The North Carolina State Medicaid agency (State agency) did not implement necessary information system general controls to ensure proper Medicaid data security measures, according to an OIG report.
The State agency contracts with CSRA, Inc. for operating North Carolina’s Medicaid claims processing systems. OIG determined in its investigation that CSRA’s computer operations controls related to the state Medicaid program claims processing for State fiscal year 2016 created potential risk.
“We reviewed CSRA’s information system general controls relating to entity-wide security, access controls, configuration management, network device management, service continuity, mainframe operations, and application change control,” report authors explained. “The vulnerabilities that we identified increased the risk to the confidentiality, integrity, and availability of North Carolina’s Medicaid data.”
The potential vulnerabilities had not been exploited, OIG noted. Even so, should the vulnerabilities be exploited it “could result in unauthorized access to and disclosure of sensitive information, as well as disruption of critical North Carolina Medicaid operations.”
Proper safeguards are necessary to protect systems from malicious third parties who want “to obtain access in order to commit fraud or abuse or launch attacks against other computer systems and networks,” report authors wrote.
“We recommend that the State agency improve the protection of sensitive data on its Medicaid claims processing systems by working with CSRA to address the vulnerabilities identified during our audit to ensure compliance with Federal requirements,” OIG concluded. “The State agency concurred with our recommendations and described corrective actions that it had taken or planned to take.”
Earlier this week OIG released similar report findings on an investigation into the New Mexico Human Services Department (HSD). OIG discovered potential vulnerabilities in the HSD system that could lead to Medicaid data being exploited.
“Although HSD adopted a security program for its eligibility systems, we identified system vulnerabilities that potentially placed HSD’s operations at risk,” OIG revealed. “These vulnerabilities existed because HSD had not implemented sufficient controls over its Medicaid data and information systems.”
Federal agencies must ensure that their information systems are protected with appropriate and reasonable safeguards, especially when agencies store and/or transfer sensitive data – such as PHI or Medicaid data.
A NIST special publication released in July 2017 could assist organizations in assessing risk and strengthening their data security measures.
Entities must adopt a structured method of prioritizing programs, systems, and components based on their importance, NIST explained. Specifically, the Criticality Analysis Process Model is an approach that “can be used as a component of a holistic and comprehensive risk management approach that considers all risks, including information security risks.”
The International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27000 family of standards and the suite of NIST Special Publications can be paired with the Model as well.
“The need for criticality analysis within information security emerged as systems have become more complex and supply chains used to create software, hardware, and services have become extended, geographically distributed, and vast,” report authors said in the executive summary. “The first mention of criticality analysis in NIST publications is in NIST SP 800-53 Revision 4 (Rev 4), Security and Privacy Controls for Federal Information Systems and Organizations.”
The special publication draft is also designed to help organizations create a uniquely tailored criticality analysis, NIST cybersecurity expert Jon Boyens wrote in a blog post.
“We are developing this for the government, but we want it to be friendly and useful for the private sector,” Boyens said. “If they were using criticality analysis, they might have bought a 10-year supply of the crucial parts in advance, or would know that they'd need to do more testing of the aftermarket product. Without a proper analysis, they might not realize these vulnerable spots in the first place.”