Governance & Risk Management , Healthcare , Incident & Breach Response

HHS OIG Finds Security Flaws in Maryland's Medicaid System

Findings by Watchdog Agency Similar to Problems Previously Cited in Other States
HHS OIG Finds Security Flaws in Maryland's Medicaid System

Maryland's Medicaid system has "numerous significant" security weaknesses that need to be addressed, according to a recent federal watchdog agency review. Earlier audits of other state Medicaid programs have yielded similar results.

See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm

While the report released on Tuesday by the Department of Health and Human Services' Office of Inspector General did not specify the kinds of vulnerabilities identified, the agency notes Maryland did not adequately secure its Medicaid data and information systems in accordance with federal requirements and guidance.

The recent Maryland Medicaid review is one of a number of reviews HHS OIG is conducting of states' computer systems used to administer HHS-funded programs, the watchdog agency notes in the report.

Report Findings

OIG says that although Maryland had adopted a security program for its Medicaid Management Information System, numerous significant system vulnerabilities existed.

"These vulnerabilities remained because Maryland did not implement sufficient controls over its MMIS data and information systems," the report notes. "Although we did not identify evidence that anyone had exploited these vulnerabilities, exploitation could have resulted in unauthorized access to and disclosure of Medicaid data, as well as the disruption of critical Medicaid operations. These vulnerabilities were collectively and, in some cases, individually significant and could have compromised the integrity of Maryland's Medicaid program."

Common Problems?

OIG's findings of security weaknesses in Maryland's Medicaid system are not unusual. The watchdog agency, in many of its previous reports, has cited a variety of vulnerabilities it identified during periodic assessments of other states' Medicaid systems.

For instance, the OIG's reports last year on the security of Massachusetts' and Virginia's Medicaid systems also cited various weaknesses, including security management, configuration management, and website and database vulnerability scans.

Important Messages

OIG's findings in Maryland, as well as in its previous security reviews of other states' Medicaid systems, send several important messages to other organizations, says former healthcare CIO David Finn, executive vice president of strategic innovation at security consultancy CynergisTek.

"First, there is no such thing a 'perfect' security. Security is a journey, not a destination. It must be adjusted to a myriad of ongoing occurrences both inside and outside of any organization. It is never complete," he says.

"Second, the fact that these inspectors or 'watchdog' groups keep finding issues or weaknesses, is a good thing - if that is what it takes to get it fixed. But it means the agencies themselves are not doing what we all should be doing: an ongoing risk management process," he adds.

The OIG audits are helpful to the public, security experts note.

"What I take away from this is that auditors need to keep auditing in order to shine a light on organizations with weaknesses. That process creates visibility and hopefully accountability to address weaknesses before criminal exploit them," says Keith Fricke, principal consultant at tw-Security.

"I have the same concerns about weak Medicaid systems as I do any other system with PHI in any healthcare organization - weak security can lead to breaches, many of which could have been prevented."

Medicaid Breaches Reported

An Aug. 15 search by Information Security Media Group of "Medicaid" on HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website shows only three major breaches involving state Medicaid agencies impacting a total of about 6,600 individuals. Also commonly called the "wall of shame" the website lists reports since 2009 of health data breaches impacting 500 or more individuals.

The HHS website, however, also shows a number of additional large breaches involving Medicaid data have also been reported by state agencies called by names other than "Medicaid."

For instance, in January, Florida's Agency for Health Care Administration, which regulates healthcare facilities and is responsible for administering Medicaid in that state, reported to OCR a phishing breach that impacted 30,000 individuals.

Among the largest breaches involving Medicaid data was a 2012 incident reported by the South Carolina Department of Health and Human Services impacting more than 228,000 individuals. That incident involved a state worker who in 2013 pleaded guilty to four counts of willful examination of private records by a public employee and one count of criminal conspiracy.


OIG's report on the Maryland security review notes that the watchdog agency made a number of recommendations for the state to improve its Medicaid security program in accordance with federal requirements.

"In written comments on our draft report, Maryland concurred with our recommendations and described actions that it had taken or plans to take to implement them," the report adds.

OIG did not reveal its recommendations to Maryland.

Upcoming OIG Reviews

HHS OIG notes in a recent update to its work plan, which is posted on its website, a number of other security-related reviews slated in the coming months.

That includes a review in fiscal 2019 of HHS operating divisions to identify cybersecurity vulnerabilities.

HHS OIG also plans to conduct a penetration test on the website and associated systems of the Affordable Care Act - also known as Obamacare - which are administered by HHS' Centers for Medicare and Medicaid Services.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.