GAO: Lack of security controls put Medicare beneficiary data at risk
The Centers for Medicare and Medicaid Services needs to improve its oversight of security controls for Medicare beneficiary data used by research organizations and qualified entities, according to an audit by the Government Accountability Office.
While CMS has developed security guidance for Medicare Administrative Contractors (MACs), GAO says the agency has not developed comparable guidance for research organizations such as colleges, universities and non-profit institutes, a gap that puts Medicare beneficiary data at risk.
“Without providing comprehensive, risk-based security guidance to researchers, CMS increases the risk that external entities possessing agency data may not have applied security controls that meet CMS standards,” states the audit.
In addition, the GAO found that although CMS has established an oversight program for the security of MAC data, it has not established a corresponding program to oversee security implementation by researchers and qualified entities.
Meanwhile, the data is widely shared: as of October 2017, auditors reported that 195 research entities had received Medicare beneficiary data, which they use to study how healthcare services are provided to beneficiaries, and 10 organizations had received the data as qualified entities.
“Without effective oversight measures in place for researchers and qualified entities, CMS cannot fully ensure that the security of Medicare beneficiary data is being adequately protected,” concluded auditors.
To address this inadequate oversight, GAO made three recommendations: that CMS develop additional guidance for researchers on implementing the security controls the agency requires, consistently track the results of independent assessments, and provide oversight of researchers and qualified entities.
In a written response to the report, the Department of Health and Human Services concurred with all three of the GAO’s recommendations.
Specifically, HHS indicated that it is “considering implementing processes and procedures that would be necessary to ensure that qualified entities and researchers have implemented information security controls during their agreements with CMS.”
Research organizations enter into data use agreements with CMS for access to specific sets of Medicare beneficiary data; these agreements specify which data can be accessed, for what purpose, and for how long.