Although CMS had implemented controls to secure the Multidimensional Insurance Data Analytics System (MIDAS) and the consumer personally identifiable information (PII) held in the systems and databases we reviewed, we identified areas for improvement in its information security controls. MIDAS is a central repository for insurance-related data intended to provide reporting and performance metrics to the Department of Health and Human Services for various initiatives mandated by the Patient Protection and Affordable Care Act. At the time of our fieldwork, CMS (1) had not disabled unnecessary generic accounts in its test environment; (2) had not encrypted user sessions; (3) had not conducted automated vulnerability assessments that simulate known attacks, which would have revealed vulnerabilities (e.g., password weaknesses and misconfigurations) specific to the application or the databases that support MIDAS; and (4) used a shared read-only account for access to the database that contained the PII.
In addition to the information security control vulnerabilities mentioned above, our database vulnerability scans identified 22 high, 62 medium, and 51 low vulnerabilities. We made related recommendations to address the issues we identified.
We shared with CMS information about our vulnerability scan findings immediately following the scan and informed CMS about other preliminary findings in advance of issuing our draft report. CMS began remediation efforts before the completion of our fieldwork. In written comments, CMS concurred with all of our recommendations. CMS reported that it remediated all vulnerabilities and addressed all findings we identified before we issued our final report. We have since reviewed the supporting documentation and verified CMS's remediation.
Notice
This report may be subject to section 5274 of the National Defense Authorization Act Fiscal Year 2023, 117 Pub. L. 263.