Alabama’s Medicaid Management Information System (MMIS) had an adopted security program, but potential vulnerabilities remained because of inadequate Medicaid data security controls, according to a recent audit by the HHS Office of Inspector General (OIG).
“These vulnerabilities remained because Alabama neither implemented sufficient controls over its MMIS data and information systems nor provided sufficient oversight to ensure that HP, Alabama’s Medicaid fiscal agent, implemented contract security requirements,” OIG explained in its report.
The vulnerabilities had not been exploited, but had they been, the result could have been “unauthorized access to and disclosure of Medicaid data, as well as the disruption of critical Medicaid operations.”
Alabama must improve its Medicaid security program, aligning it with Federal requirements, OIG recommended. The state also needs to provide adequate oversight to its contractors and address other vulnerabilities OIG found in its audit.
“We used vulnerability assessment scanning software to determine whether security-related vulnerabilities existed on selected MMIS supporting network devices, Web sites, servers, and databases,” OIG explained.
Alabama agreed with OIG’s recommendations and also described the steps it was taking to address the recommendations. However, the state did not believe that the report’s title, “Alabama Did Not Adequately Secure Its Medicaid Data and Information Systems,” was accurate.
“Alabama has always, and will continue to always, strive to secure its Medicare data and information systems,” the state responded, according to OIG.
“We acknowledged in our draft report that Alabama had adopted a security program to protect its Medicaid data and information systems,” the agency stated. “However, we identified significant vulnerabilities, which increased the risks of Medicaid data and information systems being exploited. Therefore, we did not change the title of our report.”
OIG had similar findings in an investigation into North Carolina’s state Medicaid agency earlier this year.
North Carolina’s agency contracts with CSRA, Inc. to operate the state’s Medicaid claims processing systems. OIG found that CSRA’s computer operations controls over State fiscal year 2016 claims processing for the state Medicaid program left the data exposed to potential risk.
“We reviewed CSRA’s information system general controls relating to entity-wide security, access controls, configuration management, network device management, service continuity, mainframe operations, and application change control,” report authors explained. “The vulnerabilities that we identified increased the risk to the confidentiality, integrity, and availability of North Carolina’s Medicaid data.”
OIG explained in its 2017 Work Plan that it would be focusing on HHS’s compliance with the Federal Information Security Modernization Act (FISMA) of 2014.
FISMA requires “that agencies and their contractors maintain programs that provide adequate security for all information collected, processed, transmitted, stored, or disseminated in general support systems and major applications,” OIG said.
EHRs bring great opportunity for improving patient care and creating more efficient practice management, but OIG identified “the meaningful and secure exchange and use of electronic information and health IT” as a top management challenge facing HHS.
“Going forward, OIG’s planning efforts will consider the significant challenges that exist with respect to health IT adoption; meaningful use; and interoperability across providers, across HHS, and between providers and patients,” OIG wrote.
Medicaid data, along with other forms of PHI, must be properly protected. Agencies and the contractors that store or transmit these types of data on their behalf need to implement appropriate and reasonable safeguards.
These can include, but are not limited to, performing a comprehensive risk assessment, conducting regular employee security and privacy training, and implementing the necessary technical safeguards (e.g., firewalls, anti-virus software, data encryption).
OIG’s semiannual report to Congress for 2017 also touched on these issues.
“With the sheer amount of data and its complexity, however, the Department continues to face challenges in effectively using data to detect and prevent improper payments and to ensure safety and quality of care for program beneficiaries,” report authors wrote. “HHS also faces challenges to protect the privacy and security of the data it collects and maintains.”
Network and web application penetration testing were listed as ways to help improve privacy and security specifically. OIG stated that penetration testing can “determine whether security controls are effective in preventing certain cyber-attacks, the likely level of sophistication an attacker needs to compromise systems or data, and the agencies’ ability to detect attacks and respond appropriately.”
Date: September 21, 2017