U.S. CITIZENS ON TRACK TO LOSE MEDICAL PRIVACY WITH OBAMACARE
NWV News Writer Jim Kouri
Posted 1:00 AM Eastern
May 19, 2014
© 2014 NewsWithViews.com
This week’s news of the Obama Administration’s handling of healthcare for American war heroes and veterans begs the question from reporters: If there is fraud, abuse and alleged death of patients being investigated in a small healthcare bureaucracy as the VA hospitals, what can we expected from a huge power-grab that allowed the federal government to totally control the entire medical industry?
With the IRS taking a significant role in the health care law signed by President Barack Obama on national television, that part of the Obamacare plan continues to worry those who have little faith in government efficiency, especially when Americans' privacy issues are involved, according to conservative security experts who favor constitutional government.
Many security experts fear that Americans' patient information will be vulnerable to unauthorized access and distribution with perpetrators being outside hackers or IRS insiders.
Today's Internal Revenue Service relies extensively on computerized systems to carry out its demanding responsibilities to collect taxes, process tax returns, and enforce the nation's tax laws. Add the new responsibilities of taxing health care under the guise of levying fines on those who violate Obamacare provisions as well as record keeping, and there now exists a greater likelihood of patient information being unlawfully accessed or accidentally released to third parties.
"Effective information security controls are essential to protect financial and taxpayer information from inadvertent or deliberate misuse, improper disclosure, or destruction," said Sidney Franes, owner of FLT Security Services.
"Having a person's medical records along with other personal information is an identity thief's dream come true, especially the [computer] hackers," said Franes.
As part of its audit of IRS's financial statements, Congress requested the Government Accountability Office to assess the status of IRS's actions to correct or mitigate previously reported information security weaknesses, and whether controls over key financial and tax processing systems are effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information.
To do this, GAO examined IRS information security policies, plans, and procedures; tested controls over key financial applications; and interviewed key agency officials at six sites, said officials.
The GAO reported that the IRS has continued to make progress in correcting previously reported information security weaknesses that GAO reported as unresolved at the conclusion of its audit.
Specifically, IRS has corrected or mitigated 28 of the 89 weaknesses and deficiencies -- 21 of 74 previously identified information security control weaknesses and 7 of 15 previously identified program deficiencies, according to GAO officials.
For example, it has changed vendor-supplied user accounts and passwords and avoided storing clear-text passwords in scripts. It also enhanced its policies and procedures for configuring mainframe operations and established an alternate processing site for its procurement system.
While IRS has corrected 28 control weaknesses and program deficiencies, 61 of them -- or about 69 percent -- remain unresolved or unmitigated, stated the GAO report.
The IRS continued to install patches in an untimely manner and used passwords that were not complex. In addition, IRS did not always verify that remedial actions were implemented or effectively mitigated the security weaknesses, the GAO report revealed.
According to IRS officials, they continued to address uncorrected weaknesses and, subsequent to GAO's site visits, had completed additional corrective actions on some of them. Despite these actions, newly identified and the unresolved information security control weaknesses in key financial and tax processing systems continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information.
The IRS did not consistently implement controls that were intended to prevent, limit, and detect unauthorized access to its systems and information. For example, IRS officials did not always enforce strong password management for properly identifying and authenticating users. It also failed the authorized user access tests that permit only the access needed to perform job functions. It also failed to log and monitor security events on a key system and did not physically protect its computer resources, the GAO analysts stated.
A key reason for these weaknesses is that IRS has not yet fully implemented its agency-wide information security program to ensure that controls are appropriately designed and operating effectively. Although IRS has made important progress in developing and documenting its information security program, it did not, among other things, review risk assessments at least annually for certain systems or ensure contractors receive awareness training.
Until these control weaknesses and program deficiencies are corrected, the agency remains unnecessarily vulnerable to insider threats related to the unauthorized access to and disclosure, modification, or destruction of financial and taxpayer information, as well as the disruption of system operations and services, the analysts pointed out in their report to Congress.
The new and unresolved weaknesses and deficiencies are the basis for GAO's determination that IRS had a material weakness in internal controls over financial reporting related to information security last year. The GAO advised the IRS that it should develop and implement policies and procedures for more securely configuring routers to encrypt network traffic, configuring switches to defend against attacks that could crash the network, and for notifying CSIRC of network changes that could affect its ability to detect unauthorized access.
© 2014 NWV - All Rights Reserved