Colorado’s Medicaid data may be at increased security risk because of vulnerabilities found in the Colorado Department of Health Care Policy and Financing (HCPF) information systems, according to a recent investigation by the Office of Inspector General (OIG).
HCPF did not fully comply with Federal information system security requirements for safeguarding its Medicaid eligibility determination and claims processing systems, OIG stated in its report summary.
HCPF administers or supervises the administration of Colorado’s Medicaid program, and uses outside contractors to develop and operate the state Medicaid eligibility determination and claims processing systems, OIG states in its report. It also relies on the Governor’s Office of Information Technology (OIT) to provide or contract necessary information system resources.
“Using the information systems managed by OIT, HCPF provided eligibility determinations for approximately 2.3 million Colorado Medicaid recipients and processed approximately 90.5 million claims in State fiscal year (SFY) 2015,” OIG found. “Total Medicaid claims in Colorado for SFY 2015 totaled approximately $6.4 billion.”
OIG set out to determine whether adequate security controls had been implemented, and assessed the effectiveness of information system general controls. The agency also reviewed HCPF’s risk assessment and its implementation of certain controls over Medicaid application database security, Web site security, and universal serial bus (USB) device security.
“In evaluating HCPF’s risk assessment, database security, Web site security, and USB device security for its Medicaid eligibility determination and claims processing information systems, we identified vulnerabilities related to inadequate risk assessment policies and procedures, improper administration of the Medicaid claims database, inadequate security of Medicaid databases, inadequate Web site security, and improper management of USB ports and devices,” OIG wrote in the report.
Exploitation of these vulnerabilities could have resulted in unauthorized access to sensitive information, or led to that information being inappropriately disclosed, OIG determined. Furthermore, a lack of proper safeguards could leave systems vulnerable to unauthorized individuals who may attempt “to commit fraud, waste, or abuse or launch attacks against other computer systems and networks.”
OIG recommended that HCPF address the risk assessment vulnerabilities it found, along with the database administration and security weaknesses. HCPF should also strengthen its Web site security and its USB port and device security for its Medicaid eligibility determination and claims processing information systems.
Medicaid data security risks can lead to widespread problems for any healthcare organization. Unfortunately, this is not the first time that OIG has investigated this type of potential vulnerability.
South Carolina’s Medicaid Management Information System (MMIS) was found to have a weak risk management process earlier this year.
OIG reported that MMIS data was not safeguarded properly per federal standards, the supporting systems were not properly secured, and there was not “an adequate risk management process that included contractor oversight.”
Overall, OIG highlighted what a strong risk management program should include:
- Provide contractor oversight
- Establish a security plan for the MMIS
- Implement media protection for laptop computers
- Meet Federal requirements for the security of software and data
- Adequately address vulnerabilities on network devices or Web sites
- Implement adequate security awareness and role-based training programs
In some cases, the security weaknesses found were significant, according to OIG.
“Although we did not find evidence that anyone had exploited these weaknesses, exploitation could have resulted in unauthorized access to and disclosure of beneficiaries’ electronic protected health information, as well as disruption of critical Medicaid operations,” OIG explained in its report.