The inspector general found that the administration "has taken actions to lower the security risks associated with HealthCare.gov systems" and consumers' personal information.
But the auditors said they "remain concerned" about the use of encryption technology that is not certified to meet certain government standards. Encryption here refers to scrambling the data traveling between consumers' browsers and HealthCare.gov so that it cannot be read if intercepted in transit.
In its formal response, the administration said it has taken other actions to resolve the encryption issue.
The inspector general's office tried to break into HealthCare.gov in April and May. Its experts used a technique called "vulnerability scanning," an automated probe for known weaknesses, and also conducted simulated attacks.
"Scanners simulate an outside malicious attack on the system and may identify ... vulnerabilities that could put a system's security at risk," the report explained. "Scanners use the same techniques as hackers, so the scanners test the security from an outside perspective."
HHS itself also runs similar scans regularly, part of its own security program.
The hackers from the inspector general's office found one "critical" vulnerability, described as a flaw that would let an attacker take over the system and execute commands, or download and modify information.
But the office said that when its "white-hat" experts attempted to mimic what a malicious hacker might try next, they were blocked by the system's defenses.
Separately, the review also found two critical vulnerabilities in databases that support the website.
Specific descriptions of the flaws were not released, but apparently none has been exploited by hackers.
HealthCare.gov serves 36 states, while the remaining states run their own enrollment websites.
The federal site had numerous technical problems when it was launched last fall and for weeks it was unworkable for most consumers.
At the time, technical experts within HHS were concerned that full security testing could not be completed because the system was undergoing so many last-minute changes. Nonetheless, Medicare administrator Marilyn Tavenner issued a six-month security authorization for the site, keyed to an action plan for reducing risks.
HealthCare.gov was hacked this summer, but the administration said no consumer information was stolen. Instead, hackers installed malicious software that could have been used to launch an attack on other websites.
"We have not had any malicious attacks on the site that have resulted in personal identification being stolen," Tavenner told Congress last week.
The inspector general's office also probed security for two state-run healthcare websites, the Kentucky exchange and New Mexico's small-business portal.
It found that Kentucky, seen as a national model, sufficiently protected consumers' personal information. But there were some weaknesses in who had access to the system.
"White-hat" hacking of New Mexico's site revealed 64 vulnerabilities.
The office said it will keep monitoring security on HealthCare.gov and state sites.