OIG: Maryland did not adequately secure Medicaid system, data
The state of Maryland has not adequately secured its Medicaid Management Information System in accordance with federal requirements and guidance, potentially putting sensitive data and its operations at risk.
That’s the finding of an audit by the Department of Health and Human Services’ Office of Inspector General, which used vulnerability assessment scanning software to determine whether security-related vulnerabilities existed on selected MMIS supporting network devices, websites, servers, and databases.
“Although Maryland had adopted a security program for its MMIS, numerous significant system vulnerabilities existed,” states OIG’s report. “These vulnerabilities remained because Maryland did not implement sufficient controls over its MMIS data and information systems.”
At the same time, auditors reported that they did not identify evidence that anyone had exploited these vulnerabilities, while noting that “exploitation could have resulted in unauthorized access to and disclosure of Medicaid data, as well as the disruption of critical Medicaid operations” and adding that “these vulnerabilities were collectively and, in some cases, individually significant and could have compromised the integrity of Maryland’s Medicaid program.”
OIG recommended that Maryland improve its security program to secure Medicaid data and information systems in accordance with federal requirements.
In written comments to OIG’s report, Maryland concurred with the audit’s recommendations and described actions that it had taken or plans to take to implement them.
“The complete version of this report contains restricted information for official use only,” states OIG. “We did not review Maryland’s Medicaid administrative costs that resulted from the failed MMIS replacement project. At the time of our audit, Maryland was engaged in ongoing litigation with the contractor. Accordingly, we make no recommendations regarding those costs.”