An Office of Inspector General (OIG) audit found the Virginia Medicaid Management Information System (MMIS) to have information security vulnerabilities.
“Virginia did not adequately secure its Medicaid data and information systems, which potentially compromised the integrity of its Medicaid program and could have resulted in unauthorized access to and disclosure of Medicaid beneficiary information,” OIG stated in its report.
The Virginia Department of Medical Assistance Services (DMAS) administers or supervises the administration of Virginia’s Medicaid program. OIG explained that DMAS uses an outside contractor to develop and operate the Virginia Medicaid claims processing system.
“Virginia’s Medicaid program processed $8.2 billion in claims for 1,277,214 beneficiaries in fiscal year (FY) 2015,” the report authors wrote. “The Virginia Information Technology Agency (VITA) supports the DMAS Medicaid Management Information System (MMIS) by providing cybersecurity, information technology (IT) infrastructure services, and IT governance.”
VITA uses NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations, as its security standard, and it requires state agencies to follow that publication statewide.
The NIST special publication covers numerous control families, including access control, contingency planning, risk assessment, and security assessment and authorization.
For example, NIST maintains that “a risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance” is necessary.
There should also be “procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.” This includes reviews and updates to the risk assessment policy and risk assessment procedures.
While OIG did not specify what the vulnerabilities were because of the sensitive nature of the information, the report said DMAS had insufficient “controls over its Medicaid data and information systems.” As a result, according to OIG, DMAS could not ensure that its contractor implemented the security requirements in its contract.
Specifically, OIG recommended the following areas be improved for Virginia to strengthen its Medicaid security:
- System and information integrity controls
- Risk management process
- Access and authentication controls
- Audit and accountability controls
- System and communications protection controls
- Configuration management controls
Virginia reportedly concurred with OIG’s recommendations and described the specific actions it would take to address them.
OIG reported similar issues about the Massachusetts Medicaid Management Information System (MMIS) earlier this year.
“MassHealth did not safeguard MMIS data and supporting systems in accordance with Federal requirements,” OIG wrote in the March 2017 report. “Specifically, MassHealth had vulnerabilities related to security management, configuration management, system software controls, and Web site and database vulnerability scans.”
In that case, OIG reviewed how MassHealth implemented Federal requirements and NIST guidelines in several areas, including the system security plan, risk assessment, data encryption, Web applications, vulnerability management, and database applications.
“We recommended that MassHealth implement our detailed recommendations to address the findings that we identified related to security management, configuration management, system software controls, and Web site and database vulnerability scans,” the report’s authors wrote.
Lax security measures and insufficient employee training can also lead to Medicaid data breaches.
The North Carolina Department of Health and Human Services (DHHS) reported a potential Medicaid data breach in 2015, where a DHHS employee "inadvertently sent an email to the Granville County Health Department without first encrypting it."
The unencrypted email reportedly contained a spreadsheet with Medicaid recipients’ protected health information (PHI), including first and last names, Medicaid identification numbers (MIDs), provider names and provider ID numbers, and other information related to Medicaid services.