Healthcare.gov: Actions Needed to Address Weaknesses in Information Security and Privacy Controls
September 18, 2014
The Government Accountability Office is making six recommendations to implement security and privacy management controls to help ensure that the systems and information related to Healthcare.gov are protected. The Department of Health and Human Services concurred but disagreed in part with GAO’s assessment of the facts for three recommendations. However, GAO continues to believe its recommendations are valid, as discussed in the report.
- Ensure that the system security plans for the Federally Facilitated Marketplace (FFM) and data hub contain all the information recommended by the National Institute of Standards and Technology.
- Ensure that all privacy risks associated with Healthcare.gov are analyzed and documented in their privacy impact assessments.
- Develop separate computer matching agreements with the Office of Personnel Management and the Peace Corps to govern the data that is being compared with the Centers for Medicare & Medicaid Services data for the purposes of verifying eligibility for the advance premium tax credit and cost-sharing reductions.
- Perform a comprehensive security assessment of the FFM, including the infrastructure, platform and all deployed software elements.
- Ensure that the planned alternate processing site for the systems supporting Healthcare.gov is established and made operational in a timely fashion.
- Establish detailed security roles and responsibilities for contractors, including participation in security controls reviews, to better ensure that communications between individuals and entities with responsibility for the security of the FFM and its supporting infrastructure are effective.