Transcript for audio podcast: Health Insurance Marketplaces Generally Protected Personally Identifiable Information but Could Improve Certain Information Security Controls
From the Office of Inspector General of Department of Health and Human Services
[Sheri Fulcher]: Hi, I'm Sheri Fulcher, a Regional Inspector General, here with Tom Salmon, an Assistant Inspector General for Audit Services. We're going to talk about OIG's work looking at the security of consumer information on the Federal healthcare.gov website, as well as two State health insurance Marketplaces: Kentucky and New Mexico. Tom, why did OIG do these reviews?
[Tom Salmon] We did these reviews to determine whether marketplaces protected sensitive applicant information. It's critical that personally identifiable information, which we call P-I-I, be secure.
[Sheri Fulcher] What did you focus on in these reviews?
[Tom Salmon] We reviewed safeguards designed to protect sensitive data used by the Marketplaces. We checked to see if the Marketplaces implemented these safeguards according to Federal requirements.
[Sheri Fulcher] How did you test the security safeguards?
[Tom Salmon] As explained in our summary report, we used a variety of testing methods. For example, we used specialized tools that help detect potential security risks and vulnerabilities. We also looked at security assessments done by the Federal and state agencies that oversee the marketplaces. We checked to see if these agencies fixed the vulnerabilities they identified.
[Sheri Fulcher] So what did you find?
[Tom Salmon] We found that, at the time of our reviews, the Federal and State marketplaces generally protected PII, but could improve some security controls to minimize vulnerabilities.
[Sheri Fulcher] Tell us about what you found at the Federal healthcare.gov website.
[Tom Salmon] The Centers for Medicare & Medicaid Services, or CMS, operates healthcare.gov. At the time of our review, we found that CMS had taken steps since the October 1 launch of healthcare.gov to lower the security risks associated with the Healthcare.gov systems and consumer data. However, we also found that CMS needed to improve its processes for testing the security of the Marketplaces.
[Sheri Fulcher] What about the security of the Kentucky and New Mexico marketplaces?
[Tom Salmon] We found that the responsible agencies implemented security controls to prevent Marketplace website vulnerabilities. But - they can still improve their security controls.
[Sheri Fulcher] Did CMS and the States agree with OIG's findings and recommendations?
[Tom Salmon] Overall, CMS, Kentucky and New Mexico agreed. OIG provided Federal and State officials with detailed information and recommendations to fix vulnerabilities.
[Sheri Fulcher] Anything else?
[Tom Salmon] Protecting consumer's personal information is crucial. OIG will continue to examine the security of information systems used by the new Affordable Care Act insurance marketplaces.
[Sheri Fulcher] Thank you Tom.
[Tom Salmon] Thank you.
Let's start by choosing a topic
