{"id":20687,"date":"2015-09-25T08:03:04","date_gmt":"2015-09-25T15:03:04","guid":{"rendered":"http:\/\/spijue.wpengine.com\/news\/audit-finds-slipshod-cybersecurity-at-healthcare-gov\/"},"modified":"2015-09-25T08:03:04","modified_gmt":"2015-09-25T15:03:04","slug":"audit-finds-slipshod-cybersecurity-at-healthcare-gov","status":"publish","type":"post","link":"https:\/\/www.juneauempire.com\/news\/audit-finds-slipshod-cybersecurity-at-healthcare-gov\/","title":{"rendered":"Audit finds slipshod cybersecurity at HealthCare.gov"},"content":{"rendered":"

WASHINGTON \u2014 The government stored sensitive personal information on millions of health insurance customers in a computer system with basic security flaws, according to an official audit that uncovered slipshod practices.<\/p>\n

The Obama administration said it acted quickly to fix all the problems identified by the Health and Human Services inspector general\u2019s office. But the episode raises questions about the government\u2019s ability to protect a vast new database at a time when cyberattacks are becoming bolder.<\/p>\n

Known as MIDAS, the $110-million system is the central electronic storehouse for information collected under President Barack Obama\u2019s health care law.<\/p>\n

It doesn\u2019t handle medical records. But according to a government privacy impact statement, it does include names, Social Security numbers, birthdates, addresses, phone numbers, passport numbers, employment status and financial account information of customers on HealthCare.gov and state insurance marketplaces.<\/p>\n

\u201cIt sounds like a gold mine for ID thieves,\u201d said Jeremy Gillula, staff technologist for the Electronic Frontier Foundation, a civil liberties group focused on technology. \u201cI\u2019m kind of surprised that this information was never compromised.\u201d<\/p>\n

The flaws uncovered by auditors included issues of security policy \u2014 where mistakes can have bigger consequences \u2014 as well as 135 database vulnerabilities, of which nearly two dozen were classified as potentially severe or catastrophic.<\/p>\n

Among the policy mistakes: User sessions were not encrypted, contrary to standard practice on financial websites. \u201cNot doing so is inexcusable for such sensitive data,\u201d said Michelle De Mooy, deputy director for consumer privacy at the Center for Democracy & Technology, an Internet rights group.<\/p>\n

MIDAS is an internal system operated by the federal Centers for Medicare and Medicaid Services, the agency that administers the health care law. The acronym stands for Multidimensional Insurance Data Analytics System. Officials say it\u2019s an electronic backbone, essential to the smooth operation of the health care law\u2019s insurance markets.<\/p>\n

Currently about 10 million people are covered through HealthCare.gov and state marketplaces offering taxpayer-subsidized private policies. But MIDAS also keeps information on many others, including former customers. Their data is retained for years.<\/p>\n

Before HealthCare.gov went live in 2013, Obama administration officials assured Congress and the public that individuals\u2019 information would be used mainly to determine eligibility for coverage, and that the government intended to store the minimum amount of personal data possible. Things don\u2019t seem to have turned out that way.<\/p>\n

Among the technical problems uncovered by the audit:<\/p>\n

\u2014Using a shared read-only account for access to the database that contained individuals\u2019 personal information. Gillula said such a shared account creates a serious vulnerability because if data is stolen, it\u2019s much more difficult to tell who was looking at what information, and when.<\/p>\n

\u2014Failure to disable \u201cgeneric accounts\u201d used for maintenance or other special access during testing, an oversight that can foster complacency about security practices when a system becomes operational.<\/p>\n

\u2014Failure to conduct certain automated vulnerability scans that mimic known cyberattacks and could reveal weaknesses in MIDAS and the systems supporting it.<\/p>\n

\u2014Database weaknesses. A total of 135 such vulnerabilities \u2014 oftentimes software bugs \u2014 were discovered by the inspector general\u2019s vulnerability scans. Of these, 22 were classified as high risk, meaning they could have potentially severe or catastrophic fallout, and 62 as medium risk.<\/p>\n

\u201cMIDAS collects, generates and stores a high volume of sensitive consumer information, and it is critical that it be properly secured,\u201d the inspector general\u2019s report reads. A summary omitting specific details of the vulnerabilities was posted on the IG\u2019s website this week.<\/p>\n

In a written response to the audit, Medicare administrator Andy Slavitt said that \u201cthe privacy and security of consumers\u2019 personally identifiable information are a top priority\u201d for his agency. Slavitt said all of the high vulnerabilities were addressed within a week of being identified, and that all of the IG\u2019s recommendations have been fully implemented.<\/p>\n

The Medicare agency is conducting weekly vulnerability assessments of MIDAS, and an annual security review, Slavitt said.<\/p>\n

However, the episode indicates how some technical and security issues from the program\u2019s chaotic rollout in 2013 may still linger. Back then, the consumer-facing side of HealthCare.gov went live without a completed security certification.<\/p>\n

Gillula, the technology expert, said he doesn\u2019t question the administration\u2019s intentions. \u201cI\u2019m sure they wanted to do the right thing,\u201d he said. \u201cBut regardless of what they wanted, did they accomplish it? There certainly were some gaps.\u201d<\/p>\n

___<\/p>\n

Online:<\/p>\n

HHS Inspector General\u2019s report \u2014 http:\/\/tinyurl.com\/pycaesf<\/p>\n

MIDAS privacy impact statement \u2014 http:\/\/tinyurl.com\/nl79328<\/p>\n","protected":false},"excerpt":{"rendered":"

WASHINGTON \u2014 The government stored sensitive personal information on millions of health insurance customers in a computer system with basic security flaws, according to an official audit that uncovered slipshod practices. The Obama administration said it acted quickly to fix all the problems identified by the Health and Human Services inspector general\u2019s office. But the […]<\/p>\n","protected":false},"author":107,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_stopmodifiedupdate":false,"_modified_date":"","wds_primary_category":4,"footnotes":""},"categories":[4],"tags":[65],"yst_prominent_words":[],"class_list":["post-20687","post","type-post","status-publish","format-standard","hentry","category-news","tag-nation-world"],"_links":{"self":[{"href":"https:\/\/www.juneauempire.com\/wp-json\/wp\/v2\/posts\/20687","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.juneauempire.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.juneauempire.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.juneauempire.com\/wp-json\/wp\/v2\/users\/107"}],"replies":[{"embeddable":true,"href":"https:\/\/www.juneauempire.com\/wp-json\/wp\/v2\/comments?post=20687"}],"version-history":[{"count":0,"href":"https:\/\/www.juneauempire.com\/wp-json\/wp\/v2\/posts\/20687\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.juneauempire.com\/wp-json\/wp\/v2\/media?parent=20687"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.juneauempire.com\/wp-json\/wp\/v2\/categories?post=20687"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.juneauempire.com\/wp-json\/wp\/v2\/tags?post=20687"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/www.juneauempire.com\/wp-json\/wp\/v2\/yst_prominent_words?post=20687"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}
]}}