The Office of the Inspector General (OIG) recently released a report evaluating whether state agencies are able to adequately safeguard sensitive Medicaid systems and data. During reviews of information technology general controls at state Medicaid agencies, the OIG identified certain high-risk security vulnerabilities and offered advice for agencies to improve their security measures.
Going into the audits, the OIG raised concerns about the integrity of the systems used to process Medicaid claims, explaining in the report that without effective general controls, State agencies are not able to adequately safeguard sensitive Medicaid systems and data. It conducted reviews of information system general controls at 10 state agencies from 2010 through 2012 and identified pervasive high-risk vulnerabilities. OIG said it identified the security of health information systems as a top challenge facing the Department and State agencies. According to the OIG, state agencies were generally cooperative, acknowledging the vulnerabilities and committing to address them.
The OIG reviewed 79 findings within the 10 State Medicaid agencies and grouped the findings into 15 security control areas within three information system general control categories: entity-wide controls, access controls, and network operations controls:
Entity-wide controls: OIG identified significant and pervasive findings involving the need to develop or strengthen formal, comprehensive plans for system security, contingency planning, and configuration management, among other findings.
An entity-wide information security management program is the foundation of a security control structure and a reflection of senior management’s commitment to addressing security risks. The entity-wide information security management program should establish a framework and continuous cycle of assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of these procedures.
OIG identified 34 entity-wide control findings at the 10 State agencies and grouped them into seven security control areas: System Security Plan (eight findings), Encryption (eight), Contingency Planning (five), Configuration Management (five), Inventory Tracking (three), Risk Assessments (three) and Security Configuration Baselines (two).
Access controls: These included frequently noted vulnerabilities related to logical access and user account management, login identification and authentication, and remote access.
Access controls include physical controls, such as keeping computers in locked rooms to limit physical access, and logical controls, such as security software programs designed to prevent or detect unauthorized access to sensitive files. Access controls should be formally developed, documented, disseminated, and periodically updated to provide reasonable assurance that information security resources are protected against unauthorized modification, disclosure, loss, or impairment.
There were 25 OIG findings related to access controls, grouped into four security control areas: Logical Access Rights (eight findings), Identification and Authentication (six), Remote Access (six) and Physical Security (five).
Network operations controls: OIG identified significant and pervasive findings regarding the need for formalized policies and procedures for network device management and patch management, among other findings.
Network operations controls consist of the policies and procedures used to maintain, manage, and secure the devices that connect to networks. Policies and procedures that keep devices up to date and properly configured, together with monitoring of network activity and devices for security and maintenance issues, are critical to the overall security and reliability of the network.
OIG said it identified 20 network operations control findings at 8 of the 10 State agencies it audited and grouped them into four security control areas: Network Device Management (nine findings), Patch Management (six), Antivirus Deployment (three) and Logging and Monitoring (two).
Officials from several State agencies said resource constraints had made information system security a lower priority, and they attributed the vulnerabilities themselves to a lack of formal policies and procedures.
This review aggregates findings from the individual reports that show serious vulnerabilities in the 10 States’ MMIS. The State agencies advised us, in their comments on the individual restricted reports on information system general controls, that they were addressing the vulnerabilities that we had identified. The fact that some of the vulnerabilities were shared among the 10 State agencies suggests that other State Medicaid information systems may be similarly vulnerable. Medicaid agencies’ management should make information system security a higher priority. We are continuing to conduct work in this area.