The South Carolina (State) Medicaid Management Information System (MMIS) did not have a strong risk management process, according to a recent report from the Office of Inspector General (OIG).
Specifically, MMIS data was not safeguarded properly per federal standards, and the supporting systems were also not properly secured. There was also not “an adequate risk management process that included contractor oversight,” according to OIG.
“Although we did not find evidence that anyone had exploited these weaknesses, exploitation could have resulted in unauthorized access to and disclosure of beneficiaries’ electronic protected health information, as well as disruption of critical Medicaid operations,” explained the report.
Furthermore, a comprehensive and adequate risk management program would include the following areas:
- Oversight of contractors
- A security plan for the MMIS
- Media protection for laptop computers
- Compliance with Federal requirements for the security of software and data
- Adequate remediation of vulnerabilities on network devices and websites
- Adequate security awareness and role-based training programs
The weaknesses found by OIG “were collectively, and in some cases, individually significant.” The report added that in some of the cases the integrity of the State’s Medicaid program could also have been compromised.
While OIG did not release its exact details of its findings because of the sensitive nature of the information, it did recommend ways for South Carolina to improve its MMIS risk management process.
We recommended that the State establish priorities and allocate the resources necessary to implement our detailed recommendations for improving the controls necessary to safeguard its Medicaid information and systems. We communicated with the State our findings on control weaknesses throughout the audit and before we issued our draft report.
South Carolina reportedly concurred with all of OIG’s recommendations and described the actions it will take to implement the changes needed to improve its risk management approach.
A lackluster risk management program, or approach to a risk assessment, could be greatly detrimental to a healthcare organization.
For example, toward the end of last year Lahey Clinic Hospital, Inc. (Lahey) agreed to an OCR HIPAA settlement where it paid $850,000.
The settlement was from a 2011 incident where an unencrypted laptop was stolen, potentially compromising the PHI of 599 individuals. According to OCR, Lahey failed to “conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI as part of its security management process.”
Similarly, just one month after that settlement, the University of Washington Medicine (UWM) agreed to a $750,000 fine as part of an OCR settlement. That case also involved an alleged lack of risk assessments, with OCR adding that UWM also did not appropriately respond to the potential risks and vulnerabilities in all of its affiliated entities’ environments.
“All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” OCR Director Jocelyn Samuels said in a statement. “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.”