
OIG: Healthcare Security Vulnerabilities at CA Facilities

By Elizabeth Snell

The Office of Inspector General (OIG) found high-risk security vulnerabilities, including weaknesses that put electronic protected health information (ePHI) at risk, at three California Medicaid managed-care organizations (MCOs).

Healthcare security vulnerabilities uncovered in OIG report

The vulnerabilities raise concern about the integrity of the systems that process Medi-Cal (California Medicaid) claims, OIG explained in its report.

“The integrity of the State agency’s Medi-Cal managed-care systems depends on the effectiveness of information system general controls, which are critical to the reliability, confidentiality, and availability of Medi-Cal data,” OIG wrote. “Without effective general controls, the State agency is not able to adequately safeguard sensitive Medi-Cal managed-care systems and data.”

In total, OIG found 74 high-risk security vulnerabilities in the information system general controls at the three MCOs. Most of those 74 vulnerabilities were deemed “significant and pervasive.”

  • In the access controls category, we identified 31 vulnerabilities related to portable and backup media, database security controls, password and login controls, wireless local area network controls, remote network access, and physical security controls.
  • In the configuration management category, we identified 29 vulnerabilities related to configuration of network devices, patch management, antivirus management, and out-of-date software.
  • In the security management category, we identified 14 vulnerabilities related to contingency planning, required system security plan elements, sanitization of data and disposal of devices, and background checks.

One example involved portable and backup media. OIG found that one MCO did not protect portable devices containing ePHI with appropriate encryption. Without encryption, a lost or stolen device exposes the ePHI it holds to unauthorized access.

“Organizations must implement mechanisms to encrypt and decrypt ePHI, including ePHI on portable devices,” OIG stated. “Encryption should be considered for backup media that are sent offsite for storage to secure data that could be lost or stolen in transit or at an alternate site.”

Eight vulnerabilities involved database security controls. For example, OIG said that one MCO did not encrypt its claims processing database, which holds ePHI.

Password and login controls were another problem area. Five vulnerabilities were identified, including one MCO that did not disable the user accounts of terminated employees in a timely manner, leaving those credentials usable after the employees had left.

“Without strong password and login controls, there is an increased risk of unauthorized access to sensitive data,” OIG wrote.

Configuration management was another area with many findings. Twenty-nine issues were found in total, 24 of them related to the configuration of network devices. According to OIG, this matters because network devices are integral to the security of the claims processing system.

“...failure to adequately secure these devices exposes a network and its resources to attacks on the confidentiality, integrity, and availability of sensitive information, such as ePHI.”

In terms of security management, OIG explained that an organization’s security control structure relies strongly on a comprehensive “program for security planning and management.” It is important to regularly assess risk, develop and implement effective security procedures, and also monitor the procedures’ effectiveness.

“Without effective entitywide general controls, business process application-level controls may be made ineffective by circumvention or modification,” the report stated.

For example, OIG found that one MCO did not have a system security plan and had not performed a security controls review of its claims processing system. Without those measures in place, the MCO's claims processing system may not be adequately secured.

Overall, the fact that the same security vulnerabilities were found at all three reviewed Medi-Cal MCOs suggests that other organizations could be in the same position with respect to data security. In response, the California agency said that it is working to address the vulnerabilities that were found.

To read the OIG report in full, click here.
