Securing Health Insurance Exchanges

The Patient Protection and Affordable Care Act (ACA) provides for each state to have a health insurance Exchange. These state-based Exchanges (SBE) allow individuals and businesses to buy health insurance at affordable cost. Exchanges let people go online and get information on coverage options, which allows them to make educated decisions about the coverage they want to obtain.

With the establishment of these state-based Exchanges, it is imperative to establish strong public trust in them, so that the Exchanges can be trusted with all the personally identifiable information (PII) and personal health information (PHI) they handle. Such trust can only be achieved by implementing strong security controls on these Exchanges. These security controls provide confidentiality, integrity and availability for the sensitive information that is processed and stored on Exchanges.

The Center for Medicaid and Medicare Services (CMS) is responsible for developing the security standards called Minimum Acceptable Risk Standards for Exchanges (MARS-E). The goal of MARS-E is to provide Exchange stakeholders with guidance that can be used when implementing IT infrastructure for Exchanges. CMS has developed annual security attestation procedures for state-based ACA administering entity (AE) systems. This document provides guidance and a report template for the annual security attestation of mandated MARS-E security controls. As per CMS, the basis for the annual security attestation is the MARS-E Security Assessment control CA-2. This control requires that all MARS-E security controls attributable to a specific system or application be assessed over a three-year period, with a subset of the controls assessed each year during the annual security attestation process.
Additionally, the MARS-E Continuous Monitoring control CA-7 requires organizations to implement a continuous monitoring program that includes reporting the security state of the information system to appropriate organizational officials at least once every 365 days. Enforcing these controls supports the identification of significant security vulnerabilities by recognizing non-compliant control areas in a timely manner. The assessment and the resulting attestation report provided to CMS help identify and address endemic security issues and give a detailed understanding of the current security posture associated with the broader Affordable Care Act (ACA) program.
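As an added illustration (not part of the original post or any CMS tooling), the following Python sketch turns the CA-2 and CA-7 timing rules above into checks an assessment team could run against its control inventory: it flags controls that have fallen outside the three-year CA-2 cycle, picks the annual subset so that the catalog is covered over three years, and flags a CA-7 reporting gap longer than 365 days. The control IDs other than CA-2 and CA-7, and all dates, are constructed sample data.

```python
from datetime import date, timedelta

# CA-2: every control attributable to the system is assessed at least once
# within a three-year period, with a subset assessed each year.
CA2_CYCLE_DAYS = 3 * 365
# CA-7: the security state is reported to organizational officials
# at least once every 365 days.
CA7_REPORT_DAYS = 365

# Constructed sample inventory: control ID -> date last assessed (None = never).
# CA-2 and CA-7 are named on the page; the other IDs are assumed NIST-style identifiers.
SAMPLE_LAST_ASSESSED = {
    "AC-2": date(2021, 3, 10),
    "AC-17": None,
    "AU-6": date(2023, 6, 1),
    "CA-2": date(2023, 6, 1),
    "CA-7": date(2022, 9, 15),
    "IA-5": date(2020, 11, 20),
    "SC-8": date(2022, 9, 15),
    "SI-4": date(2023, 6, 1),
}
SAMPLE_TODAY = date(2024, 1, 15)            # constructed assessment date
SAMPLE_LAST_REPORT = date(2022, 12, 1)      # constructed last CA-7 report date


def overdue_controls(last_assessed, today):
    """Controls not assessed within the CA-2 three-year window (never assessed counts)."""
    cutoff = today - timedelta(days=CA2_CYCLE_DAYS)
    return sorted(c for c, d in last_assessed.items() if d is None or d < cutoff)


def annual_subset(last_assessed, today):
    """This year's subset: every overdue control, then the stalest remaining
    controls until roughly one third of the catalog is covered."""
    target = -(-len(last_assessed) // 3)  # ceil(n / 3)
    chosen = overdue_controls(last_assessed, today)
    remaining = sorted(
        (c for c in last_assessed if c not in chosen),
        key=lambda c: last_assessed[c] or date.min,  # never-assessed sorts first
    )
    chosen.extend(remaining[: max(0, target - len(chosen))])
    return chosen


def ca7_report_overdue(last_report, today):
    """True when more than 365 days have passed since the last security-state report."""
    return last_report is None or (today - last_report).days > CA7_REPORT_DAYS
```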

Recently, SeNet International successfully conducted an annual MARS-E assessment of a state-based AE system for the Idaho Department of Health and Welfare (IDHW). We then put together a comprehensive security attestation report in line with the CMS requirements. SeNet used the interview, test and examine assessment methods described in the NIST SP 800-53 Rev. 4 guideline to conduct the MARS-E security control assessment.