Public Summary Report: Washington State Implemented Security Controls Over the Web Site and Database for Its Health Insurance Exchange but Could Improve Protection of Personally Identifiable Information

The Washington Health Benefit Exchange (Washington marketplace), Washington State's health insurance exchange, implemented security controls over its Web site and database, but improvements are needed to fully comply with Federal requirements and to increase protection of personally identifiable information (PII).

We reviewed the Washington marketplace's information security controls in place as of May 2015. We found that the Washington marketplace had implemented many security controls, including policies and procedures, to protect PII on its Web site and database. However, it did not always comply with Federal requirements. Specifically, the Washington marketplace had not adequately secured its Web site and database and had not performed a vulnerability scan in accordance with Federal requirements. In addition, the Washington marketplace's plan of action and milestones did not meet some of the Centers for Medicare & Medicaid Services' minimum requirements for protection of marketplace systems.

We recommended that the Washington marketplace implement our detailed recommendations to address the specific findings we identified. The Washington marketplace concurred with all of our recommendations and described actions that it had taken or planned to take to implement our recommendations.