OIG: New Mexico did not adequately secure Medicaid data, systems
The State of New Mexico has not adequately secured its Medicaid data and information systems in accordance with federal requirements, potentially putting sensitive data and its operations at risk, according to an audit by the Department of Health and Human Services' Office of Inspector General.
While OIG reveals that the state adopted a security program for its Medicaid eligibility systems, auditors identified system vulnerabilities because the New Mexico Human Services Department did not implement sufficient controls in its program.
“Although we did not identify evidence that the vulnerabilities had been exploited, exploitation could have resulted in unauthorized access to, and disclosure of, sensitive information, as well as in disruption of New Mexico's critical operations,” state the OIG report. “As a result, the vulnerabilities were collectively and, in some cases, individually significant and could have potentially compromised the confidentiality, integrity and availability of New Mexico's eligibility systems.”
The New Mexico Human Services Department (HSD) administers the eligibility systems for entitlement programs through the Automated System Program and Eligibility Network (ASPEN), which was designed to improve public access to services through the Internet and to provide HSD field staff with more efficient and technically advanced tools. However, auditors said they selected HSD for review bcause of “inherent risks” related to the agency’s migration of its legacy eligibility systems to ASPEN in 2014.
“We also considered the numerous risks related to HSD’s security controls over the eligibility systems for entitlement programs that were identified during a previous audit,” states the report.
Based on its review of HSD’s information system general controls, OIG recommended that the agency implement changes to its security program for the Medicaid eligibility system.
In written comments to OIG’s report, HSD concurred with all of the audit findings and detailed corrective actions that it has taken or plans to take. Nonetheless, the state agency did not concur with one of the report’s recommendations having to do with a compensating control, noting that they elected to accept all associated risks.
“We continue to recommend that HSD implement our recommendation. However, if HSD continues to rely on its compensating control, then we recommend that HSD conduct a full risk assessment and accept all related risks in accordance with federal requirements,” conclude auditors.
The state agency was not immediately available for comment.