CMS’ Weak ID Verification System Poses a Risk to Americans

A recent Government Accountability Office (GAO) audit revealed that the remote ID verification process used by the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) is obsolete and weak, and therefore likely provides inadequate security against fraud.

The CMS website is used for finding income-based government financial assistance and personal health insurance. It uses knowledge-based verification to validate a person’s identity. People are required to validate their name, address and birth date. They are then asked questions, such as those related to their credit file, that only they could answer.

Knowledge-based ID verification can give a good level of protection, but that is no longer the case given the massive Equifax data breach. Hackers stole a large amount of personal data from which answers to security questions may be obtained. Without a secure ID verification system, Americans are likely vulnerable to fraud.

There are a number of alternative methods for ID verification that give more security against fraud, including submitting a photo of an ID document that is compared to the record on file. Alternatively, rather than using credit files, a person’s mobile phone records may be used. A number of federal agencies have tried to enhance their remote ID verification systems but have had trouble implementing new solutions.

GAO performed audits at six agencies after the Equifax breach to evaluate how far the new verification methods had been implemented. Two of the six agencies, namely the General Services Administration (GSA) and the Internal Revenue Service (IRS), now use the new forms of ID verification.

The Department of Veterans Affairs (VA) has partly switched, but still uses knowledge-based verification for certain people. The United States Postal Service (USPS) and Social Security Administration (SSA) intend to eliminate knowledge-based ID verification, yet have no formal plan or timeline for doing so.

Only CMS is using knowledge-based ID verification with no plans to reduce or eliminate it in the future. Healthcare.gov simply uses email address verification, though that merely verifies that the user owns the email address used to create the account.

There are a number of reasons why alternative systems of ID verification are not ideal, such as cost, a lack of workable solutions, and implementation problems. One problem is that not everybody owns a mobile device, so not everybody can use mobile-based verification.

The reason given for Healthcare.gov’s not switching was cost-effectiveness; nevertheless, GAO stated that NIST guidance does not allow federal agencies to use knowledge-based verification on the basis of its cost-effectiveness.

CMS also contended that NIST guidance was not enough. GAO decided that more can be done and has required NIST to develop additional guidance that federal agencies could implement to achieve a more secure ID verification system.

GAO has advised CMS to continue exploring options because, without plans to change the current ID verification, CMS and Healthcare.gov applicants will remain at a higher risk of ID fraud.

GAO has likewise required the Office of Management and Budget (OMB) to provide guidance to government agencies and report on their progress in implementing more secure ID verification strategies.