The HHS Office of the Inspector General found one "critical vulnerability" in the security of information on HealthCare.gov, the government's health insurance website, according to a report it released Tuesday.

The OIG conducted what it calls a "white-hat" review of security controls and completed a Web application vulnerability scan of the website.

The work, which included simulated attacks, was conducted from February 2014 to June 2014.

OIG focused its audit on information security controls over certain operations and systems. It found significant room for improvement. At the time of the review, OIG discovered that the Centers for Medicare & Medicaid Services had not: 

• Implemented a process to use automated tools to test database security configuration settings on all of its supporting databases;
• Implemented an effective enterprise scanning tool to test for website vulnerabilities;
• Maintained adequate documentation to verify that a finding from one of its FFM security control assessment reports related to a database property file containing user credentials had been sufficiently closed by encrypting the file with a Federal Information Processing Standard (FIPS) 140-2-approved cryptographic module, and
• Detected and defended against our website vulnerability scanning and simulated cyber attacks directed at the HealthCare.gov Web site.

Also, auditors said they remain concerned about the use of encryption technology that is not certified to meet certain government standards.