GAO: CMS needs to change its ID verification process

The Centers for Medicare and Medicaid Services is taking a risk by continuing to use a knowledge-based verification process to remotely verify individuals’ identities seeking access to its Healthcare.gov service.

That’s the assessment of the Government Accountability Office, which contends that CMS and Healthcare.gov applicants will remain at an increased risk of identity fraud.

“Data stolen in recent breaches, such as the 2017 Equifax breach, could be used fraudulently to respond to knowledge-based verification questions,” states a GAO audit. “The risk that an attacker could obtain and use an individual’s personal information to answer knowledge-based verification questions and impersonate that individual led the National Institute of Standards and Technology to issue guidance in 2017 that effectively prohibits agencies from using knowledge-based verification for sensitive applications.”

However, despite the fact that alternative methods are available that provide stronger security, CMS has no plans to reduce or eliminate knowledge-based verification for remote identity proofing, according to auditors.

While the agency employs a two-step email verification process to reduce the risks associated with knowledge-based verification, auditors contend that this process confirms only the email address that was used to create the account, but it does not confirm the identity of the individual who is applying for the account.

“CMS uses knowledge-based verification to remotely verify individuals’ identities prior to granting them access to its Healthcare.gov service,” the GAO notes. “CMS has not implemented alternative methods to better ensure the effectiveness of the remote identity proofing processes used for its Healthcare.gov service.”

CMS Headquarters

Also See: OIG finds cybersecurity risks within HHS divisions’ systems

Auditors recommended that the CMS Administrator “should develop a plan with time frames and milestones to discontinue knowledge-based verification, such as by using Login.gov or other alternative verification techniques.”

Nonetheless, the Department of Health and Human Services—on behalf of CMS—disagreed with the GAO’s recommendation because the agency did not believe that the available alternatives to knowledge-based verification were feasible for the individuals it serves.

“However, a variety of alternative methods exist, and GAO continues to believe CMS should develop a plan for discontinuing the use of knowledge-based verification,” contend the auditors.

For reprint and licensing requests for this article, click here.