IRS Told to Beef Up Obamacare Scrutiny

Gov Info Security reports:

“A watchdog agency says the Internal Revenue Service needs to put into place additional procedures to ensure that Obamacare health insurance exchanges properly safeguard consumer tax information.

Under the Affordable Care Act – also known as Obamacare – the IRS is authorized to disclose limited tax information to health insurance exchanges. That data is used in determining eligibility for individuals to receive federal subsidies to help cover the cost of insurance.

That federal tax information, or FTI, is made available from the IRS to the exchanges via a federal hub operated by the Department of Health and Human Services’ Center for Medicare and Medicaid Services. The federal hub routs the FTI data from the IRS to the exchanges when a consumer applies for health coverage and related financial assistance under the Affordable Care Act. But the hub does not retain the data.

The recent report by the watch dog agency, the Treasury Inspector General for Tax Administration, assessed whether the IRS Office of Safeguards had implemented sufficient policies and procedures to ensure that health insurance exchanges are adequately protecting FTI received from the IRS.

The review found that “the IRS must do more to ensure that federal tax information submitted to the ACA exchanges is protected and prevent its unauthorized disclosure,” says J. Russell George, a TIGTA inspector.

In a statement provided to Information Security Media Group, the IRS says it has “taken aggressive steps to ensure the protection of federal tax information shared with the health insurance exchanges. The IRS emphasizes there have been no data breaches involving federal tax information shared with the exchanges, and TIGTA did not find any specific or elevated risk to federal tax information maintained by the exchanges during the audit.

Report Findings

The TIGTA report says the IRS failed to require the exchanges to submit an initial independent security assessment report, or SAR, that could have helped the IRS to evaluate risk levels and the status of required security controls of the exchanges. “The current documentation on which the IRS Office of Safeguards bases its approval decision for release of FTI does not provide sufficient evidence that required controls have been implemented,” TIGTA says in its report.

While CMS required the health insurance exchanges to conduct an independent assessment of the security controls prior to issuing the initial authority to connect to the hub for the Oct. 1, 2013, launch of Obamacare open enrollment, CMS subsequently altered its guidance to allow the exchanges more time. The change by CMS allowed exchanges to complete independent testing and submit their SARs by March 31, 2014, or within six months of granting authority for the exchanges to connect to the federal hub, the TIGTA report notes.

Report Recommendations

The TIGTA report recommends that before IRS grants release of FTI to insurance exchanges, it should require those agencies to conduct an independent assessment of the security controls in their information systems and submit the assessment reports to IRS Office of Safeguards. The report notes that IRS agreed with this recommendation, and that the agency will implement the change by Jan. 1, 2015.

The IRS will also develop policies and procedures to evaluate the exchanges’ independent security assessment and conduct a risk-based assessment or a modified on-site review prior to initial release of FTI, the IRS notes in its reply to the report. The policies will detail “risk-based criteria for release of data as well as actions taken to mitigate vulnerabilities before approval of the data exchange,” the IRS states.

The report also recommends that the IRS “should prioritize according to risk” on-site reviews of new systems.

“Going forward, the IRS will remain vigilant in this area, and the TIGTA recommendations will help make our process even stronger,” according to the IRS statement provided to ISMG.

Other Criticism

The issue of whether the federally facilitated HealthCare.gov had undergone thorough security testing and risk mitigation prior to the ACA’s initial open enrollment launch on Oct. 1, 2013 also has been a point of contention with some members of Congress.

In addition to multiple hearings over the last year by Congress focused on the state HealthCare.gov security, a report issued in September by the Government Accountability Office made 28 to improve the security of HealthCare.gov before the next open enrollment period for Obamacare begins Nov. 15. Among those recommendations was the completion of end-to-end security testing (see GAO: HealthCare.gov Has Security Flaws).

CMS administrator Marilyn Tavenner testified on Sept. 18 at House Committee on Oversight and Government Reform hearing that the GAO recommendations, including security testing of HealthCare.gov, would be completed before the next open enrollment launch in November (see HealthCare.gov Security Fixes Promised).