OIG Flags Security Flaws in Two States' Health Info Systems
Experts Say Shortcomings Are Also Common Among Healthcare Providers
A federal watchdog agency's reviews of the security of Minnesota's state operated health insurance exchange under the Affordable Care Act and Colorado's Medicaid eligibility and claims processing systems reveal a variety of security weaknesses that potentially put sensitive consumer data at risk.
Issues identified include poor risk assessments, inadequate web application security, weak USB safeguards and a lack of uniform procedures and policies to deal with vulnerabilities.
Some experts say the types of weaknesses identified in both states by the Department of Health and Human Services' Office of Inspector General are similar to those found at many healthcare providers and their business associates - as well as entities in other industries.
"Many organizations struggle with solid vulnerability management and keeping current with maintaining the integrity of their systems," says Mac McMillan, CEO of the security consultancy CynergisTek. "Many of the hacks we see today take advantage of vulnerabilities not addressed or miscues in administration. So these are real issues."
Keith Fricke, partner and principal consultant at tw-Security, notes: "These are common weaknesses that are not unique to the healthcare industry. They pose threats to all types of data. Managing vulnerabilities, especially in operating systems, web servers, database servers and other software programs is challenging."
OIG notes in its report reviewing MNsure, the Minnesota state-operated health insurance exchange, that because Obamacare marketplaces handle consumers' personally identifiable information, security of their data and systems is "paramount."
OIG found that although MNsure had implemented security controls, policies and procedures intended to prevent vulnerabilities in its website, database and other supporting information systems, "it did not always comply with federal and state information technology requirements when it implemented those security controls, policies and procedures, which increased MNsure's risk that PII could have been exposed."
The watchdog agency found that MNsure "had not formalized procedures for analyzing and sharing information about vulnerabilities and had vulnerabilities related to penetration testing and website monitoring procedures. Additionally, our website and database vulnerability scans identified numerous weaknesses."
Although OIG did not identify evidence that the vulnerabilities had been exploited, "exploitation could have resulted in unauthorized access to and disclosure of PII, as well as disruption of critical marketplace operations," the report says.
"The vulnerabilities were collectively and, in some cases, individually significant and could have potentially compromised the integrity of the marketplace. In addition, without properly implemented policies and procedures, systems were not protected from individuals and groups with malicious intent to obtain access to commit fraud, waste or abuse or to launch attacks against other computer systems and networks."
OIG recommended that MNsure implement four detailed measures to address the findings identified. The watchdog agency noted, however, that because of the sensitive nature of the findings, it did not list the recommendations in the public summary report.
MNsure concurred with one of OIG's four recommendations, partially concurred with one recommendation, and did not concur with two others, OIG notes in the report. "MNsure described actions that it has taken or plans to take to implement our recommendations," the report notes.
In a statement, a spokeswoman tells Information Security Media Group: "MNsure remains a highly secure system that Minnesotans should feel confident using to enroll in high-quality, affordable health insurance. MNsure and Minnesota IT Services have addressed nearly all of the audit's findings and have additional, mitigating controls in place to ensure the security of citizen data in the MNsure system."
OIG's Colorado Findings
The objective of OIG's review of Colorado's Department of Health Care Policy and Financing was to determine whether it had implemented adequate information system general controls over the Colorado Medicaid eligibility determination and claims processing systems in accordance with federal requirements.
OIG says that during its review of controls put into place by July 2015, it found that HCPF had not implemented adequate information system general controls over the eligibility determination and claims processing systems. "The vulnerabilities that we identified increased the risk to the confidentiality, integrity and availability of Colorado's Medicaid data," OIG says.
"In evaluating HCPF's risk assessment, database security, website security and USB device security for its Medicaid eligibility determination and claims processing information systems, we identified vulnerabilities related to inadequate risk assessment policies and procedures, improper administration of the Medicaid claims database, inadequate security of Medicaid databases, inadequate Web site security, and improper management of USB ports and devices," OIG writes.
Although the watchdog agency says that it did not find evidence that the vulnerabilities had been exploited, "exploitation could have resulted in unauthorized access to and disclosure of sensitive information, as well as disruption of critical Colorado Medicaid operations."
The vulnerabilities could potentially lead to compromise of Colorado's Medicaid eligibility and claims processing systems, OIG says.
OIG recommended that HCPF implement detailed measures to address the vulnerabilities that the agency identified related to HCPF's risk assessment policies and procedures, database administration and security, web site security, and USB port and device security for its Medicaid eligibility determination and claims processing information systems.
OIG notes that Colorado HCPF, in written comments on the draft report, concurred with the recommendations and described corrective actions that it had taken or planned to take.
Colorado HCPF provided ISMG with a copy of its response to OIG, in which it notes that it will work with the Colorado Governor's Office of Information Technology to implement the OIG recommendations. "OIT is in the process of updating the cybersecurity policies effective September 2016 and is currently updating the HIPAA risk assessment to be completed by October 2016," HCPF wrote. "Additionally, OIT's database services team has been engaged and is providing support to the HCPF applications. OIT has recently acquired tools for scanning databases to perform vulnerability scans on an ongoing basis. These scan results will be reviewed on an ongoing basis and resolved."
HCPF also notes that it's developing a formal action plan to ensure that the risks and vulnerabilities identified will be mitigated in a timely manner.
While the OIG reports reviewed specific information systems security in two states, all organizations need to stay on their toes in dealing with emerging threats and vulnerabilities, Fricke says.
For instance, while some commercial tools can scan for vulnerabilities, those products often produce voluminous reports, he notes. "It takes a trained eye to know which of the scanning tool's findings pose the greatest risks."
Fricke recommends several measures that healthcare organizations can take to address issues such as those identified in the OIG reports.
"Keep up on the advisories issued regarding recently discovered vulnerabilities in operating systems, web and database servers, firewall products and commonly used software programs," he urges. "Inexpensive vulnerability scanning tools are available. Acquire one and scan your systems, find the vulnerabilities, and put a plan in place to patch them after testing the patches. Also, think about compensating controls."
He says organizations should restrict access to file transfer protocol services to only those users or computers needing access. "Many organizations have intrusion prevention systems but may not have activated their ability to block SQL injection attacks," he notes. "These attacks are commonly used to gain unauthorized access to databases that are not properly configured to prevent such attacks. The IPS [intrusion prevention system] becomes a compensating control."
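To make concrete the distinction Fricke draws between a database lookup that is built to resist SQL injection and an IPS acting as a compensating control, here is an added example (not code from the OIG reports, MNsure or Colorado HCPF). It uses a constructed in-memory claims table standing in for a claims database; the table, the column names and the `SQLI_PATTERN` signature are assumptions for illustration.

```python
import re
import sqlite3

# Constructed sample data: a toy claims table that stands in for a Medicaid
# claims database (illustrative schema, not Colorado's real one).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE claims (claim_id TEXT, member TEXT, amount REAL)")
    conn.executemany("INSERT INTO claims VALUES (?, ?, ?)", [
        ("C-1001", "member-A", 120.0),
        ("C-1002", "member-B", 980.5),
        ("C-1003", "member-C", 45.0),
    ])
    return conn

def lookup_vulnerable(conn, claim_id):
    # The misconfigured pattern OIG-style findings point at: request input is
    # concatenated straight into the SQL text, so input can rewrite the query.
    sql = "SELECT claim_id, member FROM claims WHERE claim_id = '" + claim_id + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, claim_id):
    # Hardened pattern: the driver binds the value as data, so the query shape
    # is fixed no matter what the caller supplies.
    sql = "SELECT claim_id, member FROM claims WHERE claim_id = ?"
    return conn.execute(sql, (claim_id,)).fetchall()

# Compensating control in the spirit of an IPS signature: a coarse check on the
# request before it reaches the database. It is signature-based, so it is a
# backstop for systems that cannot be fixed quickly, not a substitute for
# parameterized queries.
SQLI_PATTERN = re.compile(r"('\s*(or|and)\s+|--|;|/\*|\bunion\b)", re.IGNORECASE)

def looks_like_sqli(value):
    return bool(SQLI_PATTERN.search(value))

def guarded_lookup(conn, claim_id):
    # The drop-and-alert decision an IPS would make, followed by the safe query.
    if looks_like_sqli(claim_id):
        return None  # request dropped; the caller should log an alert
    return lookup_parameterized(conn, claim_id)
```

Running the same injected value through both lookups shows the concatenated version returning every row while the parameterized version returns none, which is the difference between a database "properly configured to prevent such attacks" and one relying on the IPS alone.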
OIG isn't the only watchdog agency to find security flaws on state or federally facilitated health insurance exchanges under Obamacare. A Government Accountability Office report issued last month said undercover testing for the 2016 coverage year found that the online healthcare marketplaces' eligibility determination and enrollment processes were vulnerable to fraud (see GAO: Obamacare Enrollment Fraud Vulnerabilities Persist).
That incident involved an MNsure worker who mistakenly attached a document containing private information on 2,400 insurance brokers and agents to an unencrypted email sent to two individuals who were not authorized to view the information.