The marketplaces set up to provide health insurance to Americans under Obamacare are generally doing a good job of protecting personally identifiable information but can also improve security practices.

The health insurance marketplaces instituted by the Affordable Care Act, through which tens of millions of Americans have signed up for medical coverage, aren’t doing a bad job of securing sensitive personal information, but they could certainly be doing a better job, according to a new analysis.

In a review of three such exchanges — federal and federally facilitated exchanges in Kentucky and New Mexico — the Office of Inspector General (OIG) for the Department of Health and Human Services broadly found that the marketplaces “generally protected personally identifiable information but could improve certain information security practices.”

More specifically, the Centers for Medicare and Medicaid Services (CMS) has decreased the risk posed to customer information by establishing a dedicated security team to monitor and fix vulnerabilities, performing weekly vulnerability scans of the Federally Facilitated Marketplaces (FFMs) and completing two security control assessments of the FFM. FFMs are marketplaces developed by the federal government for states that have opted not to build their own custom marketplace.

However, CMS has failed to implement automated security testing procedures and scanning tools designed to uncover vulnerabilities in its databases and websites. It also did not maintain the documentation needed to verify that it had encrypted a database property file that, as a previous report made clear, contained user credentials in plain text. In addition, Healthcare.gov was unable to detect and defend against the OIG’s website vulnerability scanning and simulated cyber attacks.

The review also found one critical security vulnerability in Healthcare.gov and two critical bugs in databases supporting the FFMs. None of these three bugs had been fully remediated by the time the review process ended; however, CMS says it has since fixed all three.

Kentucky’s health benefit exchange (KHBE) is doing a sufficient job of protecting personally identifiable information through the deployment of strong encryption. However, the state’s access controls are lacking: it does not have proper controls in place that restrict user and group access to authorized roles and functions and thereby prevent privilege elevation.

“These conditions existed because the Commonwealth was transitioning its information technology responsibilities among agencies and had not sufficiently established coordination between them,” the report found. “In addition, at the time of our review, the Commonwealth agencies supporting the KHBE had not sufficiently implemented certain policies and procedures to meet Federal requirements. As a result, the PII on 478,718 applications for approximately 610,891 individuals and 628 employers was at a greater risk of being exploited.”

The New Mexico Health Insurance Exchange (NMHIX) contained several vulnerabilities but was otherwise in compliance with federally mandated rules. The vulnerabilities included one encryption bug, two remote access flaws, a patch management issue and a Universal Serial Bus port and device vulnerability. The OIG’s website scanning tool discovered an additional 64 vulnerabilities in the site (two high, four medium and 64 low severity). The database scan found 74 bugs (one high, 44 medium and 29 low severity). New Mexico has acknowledged all the bugs reported to it as part of this review and plans to fix them.

The OIG for HHS performed its review by conducting a series of vulnerability scans between February and May, and a series of simulated attacks between April and May of this year. The audit focused on the information security controls implemented on Healthcare.gov and on the servers containing personally identifiable information, and it included a review of information security policies at CMS. The audit also examined prior network security reports for both to see whether the groups had followed through on the security recommendations made after previous vulnerability scans.