- The Centers for Medicare and Medicaid Services (CMS) is lax in its oversight of healthcare data security when it comes to Medicare beneficiaries, particularly for sharing data with researchers, warned a government watchdog agency.
Recent data breaches have highlighted the importance of securing health information, including Medicare beneficiary data. Such data are created, stored, and used by a variety of organizations, including healthcare providers, insurance companies, financial institutions, and researchers.
In a report released April 5, the US Government Accountability Office (GAO) concluded that CMS has failed to develop data security control guidance for researchers, increasing the risks that they have not applied controls that meet CMS standards.
The report was requested by the chairmen of the Senate Finance Committee, House Ways and Means Committee, and the House Energy and Commerce Committee.
CMS argued that researchers need flexibility to asses their unique security risks and determine appropriate controls. But that flexibility could put Medicare beneficiary data at risk, GAO warned.
At the same time, CMS has issued security control guidance for Medicare administrative contractors (MAC) that process and distribute Medicare benefits payments as well as for qualified entities that use claims data to evaluate performance of Medicare service providers and equipment suppliers.
MACs process more than 1.2 billion Medicare fee-for-service claims per year and interact with more than 1.5 million healthcare providers. They also handle customer service for beneficiaries and providers, financial and debt management, audit and appeals functions, and medical reviews.
To perform these functions, MACs connect directly to the CMS virtual data centers through the CMSNet network.
Researchers and qualified entities access Medicare data through the MS chronic conditions data warehouse/virtual research data center, which is a research database designed to make Medicare data more readily available.
While CMS has established an oversight program for the security of MAC data, it has not established a similar program to oversee security of data handled by researchers and qualified entities.
“Without effective oversight measures in place for researchers and qualified entities, CMS cannot fully ensure that the security of Medicare beneficiary data is being adequately protected,” warned GAO.
In addition, CMS has failed to consistently track low-risk security weaknesses identified in its annual independent assessment of MACs. These include security gaps in software configuration management, system security plans, and system inventories.
Without consistent tracking, it may be difficult for CMS to determine if all security gaps are being addressed in a timely manner, the GAO report explained.
To address these data security shortcomings, GAO recommended that 1) CMS develop additional guidance for researchers on implementing security controls, 2) consistently track results of independent assessments, and 3) institute an oversight program for researchers and qualified entities.
CMS concurred with GAO's recommendations and described actions it has planned or taken to address them.
Regarding the first recommendation, CMS said it “will consider the impact guidance would have on researchers and after such considerations, evaluate developing and distributing guidance that would define and implement minimum security controls that are consistent with NIST guidance.”
On the second recommendation, CMS has already “implemented a process to review, evaluate and risk rank all findings noted at each MAC. This process was implemented to ensure that each finding is risk ranked as consistently as objectively possible.”
As to the final recommendation, CMS “is considering implementing processes and procedures that would be necessary to ensure that qualified entities and researchers have implemented information security controls during their agreements with CMS,” the agency wrote.
“CMS will consider the impact these processes and procedures would have on qualified entities and researchers while developing them.”
Security problems with MACs are not new. An annual audit of MAC information security programs by the HHS Office of Inspector General and PricewaterhouseCoopers for found 145 security gaps at eight MACS in fiscal year 2016, an 8 percent increase for these same contractors in the previous fiscal year.
The audit found that security deficiencies remain at MACs in all Federal Information Security Management Act control areas tested. The control areas include periodic risk assessments; policies and procedures to reduce risk; system security plans; security awareness training; periodic testing of information security controls; remedial actions; incident detection, reporting, and response; continuity of operations for information technology systems; and privacy.
“Ineffective policies and procedures to reduce risk could jeopardize an organization’s mission, information, and IT assets,” the audit concluded. “Without adequate configuration standards and the latest security patches, systems may be susceptible to exploitation that could lead to unauthorized disclosure of data, data modification, or the unavailability of data.”