Citation[]
Government Accountability Office, Healthcare.gov: Actions Needed to Enhance Information Security and Privacy Controls (GAO-16-265) (Mar. 23, 2016) (full-text).
Overview[]
The Patient Protection and Affordable Care Act of 2010 required the establishment of health insurance marketplaces in each state to allow consumers to compare, select, and purchase health insurance plans. States establishing their own marketplaces are responsible for securing the supporting information systems to protect sensitive personal information they contain. The Centers for Medicare & Medicaid Services (CMS) is responsible for overseeing states' efforts, as well as securing federal systems to which marketplaces connect, including the Federal Data Services Hub.
The GAO was asked to review security issues related to the Federal Data Services Hub, and CMS oversight of state-based marketplaces. Its objectives were to (1) describe security and privacy incidents reported for Healthcare.gov and related systems, (2) assess the effectiveness of security controls for the Federal Data Services Hub, and (3) assess CMS oversight of state-based marketplaces and the security of selected state-based marketplaces. The GAO reviewed incident data, analyzed networks and controls, reviewed policies and procedures, and interviewed CMS and marketplace officials.
GAO recommends that CMS define procedures for overseeing the security of state-based marketplaces and require continuous monitoring of state marketplace security controls.