An audit of the Colorado Connect for Health exchange released by the U.S. Department of Health and Human Services this month said the inspector general found that security issues weren't properly addressed in some cases, possibly exposing the personal information of residents participating in the exchange.
“According to this report, the problems in Colorado have to do with noncompliance with federal guidelines,” Hadley Manning, director of health policy at the Independent Women's Forum, recently told Patient Daily. “The system had not been updated properly, and the response from the exchange management was too slow. Incident-response testing hadn't taken place, and the user-access security settings were deemed inadequate.”
Manning also explained that the exchange, which opened in October 2013, had security concerns that were not addressed until November 2014, more than a year later.
“However, security concerns are not limited to Colorado's exchange, and there's some evidence that the problems are more widespread,” Manning said. “The exchanges share a data hub that connects several different government agencies to help determine eligibility for subsidies and tax credits offered in the exchanges, and this hub has created security and privacy concerns.”
Manning further explained that these exchanges are full of personal information, including Social Security numbers and employment and income information, which is an attractive target for hackers and others who steal and misuse data.
“Another reason the protection of data in the exchanges has not been optimal is the timetable: the exchanges and related websites were not ready to debut when they did, in October 2013,” she said. “But a rush to open the exchanges resulted in late or sloppy security testing that continues to raise questions in the minds of consumers and watchdogs alike. This was not just the case in Colorado, but across the nation.”
Manning argues that the obvious first step in Colorado -- or any other state facing security concerns -- would be to comply with federal guidelines. Security teams need to be aware of known vulnerabilities and respond to them quickly, in addition to regularly testing websites and databases to check security settings. This would prepare them for incidents and threats to privacy, she said.
“A better, broader response would be to change the entire system of exchanges -- there's really no need to have our individual health insurance plans sold through an exchange,” Manning said. “Subsidies and tax credits could be delivered directly to consumers, who could use that money to purchase a health plan of their choice.”
Manning believes that such exchange systems create more complications than they solve.
“Instead of government-run data hubs and websites, private companies could simply enroll these consumers directly into health plans,” Manning said. “The exchange system unnecessarily complicates these purchases and injects privacy concerns where there's no need.”
Inspector general discloses security concerns related to Colorado Connect for Health exchange