The Office of the Inspector General (OIG) recently released a report evaluating whether State agencies are able to adequately safeguard sensitive Medicaid systems and data. During its reviews of information technology general controls at State Medicaid agencies, the OIG identified certain high-risk security vulnerabilities and offered advice for agencies on improving their security measures.
Going into the audits, the OIG raised concerns about the integrity of the systems used to process Medicaid claims, explaining in the report that without effective general controls, State agencies cannot adequately safeguard sensitive Medicaid systems and data. It reviewed information system general controls at 10 State agencies from 2010 through 2012 and identified pervasive high-risk vulnerabilities. The OIG said it has identified the security of health information systems as a top challenge facing the Department and State agencies. According to the OIG, State agencies were generally compliant, recognizing the vulnerabilities and committing to address them.
The OIG reviewed 79 findings within the 10 State Medicaid agencies and grouped the findings into 15 security control areas within three information system general control categories: entity-wide controls, access controls, and network operations controls:
Entity-wide controls: OIG identified significant and pervasive findings involving the need to develop or strengthen formal, comprehensive plans for system security, contingency planning, and configuration management, among other findings.
An entity-wide information security management program is the foundation of a security control structure and a reflection of senior management’s commitment to addressing security risks. The entity-wide information security management program should establish a framework and continuous cycle of assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of these procedures.
The OIG identified 34 entity-wide control findings at the 10 State agencies and grouped them into seven security control areas: System Security Plan (eight findings), Encryption (eight), Contingency Planning (five), Configuration Management (five), Inventory Tracking (three), Risk Assessments (three) and Security Configuration Baselines (two).
Access controls: These included frequently noted vulnerabilities related to logical access and user account management, login identification and authentication, and remote access.
Access controls include physical controls, such as keeping computers in locked rooms to limit physical access, and logical controls, such as security software programs designed to prevent or detect unauthorized access to sensitive files. Access controls should be formally developed, documented, disseminated, and periodically updated to provide reasonable assurance that information security resources are protected against unauthorized modification, disclosure, loss, or impairment.
There were 25 OIG findings related to access controls: Logical Access Rights (eight findings), Identification and Authentication (six), Remote Access (six) and Physical Security (five).
Network operations controls: OIG identified significant and pervasive findings regarding the need for formalized policies and procedures for network device management and patch management, among other findings.
Network operations controls consist of the policies and procedures used to maintain, manage, and secure the devices that connect to networks. Policies and procedures that keep devices up to date and properly configured, together with monitoring of network activity and network devices for security and maintenance issues, are critical to the overall security and reliability of the network.
The OIG said it identified 20 network operations control findings at 8 of the 10 State agencies it audited and grouped them into four security control areas: Network Device Management (nine findings), Patch Management (six), Antivirus Deployment (three) and Logging and Monitoring (two).
Officials from several State agencies said resource constraints had contributed to making information system security a lower priority, and they attributed the vulnerabilities themselves to a lack of formal policies and procedures.
This review aggregates findings from the individual reports that show serious vulnerabilities in the 10 States’ MMIS. The State agencies advised us, in their comments on the individual restricted reports on information system general controls, that they were addressing the vulnerabilities that we had identified. The fact that some of the vulnerabilities were shared among the 10 State agencies suggests that other State Medicaid information systems may be similarly vulnerable. Medicaid agencies’ management should make information system security a higher priority. We are continuing to conduct work in this area.