A Government Accountability Office report found that HHS and CMS, among other federal agencies, have failed to properly protect users' data.
For the report, GAO reviewed various federal agencies and critical infrastructure systems to determine any cybersecurity shortcomings. GAO looked at work related to privacy, critical federal functions and cybersecurity incidents before 2016, and it reviewed recent cybersecurity policy and strategy documents as well as industry reports.
The office made 3,000 recommendations, which it categorized into four areas: establishing a comprehensive cybersecurity strategy and performing effective oversight; securing federal systems and information; protecting cyber critical infrastructure; and protecting privacy and sensitive data.
Specifically at HHS and CMS, the watchdog group said a lack of guidance and proper oversight put Medicare beneficiary data at risk.
"HHS had not fully addressed key security elements in its guidance for protecting the security and privacy of electronic health information," the report states. "CMS had not fully protected the privacy of users’ data on state-based marketplaces."
While GAO noted most of its recommendations have been implemented, about 1,000 have not. It warns that until these vulnerabilities are addressed, federal agencies' information and systems are susceptible to cyberattacks and other threats.