While the administration "has taken important steps to apply security and privacy safeguards to HealthCare.gov and its supporting systems, significant weaknesses remain that put these systems and the sensitive, personal information they contain at risk of compromise," Gregory Wilshusen, GAO's director of information security, said in testimony prepared for the House Oversight and Government Reform Committee.
The committee released his testimony Tuesday. GAO's accompanying 78-page report was released later.
The website collects sensitive personal information including names, birth dates, Social Security numbers and family income.
Multiple federal and state agencies as well as many contractors have access. Yet the report found there's no common understanding of security requirements among all the players.
The agency running HealthCare.gov "had not always required or enforced strong password controls, adequately restricted access to the Internet, consistently implemented software patches and properly configured an administrative network," the report said.
Responding for the administration, HHS spokesman Aaron Albright said that the changing nature of threats makes website security an evolving process and that officials have already acted on many of the recommendations.
In its public assessment, the GAO outlined six broad areas where more work needs to be done. They ranged from basics like following recommended best practices for government agencies, to a comprehensive test of all elements of the system, to establishing a backup site for HealthCare.gov and its supporting networks.
In an accompanying report that was not publicly released, Wilshusen said the agency listed 22 specific technical recommendations to fix security flaws. He said the administration agreed with all the specific recommendations, although not with some of the broader suggestions.
One major disagreement is whether security testing should involve the entire system simultaneously, as GAO recommends, or whether each component can be tested and certified separately, as the administration has done.
HealthCare.gov was hacked this summer, but no consumer information was stolen. Instead, hackers installed malicious software that could have been used to launch an attack on other websites from the federal insurance portal.
Federal computer systems get hundreds of cyberattacks every day, but this was believed to be the first successful one involving HealthCare.gov.
The healthcare site had numerous technical problems when it was launched last fall and was initially unworkable for most consumers. Among the issues that concerned the administration's own technical experts at the time was that security testing could not be completed because the system was undergoing so many last-minute changes.
The part of HealthCare.gov that serves as the entryway for consumers eventually passed security certification, but the GAO revealed that security testing continued well into this year on other important components that deal with health plan information and financial management. The administration said that's because those components were still in stages of development.
The report also confirmed security problems in state computer systems linking to the federal network, reported earlier this year by The Associated Press.
Created under President Barack Obama's health care law, HealthCare.gov is the online gateway to subsidized private insurance for people who don't have access to a health plan on the job.
The site currently serves 36 states, and more may be added when open enrollment starts Nov. 15. The remaining states run their own insurance exchanges.
One of those states, Vermont, announced Tuesday that its technically troubled site has been taken down to fix numerous issues, including several security problems.
The Oversight and Government Reform Committee was scheduled to hold a hearing Thursday on the GAO report and the outlook for the second year of HealthCare.gov.