GAO Audit Pointed Out CMS’ Weak ID Verification System

A Government Accountability Office (GAO) audit recently conducted showed that the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) uses a remote ID verification process that is poor and outdated. Consequently, it likely gives limited security against fraud.

The CMS site can help users find government financial assistance that is income-based and personal medical care insurance. It utilizes knowledge-based verification to check the identity of a person. People need to verify their name, birth date and address. Then, they need to answer questions which only they could answer. Sample questions include those connected to their credit file.

Though this knowledge-based ID verification process provides enough protection, it is not necessarily the case considering the huge Equifax data breach. Cyber criminals got hold of plenty of personal information that can be used to pull together answers to security questions. Americans are at risk of fraud without a secure ID verification process.

There are more secure options for ID verification such as using a copy of an ID document to compared with the record on file. And instead of using credit files, someone’s cell phone records may be employed. Some federal agencies have attempted to improve their remote ID verification process but failed to enforce it.

After the Equifax breach, GAO conducted audits in six agencies to assess the prospective of new verification methods. Two agencies – General Services Administration (GSA) and the Internal Revenue Service (IRS) are not using new ID verification process.

The Department of Veterans Affairs (VA) has partially upgraded, but still use knowledge-based verification for some individuals. The Social Security Administration (SSA) and the United States Postal Service (USPS) are serious in not using knowledge-based ID verification any more, but lack a formal plan or schedule for doing so.

The CMS alone is using knowledge-based ID verification without any plan to limit or do without knowledge-based ID verification. Healthcare.gov merely uses email verification, which only verifies the user’s ownership of the email account used for account creation.

Some of the reasons for not using an alternative systems of ID verification are: price, inadequate doable solutions, and implementation problems. One more difficulty is the fact that not all people owns a mobile device, which is required for mobile-based verification.

CMS also pointed out the insufficiency of the NIST guidance. Therefore, GAO required NIST to create additional guidance to help federal agencies implement a more secure ID verification system.

GAO has suggested to CMS and Healthcare.gov to explore alternate options to lower the risk of ID fraud, which is very likely without changing the current ID verification. GAO also required the Office of Management and Budget (OMB) to give guidance to federal agencies and follow-up on their progress in taking steps to use more secure ID verification strategies.