- Cybersecurity issues and information technology issues are both common in numerous areas that the Office of Inspector General (OIG) plans to focus on, according to the latest OIG semiannual report to Congress.
OIG wants to keep working on grants management, mental health services, managed care programs and value-based care, and the quality and safety of programs serving American Indian and Alaska Native beneficiaries, Inspector General Daniel Levinson wrote as part of the report.
The completeness, accuracy, and timeliness of data will also be a critical factor as OIG investigates its key areas of concern, Levinson added.
“Data and our growing data analytics capabilities played a significant role in these efforts,” he wrote. “We continue to cultivate a workforce with the skills and talents to excel in a data-driven oversight environment. This strategy is paying dividends for the American public.”
“By leveraging advanced analytic techniques to detect potential vulnerabilities and fraud trends, we are better able to target our resources at those areas and individuals most in need of oversight, leaving others free to provide care and services without unnecessary disruption.”
Utilizing data from April 2017 through September 2017, the OIG report also stressed the importance of collaboration across Federal agencies, as well as Federal, State, and local governments. Collaboration with the private sector is also beneficial “to advance shared interests in effective, efficient, economical programs,” Levinson maintained.
OIG conducted several investigations with regard to information security, where potential IT control weaknesses could have led to the exposure of individuals’ personal information.
For example, OIG reported in August 2017 that the New Mexico Human Services Department (HSD) had certain vulnerabilities in its Medicaid data security. Those vulnerabilities could put HSD operations at risk, OIG said.
HSD had migrated from a legacy eligibility system to the Automated System Program and Eligibility Network (ASPEN) in 2014. The investigation aimed to determine if the necessary security measures had been implemented.
“Although HSD adopted a security program for its eligibility systems, we identified system vulnerabilities that potentially placed HSD’s operations at risk,” report authors wrote. “These vulnerabilities existed because HSD had not implement sufficient controls over its Medicaid data and information systems.”
OIG also published a report on the North Carolina State Medicaid agency (State agency) in August 2017.
In that case, OIG determined that the organization operating the State agency’s Medicaid claims processing systems had potential risk.
“We reviewed CSRA’s information system general controls relating to entity-wide security, access controls, configuration management, network device management, service continuity, mainframe operations, and application change control,” OIG said. “The vulnerabilities that we identified increased the risk to the confidentiality, integrity, and availability of North Carolina’s Medicaid data.”
While those vulnerabilities had not been exploited, OIG explained that proper safeguards are necessary to protect systems from malicious third parties who want “to obtain access in order to commit fraud or abuse or launch attacks against other computer systems and networks.”
OIG also noted its accomplishments in identifying significant risks, problems, abuses, deficiencies, remedies, and investigative outcomes relating to how HHS programs and operations were administered. This included the following areas:
- Fighting fraud in HHS programs
- Curbing the opioid epidemic
- Protecting vulnerable beneficiaries in nursing homes and non-institutional settings
- Protecting the health and safety of children in HHS programs
- Improving financial management and reducing improper payments in Medicare
- Overseeing programs aimed at improving quality and reducing costs
- Protecting the integrity of the Medicaid program
- Ensuring integrity and quality in programs serving American Indians and Alaskan Natives.
These findings somewhat overlap with the previous Semiannual Report to Congress, which included data from October 2016 to March 2017.
Improving data integrity and information security measures were critical to overall HHS success, OIG said in the earlier report.
“With the sheer amount of data and its complexity, however, the Department continues to face challenges in effectively using data to detect and prevent improper payments and to ensure safety and quality of care for program beneficiaries,” the agency wrote. “HHS also faces challenges to protect the privacy and security of the data it collects and maintains.”
Network and web application penetration testing were specifically cited for data privacy and security improvements, as they can “determine whether security controls are effective in preventing certain cyber-attacks, the likely level of sophistication an attacker needs to compromise systems or data, and the agencies’ ability to detect attacks and respond appropriately.”