In the 18 month period between October 2013 and March 2015, HealthCare.gov experienced 316 security-related incidents.
A Government Accountability Office report on the web portal for the federal health insurance marketplace reports the majority of these security incidents involved potential attackers electronically probing CMS systems looking for potential weaknesses. None of the incidents compromised sensitive data.
While there has been no data breach related to these security incidents, GAO identified three weaknesses in controls protecting the data that moves through the web portal.
1. Administrator privileges for data hub systems are insufficiently restricted.
2. The application of security patches is inconsistent.
3. The administrative network is insecurely configured.
The GAO also identified weaknesses in technical controls that could heighten the risk of a data breach. Actions to mitigate these weaknesses were outlined in a separate report that was not distributed to the public.
Additionally, GAO found "significant weaknesses" in controls at three state-based marketplaces, including insufficient encryption and inadequately configured firewalls. The three states have agreed with the results and have plans to addresses the weaknesses, according to the report.
More articles on cybersecurity:
HHS names members of Health Care Industry Cybersecurity Task Force
Chinese officials urge US to strengthen ties with Beijing for the sake of cybersecurity
'Healthcare is ground zero for cyberattacks': 5 thoughts from CHIME's Russell Branzell