Health Insurance Marketplaces Generally Protected Personally Identifiable Information but Could Improve Certain Information Security Controls

Issued on  | Posted on  | Report number: A-18-14-30011

This summary report provides an overview of the results of three reviews of the security of certain information technology at the Federal, Kentucky, and New Mexico Health Insurance Marketplaces. These reviews generally examined whether information security controls were implemented in accordance with relevant Federal requirements and guidelines and whether vulnerabilities identified by prior assessments were remediated in a timely manner.

Although CMS had implemented controls to secure Healthcare.gov and consumer personally identifiable information (PII) on the Federal Marketplace, we identified areas for improvement in its information security controls. Kentucky had sufficiently protected PII on its Marketplace Web sites and databases in accordance with Federal requirements. However, opportunities to improve the Kentucky Marketplace's database access and information security controls remain. Although New Mexico management had implemented security controls, policies, and procedures to prevent vulnerabilities in its Web site, database, and supporting information systems, its information technology policies and procedures did not always conform to Federal requirements to secure sensitive information stored and processed by the New Mexico Marketplace.

We recommended that each Marketplace's management address the findings identified in its respective report.

On September 4, 2014, CMS issued a statement regarding an intrusion on a server that supports testing of Healthcare.gov but does not contain consumer personal information. The intrusion occurred after the period of our audit and involved technology outside our audit scope.
