California, Kentucky, Vermont marketplaces identified as vulnerable to hackers
Weaknesses include insufficient encryption and inadequately configured firewalls, government report says.
As cyberattacks on healthcare systems become more frequent and call attention to the question of whether sensitive data is secure, the Government Accountability Office has released a report identifying significant weaknesses at three selected state-based marketplaces: California, Kentucky and Vermont.
The weaknesses include insufficient encryption and inadequately configured firewalls that could allow hackers to gain access to consumer data, according to the March 23 GAO report.
The three states were not identified in the report, but the GAO confirmed them upon request, in response to a story reported by the Associated Press.
Vermont authorities would not discuss the findings, but officials in California and Kentucky said this week that there was no evidence hackers succeeded in stealing anything, AP reported.
The three states were selected for the study by the GAO.
Weaknesses in all three states were identified in security and privacy controls as well as in technical controls related to access, cryptography, and configuration management, the report said.
For example, one state did not encrypt connections to the authentication servers supporting its system. The servers were configured to accept unencrypted connections, the GAO said.
As a result, an attacker on the network could observe the unencrypted transmission to gather usernames and password hashes, which could then be used to compromise those accounts, the GAO said.
One state did not filter uniform resource locator (URL) requests from the internet through a web application firewall to prevent hostile requests from reaching the marketplace website, it said.
As a result, hostile URL requests could be used to scan for and exploit vulnerabilities in the portal, and potentially to gain access to the marketplace's remaining systems and databases, the report said.
One state did not enforce the use of high-level encryption on its Windows servers to require the use of compliant algorithms. As a result, the servers could employ weak encryption for protecting authentication and communication, increasing the risk that an attacker could compromise the confidentiality or integrity of the system, according to the report.
In total, the GAO identified 24 potential mitigation activities to address weaknesses in the three states' security and privacy programs and 66 potential mitigation activities to improve the effectiveness of their information security.
"The three states generally agreed with the potential mitigation activities and have plans to address them," the report said.
The GAO originally reported its concerns to the three states in September 2015, it said.
The Centers for Medicare and Medicaid Services did not require sufficiently frequent monitoring of the effectiveness of security controls for state-based marketplaces, requiring testing only once every three years, the GAO said.
The GAO recommended that CMS define procedures for overseeing the security of state-based marketplaces and require continuous monitoring of state marketplace security controls.
The Department of Health and Human Services concurred with the recommendations, the GAO said.
On the federal side, for Healthcare.gov, CMS reported 316 security-related incidents between October 2013 and March 2015, the GAO report said.
The majority of these incidents involved either electronic probing of CMS systems by potential attackers, which did not lead to the compromise of any systems, or the physical or electronic mailing of sensitive information to an incorrect recipient, the GAO said.
There is no evidence that an outside attacker successfully compromised sensitive data, such as personally identifiable information, the GAO said.
CMS has taken steps to protect the security and privacy of data, the GAO said.
Over the past two years, the GAO has issued a number of reports highlighting challenges that CMS has faced in implementing and operating the health insurance marketplaces' IT systems.
In September 2014, the GAO noted that Healthcare.gov and its related systems had been deployed despite incomplete security plans and privacy documentation, incomplete security tests, and the lack of an alternate processing site to avoid major service disruptions, the GAO said.
As of December 2015, CMS had taken steps to address the problems, it said.
Twitter: @SusanJMorse