properly configure the administrative network, GAO said.

Investigators attributed the failures to poor communication and agenda setting between CMS and the federal contractors responsible for the site.

A spokesman for the Department of Health and Human Services said officials have already acted on many of the GAO's recommendations, adding that the summer breach of HealthCare.gov was discovered quickly by industry standards.

"Protecting consumers’ personal information is a top priority. When Americans use HealthCare.gov, their data is protected by stringent security measures that adhere to industry best practices and meet or exceed federal standards," said Kevin Griffis in a statement.

"To continuously raise the bar on the website’s security and meet evolving threats, it requires constant monitoring and re-evaluation. Feedback from the GAO, the department’s Inspector General and outside, independent security experts is part of that process."

In its comments on the GAO report, HHS disagreed that security testing on the site had not been comprehensive enough. It said the system undergoes a variety of inspections on a daily, weekly and quarterly basis.

Republican lawmakers began to jump on the report Tuesday night as evidence that the Obama administration remains unprepared for Nov. 15, when the second enrollment period will begin.

"Almost a full year after the initial failed launch, numerous security weaknesses remain and private taxpayer information is still at risk," said Senate Finance Committee Ranking Member Orrin Hatch (R-Utah) in a statement.

"This is simply unacceptable. It is my hope the administration demands CMS address the website’s vulnerabilities as quickly and efficiently as possible."