The Office of the Inspector General (OIG) recently released a report evaluating whether state agencies are able to adequately safeguard sensitive Medicaid systems and data. During reviews of information technology general controls at state Medicaid agencies, the OIG identified certain high-risk security vulnerabilities and offered advice for agencies to improve their security measures.
Going into the audits, the OIG raised concerns about the integrity of the systems used to process Medicaid claims, explaining in the report that without effective general controls, State agencies are not able to adequately safeguard sensitive Medicaid systems and data. It conducted a review of information system general controls at 10 state agencies from 2010 through 2012 and identified pervasive high-risk vulnerabilities. OIG said it has identified the security of health information systems as a top challenge facing the Department and State agencies. According to the OIG, state agencies were generally cooperative, recognizing the vulnerabilities and committing to addressing them.
The OIG reviewed 79 findings within the 10 State Medicaid agencies and grouped the findings into 15 security control areas within three information system general control categories: entity-wide controls, access controls, and network operations controls:
Entity-wide controls: OIG identified significant and pervasive findings involving the need to develop or strengthen formal, comprehensive plans for system security, contingency planning, and configuration management, among other findings.
An entity-wide information security management program is the foundation of a security control structure and a reflection of senior management’s commitment to addressing security risks. The entity-wide information security management program should establish a framework and continuous cycle of assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of these procedures.
OIG identified 34 entity-wide control findings at the 10 State agencies and grouped these findings into seven security control areas: System Security Plan (Eight Findings), Encryption (Eight), Contingency Planning (Five), Configuration Management (Five), Inventory Tracking (Three), Risk Assessments (Three) and Security Configuration Baselines (Two).
Access controls: These included frequently-noted vulnerabilities related to logical access and user account management, login identification and authentication, and remote access.
Access controls include physical controls, such as keeping computers in locked rooms to limit physical access, and logical controls, such as security software programs designed to prevent or detect unauthorized access to sensitive files. Access controls should be formally developed, documented, disseminated, and periodically updated to provide reasonable assurance that information security resources are protected against unauthorized modification, disclosure, loss, or impairment.
There were 25 OIG findings related to access controls: Logical Access Rights (Eight Findings), Identification and Authentication (Six), Remote Access (Six) and Physical Security (Five).
Network operations controls: OIG identified significant and pervasive findings regarding the need for formalized policies and procedures for network device management and patch management, among other findings.
Network operations controls consist of the policies and procedures used to maintain, manage, and secure the devices that connect to networks. Policies and procedures that keep devices up to date and configured properly, together with monitoring of network activity and network devices for security and maintenance issues, are critical to the overall security and reliability of the network.
OIG said it identified 20 network operations control findings at 8 of the 10 State agencies that it audited and grouped these findings into four security control areas: Network Device Management (Nine Findings), Patch Management (Six), Antivirus Deployment (Three) and Logging and Monitoring (Two).
Officials from several State agencies said resource constraints made information system security a lower priority, and they attributed the vulnerabilities to a lack of formal policies and procedures.
This review aggregates findings from the individual reports that show serious vulnerabilities in the 10 States’ MMIS. The State agencies advised us, in their comments on the individual restricted reports on information system general controls, that they were addressing the vulnerabilities that we had identified. The fact that some of the vulnerabilities were shared among the 10 State agencies suggests that other State Medicaid information systems may be similarly vulnerable. Medicaid agencies’ management should make information system security a higher priority. We are continuing to conduct work in this area.