MONTPELIER >> Vermont Health Connect has historically suffered from serious cybersecurity flaws, and federal regulators are still not doing enough to make the state correct them in a timely manner.
Those were two conclusions of a U.S. Government Accountability Office review released in March. The watchdog report was focused on the federal HealthCare.gov website but included cybersecurity assessments of three states' health insurance exchanges.
Those three states are Vermont, Kentucky, and California, according to a spokesperson for the Government Accountability Office. The study itself identified problems in three states, but did not say which problem was within each state. The office originally released the names of the states to the Associated Press under a Freedom of Information Act request.
Lawrence Miller, the chief of health care reform for Gov. Peter Shumlin, said in an interview Vermont was the third state in listed in the report—meaning Vermont had problems with "weak encryption for protecting authentication and communication, increasing the risk that an attacker could compromise the confidentiality or integrity of the system."
The report said the confidentiality weakness occurred because Vermont "did not enforce the use of high-level encryption on its Windows servers," and did not configure its servers using "compliant algorithms" called the Federal Information Processing Standards.
That means that California and Kentucky were the states that either had vulnerabilities that could allow a hacker to get usernames and passwords for users, or vulnerabilities that would allow a hacker to gain access to databases, although it's unclear which state had which problem.
Miller said the problems the GAO identified with Vermont's system are outdated. Between October 2013 and March 2015 when the report research was conducted, Vermont Health Connect was still using a hosting contract with CGI Technology Systems. A company called OptumInsight is the new hosting company.
Miller said the report has no value in assessing Vermont Health Connect's current status. "I think it is illustrative though of the nature of security problems on the federal exchange and other state exchanges, and I feel confident that Vermont Health Connect is among the most secure systems that the state operates," he said.
"These were risks that we had identified, that we were managing, that we were monitoring, Miller said. "There's never been any evidence of any malicious breach. We were very aggressive about security monitoring upgrades, consistent with CMS and IRS requirements. We never would've been able to come back up if we hadn't met the standards that they expected."
Vermont has spent about $200 million in federal money to build out Vermont Health Connect. The federal report says the Government Accountability Office identified which states to study based on whether they received a significant amount of federal funding. And it focused on ways that regulators at the U.S. Centers for Medicare and Medicaid Services are failing to control cybersecurity.
"CMS has not fully documented procedures that define its oversight responsibilities," the study says. "Further, while CMS has set requirements for annual testing of a subset of security controls implemented within the state-based marketplaces, it does not require continuous monitoring or annual comprehensive testing."
"Until CMS documents its oversight procedures and requires continuous monitoring of security controls, it does not have reasonable assurance that the states are promptly identifying and remediating weaknesses and therefore faces a higher risk that attackers could compromise the confidentiality, integrity, and availability of the data contained in state-based marketplaces," the report said.
The report says that federal regulations say the Centers for Medicare and Medicaid Services "should identify internal control responsibilities," as well as "each unit's responsibility for designing and implementing those controls" and "the appropriate level of detail to allow management to effectively monitor the control activities and define day-to-day procedures."
Miller, in testimony in front of the House Health Care Committee in March and April, disclosed 14 ways the state is seeking to stabilize Vermont Health Connect. He said the state has sought bidders to fix glitches in the system. The Centers for Medicare and Medicaid Services is currently reviewing bids from three different companies.
Additionally, a November report from state auditor Doug Hoffer found 121 security weaknesses with Vermont Health Connect. Three were high-risk, and 63 were moderate-risk. Miller's team said in a hearing that month that the amount of security risks fell well within the federal government's regulations.