State Medicaid Agency Systems Have High Security Risk
An audit of Medicaid management information systems at 10 state agencies has found high-risk security vulnerabilities that affect their ability to sustain secure Medicaid systems. The report from the Department of Health and Human Services' Office of Inspector General concluded that these vulnerabilities "raise concerns about the integrity of the systems used to process Medicaid claims."
OIG reviewed information system general controls at 10 state agencies from 2010 through 2012 and identified "systemic" and "pervasive" high-risk vulnerabilities. "The integrity of the State agencies' Medicaid systems depends on the effectiveness of the information system general controls, which are critical to the reliability, confidentiality, and availability of Medicaid data," states the OIG report. "Without effective general controls, State agencies are not able to adequately safeguard sensitive Medicaid systems and data."
In the report, 79 individual findings were grouped into 15 security control areas within three information system general control categories: entity-wide controls, access controls, and network operations controls. In the area of entity-wide controls, OIG identified "significant and pervasive findings involving the need to develop or strengthen formal, comprehensive plans for system security, contingency planning, and configuration management," among other findings.
In the area of access controls, the report included frequently noted vulnerabilities related to logical access and user account management, login identification and authentication, and remote access. In the area of network operations controls, OIG identified "significant and pervasive findings regarding the need for formalized policies and procedures for network device management and patch management," among other findings.
"This review aggregates findings from the individual reports that show serious vulnerabilities in the 10 States' MMIS," states the report. "The State agencies advised us, in their comments on the individual restricted reports on information system general controls, that they were addressing the vulnerabilities that we had identified. The fact that some of the vulnerabilities were shared among the 10 State agencies suggests that other State Medicaid information systems may be similarly vulnerable. Medicaid agencies' management should make information system security a higher priority."