The New Mexico Human Services Department (HSD) has certain vulnerabilities in its Medicaid data security, which could put HSD operations at risk, according to a recent OIG investigation.
HSD migrated from a legacy eligibility system to the Automated System Program and Eligibility Network (ASPEN) in 2014. OIG wanted to determine if HSD had implemented necessary security measures for its Medicaid data and information systems.
“HSD designed ASPEN to improve New Mexicans’ access to services through the Internet and to provide HSD field staff with more efficient and technically advanced tools,” report authors explained. “HSD completed the implementation of ASPEN in June 2014 and moved it into operation in July 2014.”
OIG reviewed HSD policies and procedures, interviewed staff, and reviewed supporting documentation. The agency also used audit software-scanning programs to “identify potential security-related configuration vulnerabilities on websites and HSD eligibility systems databases.”
The HSD Medicaid data and information systems were not adequately secured per Federal requirements, the investigation revealed.
“Although HSD adopted a security program for its eligibility systems, we identified system vulnerabilities that potentially placed HSD’s operations at risk,” report authors stated. “These vulnerabilities existed because HSD had not implemented sufficient controls over its Medicaid data and information systems.”
The vulnerabilities may have led to data being exploited, which could have resulted in unauthorized access to sensitive information. HSD’s critical operations may also have been disrupted, according to OIG.
Specific vulnerability details were not included in the public report because of the sensitive nature of the information.
OIG did make detailed recommendations on how to improve the HSD eligibility system security program.
“HSD stated that it concurred with all of our findings and described corrective actions that it had taken or plans to take,” report authors concluded. “However, HSD did not concur with one of our recommendations and described a compensating control and that they elected to accept all risks related to the compensating control.”
Earlier this year, OIG had similar findings in an audit of the Virginia Medicaid Management Information System (MMIS).
Virginia’s Medicaid data and information systems were not adequately secured, which could have led to potential data exposure.
MMIS also utilizes NIST’s Recommended Security Controls for Federal Information Systems and Organizations as its security standard, according to OIG. Virginia requires that security standard throughout the entire state.
OIG recommended the following areas be improved for Virginia to strengthen its Medicaid security:
- Systems and information integrity controls
- Risk management process
- Access and authentication controls
- Audit and accountability controls
- System and communications protection controls
- Configuration management controls
Virginia concurred with OIG’s findings and described the specific actions it would take to make the necessary security improvements.
NIST’s guidelines outline low-, moderate-, and high-impact security controls for organizations. This includes system and information integrity policy and procedures.
Organizations must have “a system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance,” according to NIST. There must also be “procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.”
“The procedures can be established for the security program in general and for particular information systems, if needed,” NIST states. “The organizational risk management strategy is a key factor in establishing policy and procedures.”
Online security controls are becoming increasingly critical for healthcare providers, especially with more information being stored and transmitted through online networks.
In June 2017, the Mississippi Division of Medicaid (DOM) announced that it had experienced a potential PHI data breach from accidental online exposure. Approximately 5,220 individuals may have been impacted.
DOM discovered that an online form was accidentally emailed without being encrypted. DOM used an online service to create forms that were then posted to the DOM website.
The information involved may have included names, dates of birth, addresses, phone numbers, email addresses, admission and enrollment dates, health insurer, condition, Social Security numbers, and Medicare and/or Medicaid identification numbers.
Once received, though, the emails and accompanying information were stored securely.
“Once the error was discovered, the online forms were immediately removed from the website and use of the online form service was terminated,” DOM stated. “The agency is also in the process of strengthening technological safeguards, in addition to revising policies and procedures addressing privacy and security regulations.”
The data was likely exposed between May 2, 2014, and April 10, 2017, DOM added. However, “the typical Internet user would not know how to capture it during transmission,” DOM Security Officer Keith Robinson explained.
“The data storage was secured both at the originating source and the destination [DOM], reducing the risk of the data being compromised,” Robinson said.