Which do you want first about the federal health insurance exchange sites initiated through the Affordable Care Act: the good news or the bad news?
It turns out that the feds employed white hat hackers to test the data security of exchanges, according to a report from the HHS Office of the Inspector General (OIG) following an audit of Healthcare.gov data security practices and risk mitigation that took place from last February to last June.
The good news is, after reviewing the work, OIG found that personal data U.S. patients give the site is generally secure. The bad news? The hackers uncovered an unspecified “critical vulnerability” in a scan of the Healthcare.gov web application, which CMS said would be quickly patched.
Moreover, two more server vulnerabilities, known to CMS, hadn’t been fully addressed at the time of the audit. CMS was in the process of remediating them, but hadn’t completed its plan. Prior to the audit, CMS had notified OIG of the steps it was taking to patch the holes. Of the two server vulnerabilities, the less critical one, which didn’t put users’ personal data at risk, was being addressed through a contractor. The more critical one was patched by CMS itself between the time of the audit and last week, when the OIG published its report.
As a security precaution, the report did not describe the vulnerabilities in detail. The OIG report follows reports of a Healthcare.gov test-farm breach, a story broken by the Wall Street Journal. CMS said that no personally identifiable information was exposed in the incident. In a separate, unrelated announcement, CMS recently said that most of its Healthcare.gov patient-matching issues have been resolved.