Watchdog Finds More IRS Obamacare Flaws

Security Concerns Involve Insurer, Drug Firm Data
A watchdog agency has identified a second list of security weaknesses in the Internal Revenue Service's systems that support Obamacare.

A new report, dated Sept. 29 but released on Dec. 2 by the Treasury Inspector General for Tax Administration, says improvements are needed to ensure the security of information provided to the IRS by health insurers and pharmaceutical manufacturers for the Affordable Care Act program.

In an earlier report, TIGTA listed steps the IRS needed to take to protect consumer tax information on ACA health insurance exchanges (see IRS Told To Beef Up Obamacare Scrutiny).

Under the Affordable Care Act, certain participating health insurers and pharmaceutical companies pay an annual fee to help support the health insurance program. The IRS calculates and collects the fees based on information these firms submit. The agency imposes an annual fee on any health insurance provider that provides health insurance during the calendar year with net premiums that exceed $25 million. For drug companies, fees are based on sales data. The annual fees are due to the IRS by Sept. 30 of each year.

Security control weaknesses identified in the TIGTA audit could affect the IRS's ability to reliably process the electronic reports submitted by insurers and drug companies that are used to accurately determine the applicable fees, according to the report.

The TIGTA review, conducted between November 2013 and May 2014, found that the IRS conducted security and other tests of the core system for handling the information from insurers and pharmaceutical companies. But it found that "improvements are needed to ensure the long-term success of the ... system."

TIGTA identified specific system control weaknesses that the IRS needs to address promptly. Among the weaknesses noted in the report were issues related to patch management. However, most of the specifics about the weaknesses were not disclosed in the publicly released version of the heavily redacted report.

Watchdog Recommendations

The watchdog agency made several recommendations to the IRS's chief technology officer to address the issues. Those recommendations aim to ensure that:

  • Procedures are developed to provide direction on how to mitigate vulnerability weaknesses;
  • Vulnerabilities identified are promptly corrected and resolved;
  • The ACA plan of action and milestones adequately addresses the vulnerabilities within the required time frames;
  • The IT implementation and testing organization of IRS effectively manages the testing processes executed by the external contractors.

The TIGTA report notes that the IRS agreed with the majority of TIGTA's recommendations and plans to implement corrective actions.

The controls highlighted in the report are commonly used by many federal agencies, but can be challenging to implement, says Mac McMillan, CEO of security firm CynergisTek. "The more alarming aspect of this report, though, is the fact that there is no plan to address all of these issues before this system goes into production, and in some cases no timeline projected at all or acceptance of the recommendation," he adds. "How secure does that make you feel?"

IRS Response

In a statement provided to Information Security Media Group, the IRS says it "has made substantial progress with IT systems modernization in recent years and continues to make improvements and address a wide range of issues. IRS modernization efforts have been focusing on building and deploying advanced information technology systems, processes and tools to improve efficiency and productivity and expand online service options for taxpayers."

The IRS also notes in the statement that it has "also taken aggressive steps to ensure the protection of federal tax information needed for administering the Affordable Care Act. The IRS emphasizes there have been no data breaches involving federal tax information shared with the exchanges or any other ACA-related systems."

The IRS also said it agrees with TIGTA's concerns noted in the report regarding budget constraints' impact on IT projects. "It is important to note that reductions in IRS's budget have stretched resources across the agency. Since 2010, the IRS budget has been reduced nearly $850 million. At the same time, we have 13,000 fewer employees today than we did in 2010," IRS says.

Congressional Scrutiny

The findings of the TIGTA audits come as various Congressional committees continue to scrutinize the issue of whether the federally facilitated website and systems had undergone thorough security testing and risk mitigation prior to Obamacare's initial open enrollment launch on Oct. 1, 2013.

On Nov. 19, some members of the House Committee on Science, Space and Technology's subcommittee on oversight grilled former U.S. CTO Todd Park during a hearing, trying to uncover if he had attempted to previously hide from Congress the level of his involvement in the troubled 2013 launch of or his knowledge of security shortcomings of the site (see Panel Probes CTO's Role).

Park testified to the committee at the recent hearing that his role in the launch of the Obamacare site and systems was minimal and that cybersecurity issues were handled by others. However, subcommittee chair Rep. Paul Broun, R-Georgia, noted that the committee had not yet received all the information that had been subpoenaed from the Obama administration prior to the Park hearing. That leaves open the possibility that Park might be called to testify at another hearing, Broun says.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.