GAO identifies security flaws in Vermont Health Connect

Lawrence Miller, chief of Health Care Reform for the Shumlin administration, told reporters Wednesday during a news conference at the Statehouse that he provided Gov. Peter Shumlin with incomplete information about the performance of Vermont Health Connect and its primary contractor, Optum. File photo by John Herrick/VTDigger

Vermont Health Connect has historically suffered from serious cybersecurity flaws, and federal regulators are still not doing enough to make the state correct them in a timely manner.

Those were two conclusions of a U.S. Government Accountability Office review released in March. The watchdog report was focused on the federal website but included cybersecurity assessments of three states’ health insurance exchanges.

Those three states are Vermont, Kentucky, and California, according to a spokesperson for the Government Accountability Office. The study itself identified problems in three states, but did not say which problem was within each state. The office originally released the names of the states to the Associated Press under a Freedom of Information Act request.
Lawrence Miller, the chief of health care reform for Gov. Peter Shumlin, said in an interview that Vermont was the third state listed in the report—meaning Vermont had problems with “weak encryption for protecting authentication and communication, increasing the risk that an attacker could compromise the confidentiality or integrity of the system.”

The report said the confidentiality weakness occurred because Vermont “did not enforce the use of high-level encryption on its Windows servers,” and did not configure its servers using “compliant algorithms” called the Federal Information Processing Standards.

That means that California and Kentucky were the states that either had vulnerabilities that could allow a hacker to get usernames and passwords for users, or vulnerabilities that would allow a hacker to gain access to databases, although it’s unclear which state had which problem.

Miller said the problems the GAO identified with Vermont’s system are outdated. Between October 2013 and March 2015 when the report research was conducted, Vermont Health Connect was still using a hosting contract with CGI Technology Systems. A company called OptumInsight is the new hosting company.

Miller said the report has no value in assessing Vermont Health Connect’s current status. “I think it is illustrative though of the nature of security problems on the federal exchange and other state exchanges, … and I feel confident that Vermont Health Connect is among the most secure systems that the state operates,” he said.

“These were risks that we had identified, that we were managing, that we were monitoring,” Miller said. “There’s never been any evidence of any malicious breach. We were very aggressive about security monitoring upgrades, consistent with CMS and IRS requirements. We never would’ve been able to come back up if we hadn’t met the standards that they expected.”

Vermont has spent about $200 million in federal money to build out Vermont Health Connect. The federal report says the Government Accountability Office identified which states to study based on whether they received a significant amount of federal funding. And it focused on ways that regulators at the U.S. Centers for Medicare and Medicaid Services are failing to control cybersecurity.

“CMS has not fully documented procedures that define its oversight responsibilities,” the study says. “Further, while CMS has set requirements for annual testing of a subset of security controls implemented within the state-based marketplaces, it does not require continuous monitoring or annual comprehensive testing.”

“Until CMS documents its oversight procedures and requires continuous monitoring of security controls, it does not have reasonable assurance that the states are promptly identifying and remediating weaknesses and therefore faces a higher risk that attackers could compromise the confidentiality, integrity, and availability of the data contained in state-based marketplaces,” the report said.

The report says that federal regulations say the Centers for Medicare and Medicaid Services “should identify internal control responsibilities,” as well as “each unit’s responsibility for designing and implementing those controls” and “the appropriate level of detail to allow management to effectively monitor the control activities and define day-to-day procedures.”

Miller, in testimony in front of the House Health Care Committee in March and April, disclosed 14 ways the state is seeking to stabilize Vermont Health Connect. He said the state has sought bidders to fix glitches in the system. The Centers for Medicare and Medicaid Services is currently reviewing bids from three different companies.

Additionally, a November report from state auditor Doug Hoffer found 121 security weaknesses with Vermont Health Connect. Three were high-risk, and 63 were moderate-risk. Miller’s team said in a hearing that month that the number of security risks fell well within the federal government’s regulations.

Mark Johnson contributed to this story.

Erin Mansfield
