- While the Centers for Medicare and Medicaid Services (CMS) has effective security controls in place to prevent cybersecurity attacks, some data security vulnerabilities were found in its wireless networks, according to a recent Office of Inspector General report.
Four vulnerabilities in security controls over CMS’ wireless networks were discovered in the OIG investigation. There was no evidence that the vulnerabilities had been exploited, but OIG explained that they could result in unauthorized PII access and disclosure.
Critical operations could also be disrupted, and “the confidentiality, integrity, and availability of CMS’s data and systems” could have been compromised.
“We recommended that CMS improve its security controls to address the wireless network vulnerabilities we identified,” the report’s authors wrote. “When implemented, these recommendations should further strengthen the information security of CMS’s wireless networks.”
For the investigation, OIG conducted penetration tests at CMS. Certain wireless cyber attacks were conducted, using tools and techniques that attackers typically use to gain unauthorized access to wireless networks and sensitive data.
In response, CMS agreed with the findings and said that it has already addressed several of the noted issues and is in the process of addressing the rest.
“To secure against any potential vulnerabilities, CMS vigilantly monitors, tests. and strengthens its systems against cyber-attacks,” CMS Acting Administrator Andy Slavitt said in a letter. “In addition, CMS has procedures and processes in place to quickly identify, mitigate, and remove threats, in accordance with the Federal Information Security Management Act (FISMA) requirements and guidelines issued by the United States Computer Emergency Readiness Team (US-CERT).”
Slavitt added that CMS uses security prevention technology to protect its network and “identify rogue wireless access points, which OIG reported worked effectively during their testing.”
The CMS Employee Wireless network requires two-factor authentication; the internal network can then only be accessed through a virtual private network (VPN) over the wireless connection. The Guest Wireless Network which provides only public Internet access at CMS buildings, is isolated from the internal network and the CMS Employee Wireless network . Both wireless networks are continuously monitored and automatically block threats using a security prevention technology.
Earlier this year, OIG found 129 total healthcare data security gaps for Medicare administrative contractors (MACs) in 2014. This was an 8 percent increase from 2013.
MACs are private healthcare insurers that enter into contracts with the Centers for Medicare and Medicaid Services (CMS) to process Medicare Part A and Part B claims and Durable Medical Equipment claims in specific locations. The claims are for Medicare Fee-For-Service beneficiaries.
CMS is required to hire an independent organization to evaluate the information security programs of each MAC, while the assessments ensure Medicare data and PHI are appropriately secured and protected.
“Without a comprehensive program for periodically testing and monitoring information security controls, management has no assurance that appropriate safeguards are in place to mitigate identified risks,” OIG said in the report.
Each MAC had from three to five security gaps associated with risk management policies and procedures, for a total of 36 reported events in that area.
“Ineffective policies and procedures to reduce risk could jeopardize an organization’s mission, information, and IT assets,” OIG said in its report. “Without adequate configuration standards and the latest security patches, systems may be susceptible to exploitation that could lead to unauthorized disclosure of data, data modification, or the unavailability of data.”