The Office of the Inspector General (OIG) recently released a report evaluating whether state agencies are able to adequately safeguard sensitive Medicaid systems and data. During reviews of information technology general controls at state Medicaid agencies, it identified certain high-risk security vulnerabilities and offered advice for agencies to improve their security measures.
Going into the audits, the OIG raised concerns about the integrity of the systems used to process Medicaid claims, explaining in the report that without effective general controls, State agencies are not able to adequately safeguard sensitive Medicaid systems and data. It conducted a review of information system general controls at 10 state agencies from 2010 through 2012 and identified pervasive high-risk vulnerabilities. OIG said it had identified the security of health information systems as a top challenge facing the Department and State agencies. According to the OIG, state agencies were generally compliant, recognizing the vulnerabilities and committing to addressing them.
The OIG reviewed 79 findings within the 10 State Medicaid agencies and grouped the findings into 15 security control areas within three information system general control categories: entity-wide controls, access controls, and network operations controls:
Entity-wide controls: OIG identified significant and pervasive findings involving the need to develop or strengthen formal, comprehensive plans for system security, contingency planning, and configuration management, among other findings.
An entity-wide information security management program is the foundation of a security control structure and a reflection of senior management’s commitment to addressing security risks. The entity-wide information security management program should establish a framework and continuous cycle of assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of these procedures.
OIG identified 34 entity-wide control findings at the 10 State agencies and grouped these findings into 7 security control areas: System Security Plan (Eight Findings), Encryption (Eight), Contingency Planning (Five), Configuration Management (Five), Inventory Tracking (Three), Risk Assessments (Three) and Security Configuration Baselines (Two).
Access controls: These included frequently noted vulnerabilities related to logical access and user account management, login identification and authentication, and remote access.
Access controls include physical controls, such as keeping computers in locked rooms to limit physical access, and logical controls, such as security software programs designed to prevent or detect unauthorized access to sensitive files. Access controls should be formally developed, documented, disseminated, and periodically updated to provide reasonable assurance that information security resources are protected against unauthorized modification, disclosure, loss, or impairment.
There were 25 OIG findings related to access controls: Logical Access Rights (Eight Findings), Identification and Authentication (Six), Remote Access (Six) and Physical Security (Five).
Network operations controls: OIG identified significant and pervasive findings regarding the need for formalized policies and procedures for network device management and patch management, among other findings.
Network operations controls consist of the policies and procedures used to maintain, manage, and secure the devices that connect to networks. Policies and procedures that keep devices up to date and configured properly, together with monitoring of network activity and network devices for security and maintenance issues, are critical to the overall security and reliability of the network.
OIG said it identified 20 network operations control findings at 8 of the 10 State agencies that it audited and grouped these findings into four security control areas: Network Device Management (Nine Findings), Patch Management (Six), Antivirus Deployment (Three) and Logging and Monitoring (Two).
Officials from several State agencies said resource constraints had contributed to making information system security a lower priority, and they attributed the vulnerabilities themselves to a lack of formal policies and procedures.
This review aggregates findings from the individual reports that show serious vulnerabilities in the 10 States’ MMIS. The State agencies advised us, in their comments on the individual restricted reports on information system general controls, that they were addressing the vulnerabilities that we had identified. The fact that some of the vulnerabilities were shared among the 10 State agencies suggests that other State Medicaid information systems may be similarly vulnerable. Medicaid agencies’ management should make information system security a higher priority. We are continuing to conduct work in this area.