The Internal Revenue Service needs to improve the security of the health care information submitted by health insurance providers and pharmaceutical makers and importers on information returns, according to a new government report.
The health care reform law requires the IRS to calculate and collect annual fees based on information form reports provided by health insurance providers and pharmaceutical manufacturers and importers. The annual fees are due by September 30 of each year.
The IRS conducted security and other tests to identify vulnerability weaknesses and verify that the AIR Release 1 system would function as designed, but TIGTA’s report said that improvements are needed to ensure the long-term success of the AIR system. TIGTA identified specific system control weaknesses that should be promptly addressed.
TIGTA recommended that the IRS’s chief technology officer ensure that procedures are developed to provide direction on how to mitigate vulnerability weaknesses. The vulnerability weaknesses that are identified should be promptly corrected and resolved, the report suggested. The IRS should also ensure that the ACA Plan of Action and Milestones adequately addresses the vulnerability weaknesses within the required time frames, said the report. In addition, the IRS’s IT Implementation and Testing organization needs to effectively manage the testing processes executed by the external contractors, TIGTA recommended.
The IRS agreed with the majority of TIGTA’s recommendations and plans to implement corrective actions. In some cases, the IRS was able to take action during TIGTA’s audit by beefing up the involvement of IRS employees in overseeing the work of contractors.
“In observing test execution for the release, your audit team observed an instance where increased contractor oversight by IRS testing personnel was needed to ensure we receive the best possible outcomes from test execution,” wrote Stephen Manning of the IRS’s Chief Technology Officer’s unit. “Your team’s feedback was very timely. Immediately upon receiving it, we inserted additional IRS oversight on this contractor-staffed team and completely re-executed a portion of our testing prior to system deployment.”
However, the IRS partially agreed with one recommendation and disagreed with two recommendations in the report, which were heavily redacted in the version released to the public. TIGTA noted its concern about the IRS response to these recommendations in the report.
An IRS spokesman emailed a statement Tuesday to Accounting Today defending the agency’s security efforts. “The IRS has taken aggressive steps to ensure the protection of federal tax data needed for administering the Affordable Care Act, including the security of information reports,” said the IRS. “The IRS notes that the system mentioned in this report does not deal with receiving health insurance through a Marketplace, individual insurance coverage information or anything related to people filing their tax returns in early 2015. The system described in the report supports the effort to collect annual fees based on forms provided by health insurance providers and pharmaceutical manufacturers and importers. It is important to note there have been no data breaches involving information sharing in this system. TIGTA acknowledged our security practices and made several recommendations that will contribute to further identifying and preventing security risks. TIGTA's suggestions also helped us to increase contractor oversight to ensure that we received the best possible outcome during system testing.”