Obamacare: The Latest Privacy, Security StepsHow HealthCare.gov and Two State Exchanges Are Addressing Concerns
With the third open enrollment season for Obamacare set to begin Nov. 1, some health insurance exchanges, including the federal HealthCare.gov website, are taking steps to bolster the privacy and security of consumer data.
For example, the federal government has added new privacy features to the HealthCare.gov health insurance exchange, which facilitates the electronic health insurance marketplaces for 34 states. Meanwhile, state-operated insurance exchanges in Connecticut and Maryland are taking measures to address security weaknesses that were recently spotlighted in state auditor reports.
HealthCare.gov features a new "privacy manager" tool that enables consumers to opt in or out of third-party tools, including advertising, analytics and social media, says Kevin Counihan, deputy administrator and director of the center of consumer information and insurance oversight at the Centers of Medicare and Medicaid Services, in an Oct. 9 blog. CMS, a unit of the Department of Health and Human Services, oversees the Affordable Care Act - also known as Obamacare - as well as the HealthCare.gov website and systems.
"If you choose to opt out, you'll still have access to everything on the site, but we won't use information from your visit to analyze the site's technical performance or use digital advertising to remind you about helpful information like deadlines," Counihan wrote.
In addition to the new privacy manager tool, CMS has also updated its HealthCare.gov privacy notice and now supports the "Do Not Track" browser setting for digital advertising, Counihan says.
"We'll automatically observe your preferences related to digital advertising from HealthCare.gov," he says. "The Internet is constantly changing, and we have an obligation to keep evolving alongside it. We'll keep re-evaluating our own privacy notice, the tools we use and how they intersect with the evolving landscape of privacy on the web. We are committed to protecting the information you entrust with us at HealthCare.gov."
CMS tells Information Security Media Group that the agency has also taken measures to address a variety of security concerns that were cited in an HHS' Office of Inspector General report that was released in September about CMS' Multidimensional Insurance Data Analytics System, or MIDAS (see OIG: Obamacare Data Repository Had Security Flaws).
MIDAS supports the HealthCare.gov health insurance exchange website and systems by acting as a central repository for capturing, aggregating and analyzing enrollment, plan selection, consumer and other marketplace data, HHS says. MIDAS provides reporting and performance metrics to HHS for Obamacare.
"CMS addressed all of the OIG's high findings by February 2015. In addition, all of OIG's additional recommendations were fully implemented by March 2015," according to a CMS statement.
"The privacy and security of consumers' information is a top priority," CMS says in it statement. "Operational and analytical databases are a part of any data-driven operation, and marketplace data is protected by stringent security measures that adhere to industry best practices and meet or exceed federal standards. While no system is immune from attempted attacks or intrusions, CMS continually maintains and strengthens the security of HealthCare.gov and its supporting systems. To date, no person or group has maliciously accessed personally identifiable information through HealthCare.gov or MIDAS."
HealthCare.gov has been under intense scrutiny by government watchdog agencies and Congress since its problematic rollout in the fall of 2013 during the first open enrollment season for Obamacare.
But HealthCare.gov isn't the only Obamacare insurance exchange site whose security has been questioned. Two recent state government audits also found security weaknesses in the state-operated health insurance exchanges in Connecticut and Maryland.
A Connecticut state auditor's report released on Oct. 6 made several recommendations on how the Access Health CT health insurance exchange should improve its data security.
"The Connecticut health insurance exchange should develop a management control system that holds the organization accountable for responding in a timely manner to reported deficiencies in the security of the exchange, in order to provide assurance that the PII in its possession is secure," the report recommends.
The recommendations were made as a result of auditors evaluating a June 2014 breach at the exchange involving the loss of a backpack containing four paper notepads with handwritten information on about 400 consumers. The lost information was found in a deli not far from the exchange's Hartford call center operated by a vendor, Maximus. A Maximus employee had reportedly forgotten the backpack after eating at the deli after work (see Small Breach, Big Lesson in Backpack).
The Connecticut auditor's report notes: "The subsequent investigation by the contractor and the exchange found that the call center contractor, Maximus, was not abiding by its policies and procedures." As part of the response by the exchange, a third-party security firm was hired to perform a security assessment of the exchange headquarters, two storefronts and certain contractor sites in January, the report notes.
Upon the request of the auditors, the exchange provided copies of the third-party assessment, which noted several deficiencies in the security of the exchange, the report notes. "In addition to several findings and recommendations related to the physical security of the buildings and information assets, the security expert included several observations related to the security environment," the report says.
Deficiencies discovered also included a lack of documentation related to the exchanges' security policies, and a lack of security training and awareness related to critical assets, high-risk or sensitive areas and physical security, the report says.
Access Health CT developed a corrective actions plan in response to the third-party security assessment. But the auditors found aspects of that plan weak for several reasons, including a lack of "supporting documentation such as a cost-benefit analysis," the report says.
"The Exchange was unable to provide us with a corrective action plan that directly and individually addressed each of the third-party security expert's findings and recommendations," the auditors noted.
Jim Wadleigh, Access Health CT CEO, tells ISMG that the personal information of consumers was never jeopardized in the incident involving the backpack. "Nevertheless, Access Health CT hired a third-party security firm to conduct a physical security assessment of its facilities and those of its call center vendor," he says. "The scope of this assessment did not include an assessment of the logical security of Access Health CT's integrated eligibility system and database. Access Health CT is continually assessed and required to meet federal data security standards set by the Internal Revenue Service and HHS for its integrated eligibility system and database. Measures taken include regular periodic penetration testing of the Integrated Eligibility system and database designed to prevent cyber-attacks."
Also, to meet its continuing federal data security obligations, Access Health CT is engaging a vendor to conduct a security audit of the state's new data center, he says. That will include "another physical security audit of Access Health CT's offices to validate its security and the effectiveness of the changes made pursuant to the corrective action plan in response to the findings and recommendations from the initial assessment," he says.
Issues in Maryland
Meanwhile, a recent fiscal compliance audit report released by the Maryland Department of Legislative Services of the Maryland Health Benefits Exchange found "numerous security and control issues were noted regard MHBE's information systems. Specifically, personally identifiable information was not appropriately safeguarded, the MHBE network was not properly secured and administrative access was excessive and not controlled, and assurance was lacking that critical data on contractor servers was secured."
The audit spanned the period of June 1, 2011, through July 23, 2014. While the audit examined decisions and processes of the MHBE during that timeframe, the MHBE insurance exchange itself did not go live until Oct. 1, 2013, the report notes.
The report makes recommendations for steps that MHBE should take to improve security and controls over its information systems. Those include performing an inventory of its systems and identifying all sensitive PII, determining if sensitive information is properly protected by encryption or other substantial mitigating controls, and using approved encryption methods to protect all sensitive data are not otherwise properly protected.
In a Sept. 23 statement included in the state auditors' report, MHBE Executive Director Carolyn Quattrocki says, "The agency was in the course of implementing some of [the auditors' security] recommendations at the time of the audit, and it is in the process of addressing the remainder of the recommendations."
MHBE did not immediately respond to ISMG's request for additional comment.