The Centers for Medicare and Medicaid Services (CMS) needs to improve its risk management oversight and security controls to ensure the availability of the Medicare enrollment database (EDB), concluded an HHS Office of Inspector General (OIG) audit released Sept. 18.
EDB is the primary source of Medicare enrollment information for the entire population of beneficiaries. The audit estimated that it would cost CMS $47 million per day if a cyberattack shut down the EDB.
For the report, the OIG reviewed CMS’s policies and procedures, interviewed staff, reviewed system security documentation, and conducted visits to contingency planning sites to determine whether EDB security controls were adequate.
The office’s objective was to determine whether CMS implemented security controls within the EDB to protect the confidentiality, integrity, and availability of Medicare enrollee data, in accordance with federal requirements.
OIG said it provided a restricted report to CMS that included five recommendations. CMS concurred with all the recommendations and stated the current system is being integrated into a larger Medicare system.
This is not the first time that CMS has been criticized for inadequate data security in its Medicare program. The GAO issued a report in April citing security control issues when Medicare beneficiary data is shared with researchers.
Researchers and qualified entities access Medicare data through the chronic conditions data warehouse/virtual research data center, which is a research database designed to make Medicare data more readily available.
CMS has not established a program to oversee the security of data handled by researchers and qualified entities accessing the data center, GAO found.
CMS argued that researchers need flexibility to assess their unique security risks and determine appropriate controls. But that flexibility could put Medicare beneficiary data at risk.
“Without effective oversight measures in place for researchers and qualified entities, CMS cannot fully ensure that the security of Medicare beneficiary data is being adequately protected,” warned GAO.
In addition, CMS has failed to consistently track low-risk security weaknesses identified in its annual assessment of Medicare administrative contractors (MACs). These include security gaps in software configuration management, system security plans, and system inventories.
MACs process more than 1.2 billion Medicare fee-for-service claims per year and interact with more than 1.5 million healthcare providers. They also handle customer service for beneficiaries and providers, financial and debt management, audit and appeals functions, and medical reviews.
To perform these functions, MACs connect directly to the CMS virtual data center through the CMSNet network.
Without consistent tracking, it is hard for CMS to determine if all security gaps are being addressed in a timely manner, the GAO report said.
To address these data security shortcomings, the government watchdog recommended that 1) CMS develop additional guidance for researchers on implementing security controls, 2) consistently track results of independent assessments, and 3) institute an oversight program for researchers and qualified entities.
Last month, OIG dinged Maryland for inadequate data security control of its Medicaid program. The office found significant vulnerabilities in the state’s Medicaid Management Information System because it did not implement enough security controls over the data and IT systems.
OIG reviewed Maryland’s MMIS policies and procedures, interviewed staff, and examined supporting documentation. It also used vulnerability assessment scanning software to determine whether security vulnerabilities existed in MMIS supporting network devices, websites, servers, and databases.
“Although we did not identify evidence that anyone had exploited these vulnerabilities, exploitation could have resulted in unauthorized access to and disclosure of Medicaid data, as well as the disruption of critical Medicaid operations,” OIG observed.
“These vulnerabilities were collectively and, in some cases, individually significant and could have compromised the integrity of Maryland’s Medicaid program,” it added.
OIG oversees the use of certain federal programs by states, including Medicaid. State agencies are required to employ appropriate security for computer systems used in administering Medicaid and other federal entitlement benefits and to conduct biennial reviews of that security.