- A Department of Health and Human Service Office of Inspector General audit of two Arizona Managed Care Organizations found significant, security vulnerabilities in its information systems, which call into question the integrity of the systems used to process Medicaid managed care claims and may be putting patient data at risk.
What’s worse: The flaws found suggest that other Arizona MCO information systems may also be at risk.
OIG audited the two MCOs to determine whether the agencies adequately protected the managed care data and information systems in compliance with HIPAA.
Officials investigated the MCO’s access controls and configuration management and found 19 security flaws in system general controls, in both access control and configuration management. Configuration management accounted for 14 of those vulnerabilities, including network device configuration.
For example, the network device firewall lacked a secure timeout session configuration, with one MCO placing the default at 30 minutes. In a timeframe that long, a hacker could “access the system using an authenticated administrator session that had not been properly ended.”
In fact, officials said an unauthorized user could have obtained those settings and “performed malicious activities.”
“Because network devices are integral to ensuring the security of the claims processing system, failure to adequately secure these devices exposes a network and its resources to attacks on the confidentiality, integrity, and availability of sensitive information,” officials wrote.
Both MCOs acknowledged the flaw and updated the timeout settings, according to officials.
However, OIG also found that the MCOs lacked a policy to ensure patches were applied to workstations in a timely manner. This issue is incredibly common in the healthcare sector, given many rely on legacy platforms and patching some platforms can impact the function of the device.
In fact, it was a patching failure that caused the U.K. National Health Service to fall victim to the global WannaCry attack in May 2017.
“The vulnerabilities were collectively—and in some cases, individually—significant, and could have potentially compromised the integrity of the Medicaid data at the MCOs.”
But the MCOs problem stemmed from employee issues, where patching workstations required a system restart to finish the application and employees were failing to do so. MCO officials said they are looking into ways to force a system reboot to remediate the issue.
OIG also found issues with server security, antivirus management and database management, along with website security.
“Although we did not identify evidence that the vulnerabilities had been exploited, exploitation could result in unauthorized access to, and disclosure of, sensitive information, as well as disruption of critical operations at the two MCOs,” officials wrote.
“As a result, the vulnerabilities were collectively—and in some cases, individually—significant, and could have potentially compromised the integrity of the Medicaid data at the MCOs,” they added.
OIG recommended the MCOs conduct a documented risk assessment and determine how the “disparate Federal security requirements” impacts the cybersecurity risk for patient data. The MCOs should also determine the corrective actions that could address the oversight gap.
Further, all state agencies should be notified with the results of OIG’s findings, to ensure the other state MCOs can apply necessary applications and to “enhance nation-wide awareness of cybersecurity weaknesses.”
The Centers for Medicare and Medicaid Services did not agree with the recommendation to perform a risk assessment, but agreed to inform all other state MCOs about the OIG audit findings.
“CMS stated that a risk assessment is already a requirement under the jurisdiction of the HHS Office for Civil Rights, and it would be duplicative of existing risk assessment efforts,” officials wrote.
“Since this issue resides in the Medicaid program and OCR is not responsible for the disparate application of Federal security requirements, OIG believes CMS is in the best position to ensure data security regulations are consistently applied to protect Medicaid beneficiaries’ data, regardless of where the data resides,” they added.