Connect for Health Colorado (C4HCO), Colorado's health insurance exchange, implemented security controls over its Web sites and databases, but improvements are still needed to fully comply with Federal requirements and to increase protection of personally identifiable information (PII).
We reviewed C4HCO's information security controls in place as of November 2014. We found that C4HCO had not updated the system security plan's supporting policies or ensured that vulnerabilities identified during prior scans were mitigated in a timely manner. Additionally, our database security scans identified numerous weaknesses regarding user access administration and inadequate security settings. Moreover, C4HCO had not performed incident response testing. In written comments on our draft report, C4HCO concurred with our detailed recommendations and described corrective actions that it had taken or planned to take.
Before issuing our draft report, we shared information with C4HCO officials on the vulnerabilities we had identified and on our preliminary findings. C4HCO, working in conjunction with its systems integrator, began remediation efforts before we completed our fieldwork. After we issued our final report but before we published this public summary, C4HCO gave us evidence to support its remediation efforts. Based on the evidence provided, C4HCO has successfully remediated the issues we found related to the system security plan and incident response testing and has partially remediated the issues we found related to the application production databases and vulnerability mitigation.
Notice
This report may be subject to section 5274 of the National Defense Authorization Act Fiscal Year 2023, 117 Pub. L. 263.