The Massachusetts Medicaid Management Information System (MMIS) was not adequately protected, which could have compromised the integrity of the state’s Medicaid program, according to a recent Office of Inspector General (OIG) report. These IT weaknesses were found in the State Medicaid program (MassHealth).
“MassHealth did not safeguard MMIS data and supporting systems in accordance with Federal requirements,” OIG explained in its report. “Specifically, MassHealth had vulnerabilities related to security management, configuration management, system software controls, and Web site and database vulnerability scans.”
Had the vulnerabilities been exploited, there may have been “unauthorized access to, and disclosure of, sensitive information, as well as disruption of operations critical to MassHealth.”
Furthermore, the confidentiality, integrity, and availability of MassHealth’s MMIS could have been compromised.
For its investigation, OIG reviewed how MassHealth implemented Federal requirements and National Institute of Standards and Technology (NIST) guidelines within several areas, including system security plan, risk assessment, data encryption, Web applications, vulnerability management, and database applications.
As OIG noted, MMIS mainly supports Medicaid claims processing, recovery of claims’ reimbursement from third parties, managed care, the provider self-service portal, and healthcare authorization services.
MMIS also supports more than 1.67 million beneficiaries, and processed approximately $13.8 billion in fiscal year 2015, the report stated.
“We recommended that MassHealth implement our detailed recommendations to address the findings that we identified related to security management, configuration management, system software controls, and Web site and database vulnerability scans,” the report’s authors wrote.
In response, MassHealth “did not explicitly” agree or disagree with OIG’s findings. MassHealth also listed corrective actions that it had already taken or planned to take to remediate the vulnerabilities found, according to OIG.
“MassHealth questioned the number of computers associated with one finding,” the report read. “MassHealth did not provide supporting documentation to dispute our analysis.”
Toward the end of 2016, OIG had similar findings in its investigation of the Colorado Department of Health Care Policy and Financing (HCPF) information systems.
OIG reported that HCPF did not fully comply with Federal information system security requirements when it came to safeguarding its Medicaid eligibility determination and claims processing systems.
The investigation reviewed HCPF’s risk assessment, database security, Web site security, and USB device security for its Medicaid eligibility determination and claims processing information systems.
“We identified vulnerabilities related to inadequate risk assessment policies and procedures, improper administration of the Medicaid claims database, inadequate security of Medicaid databases, inadequate Web site security, and improper management of USB ports and devices,” OIG stated in its report.
A lack of proper safeguards could leave systems vulnerable to unauthorized individuals who may attempt “to commit fraud, waste, or abuse or launch attacks against other computer systems and networks,” OIG added.
HCPF should address the risk assessment vulnerabilities that were found, along with the database administration and security weaknesses, the agency recommended. Furthermore, HCPF should ensure that it strengthens its Web site security and USB port and device security for its Medicaid eligibility determination and claims processing information systems.
Lackluster data security measures in Medicaid programs can potentially lead to data breaches.
For example, the North Carolina Department of Health and Human Services (DHHS) reported two potential Medicaid data breaches in two years’ time.
The second incident was reported in 2015, and happened when a DHHS employee "inadvertently sent an email to the Granville County Health Department without first encrypting it," agency spokeswoman Kendra Gerlach said at the time.
The unencrypted email reportedly contained a spreadsheet with approximately 1,615 Medicaid recipients’ PHI, including first and last names, Medicaid identification numbers (MID), provider names and provider ID numbers, and other information related to Medicaid services.