The Office of the Inspector General (OIG) recently released a report evaluating whether state agencies are able to adequately safeguard sensitive Medicaid systems and data. During reviews of information technology general controls at state Medicaid agencies, the OIG identified certain high-risk security vulnerabilities and offered advice for agencies to improve their security measures.
Going into the audits, the OIG raised concerns about the integrity of the systems used to process Medicaid claims, explaining in the report that without effective general controls, State agencies are not able to adequately safeguard sensitive Medicaid systems and data. It conducted a review of information system general controls at 10 state agencies from 2010 through 2012 and identified pervasive high-risk vulnerabilities. The OIG said it had identified the security of health information systems as a top challenge facing the Department and State agencies. According to the OIG, state agencies were generally compliant, recognizing the vulnerabilities and committing to addressing them.
The OIG reviewed 79 findings within the 10 State Medicaid agencies and grouped the findings into 15 security control areas within three information system general control categories: entity-wide controls, access controls, and network operations controls:
Entity-wide controls: OIG identified significant and pervasive findings involving the need to develop or strengthen formal, comprehensive plans for system security, contingency planning, and configuration management, among other findings.
An entity-wide information security management program is the foundation of a security control structure and a reflection of senior management’s commitment to addressing security risks. The entity-wide information security management program should establish a framework and continuous cycle of assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of these procedures.
The OIG identified 34 entity-wide control findings at the 10 State agencies and grouped these findings into 7 security control areas: System Security Plan (Eight Findings), Encryption (Eight), Contingency Planning (Five), Configuration Management (Five), Inventory Tracking (Three), Risk Assessments (Three) and Security Configuration Baselines (Two).
Access controls: These included frequently-noted vulnerabilities related to logical access and user account management, login identification and authentication, and remote access.
Access controls include physical controls, such as keeping computers in locked rooms to limit physical access, and logical controls, such as security software programs designed to prevent or detect unauthorized access to sensitive files. Access controls should be formally developed, documented, disseminated, and periodically updated to provide reasonable assurance that information security resources are protected against unauthorized modification, disclosure, loss, or impairment.
There were 25 OIG findings related to access controls: Logical Access Rights (Eight Findings), Identification and Authentication (Six), Remote Access (Six) and Physical Security (Five).
Network operations controls: OIG identified significant and pervasive findings regarding the need for formalized policies and procedures for network device management and patch management, among other findings.
Network operations controls consist of the policies and procedures used to maintain, manage, and secure the devices that connect to networks. Policies and procedures that keep devices up to date and configured properly, together with monitoring of network activity and network devices for security and maintenance issues, are critical to the overall security and reliability of the network.
The OIG said it identified 20 network operations control findings at 8 of the 10 State agencies that it audited and grouped these findings into four security control areas: Network Device Management (Nine Findings), Patch Management (Six), Antivirus Deployment (Three) and Logging and Monitoring (Two).
Officials from several State agencies said that resource constraints had made information system security a lower priority, and they attributed the vulnerabilities to a lack of formal policies and procedures.
The report itself concludes: This review aggregates findings from the individual reports that show serious vulnerabilities in the 10 States’ MMIS. The State agencies advised us, in their comments on the individual restricted reports on information system general controls, that they were addressing the vulnerabilities that we had identified. The fact that some of the vulnerabilities were shared among the 10 State agencies suggests that other State Medicaid information systems may be similarly vulnerable. Medicaid agencies’ management should make information system security a higher priority. We are continuing to conduct work in this area.