HHS OIG Recommends Virginia Medicaid Address Security Gaps
Watchdog Agency Says Data, Operations Vulnerable
A federal watchdog agency is recommending that Virginia Medicaid, administered by the state's Department of Medical Assistance Services, or DMAS, address security weaknesses that could leave beneficiaries' data vulnerable to breaches and state Medicaid operations susceptible to disruption. Security experts say the audit's recommended improvements are needed at many healthcare organizations.
The Department of Health and Human Services' Office of Inspector General's report released May 19 notes that the agency did not include specific details of vulnerabilities identified during an audit of Virginia's Medicaid Management Information System because of "the sensitive nature" of the information.
The OIG's general recommendations to Virginia presented in the report, however, cover an array of security control areas - including access and authentication - that also have been frequently spotlighted by the watchdog agency's reviews of systems at other state or federal healthcare agencies, as well as their contractors (see HHS OIG: Medicare Contractors Struggle with Security Gaps).
In its report, OIG says it reviewed Virginia MMIS policies, procedures and information system general controls that were in place as of September 2015, determining that Virginia did not adequately secure its Medicaid data and information systems in accordance with federal requirements. "Virginia had adopted a security program for its MMIS, but numerous significant system vulnerabilities remained," the report states.
OIG notes that although it did not identify evidence that anyone had exploited the vulnerabilities, "exploitation could have resulted in unauthorized access to and disclosure of Medicaid beneficiary data, as well as the disruption of critical Medicaid operations." The vulnerabilities were collectively and, in some cases, individually significant and could have compromised the integrity of Virginia's Medicaid program, OIG adds.
OIG recommended that Virginia "improve its Medicaid security program to secure Medicaid data and information systems in accordance with federal requirements, provide adequate oversight to its contractor, and address the vulnerabilities identified during our audit."
Specifically, OIG recommended that Virginia enhance its Medicaid:
- Systems and information integrity controls;
- Risk management process;
- Access and authentication controls;
- Audit and accountability controls;
- System and communications protection controls;
- Configuration management controls.
OIG notes in the report that Virginia concurred with the agency's recommendations and described corrective actions that it had taken or planned to take.
The MMIS security control areas that OIG recommended Virginia bolster are also frequent trouble spots for healthcare sector entities and their business associates.
"These are common areas where audits reveal weaknesses in security controls," says Keith Fricke, principal consultant at tw-Security.
"In particular, the risk management process is often lacking, and this is something we've heard the HHS Office for Civil Rights say at conferences over the past six months," he notes. "A good and consistent risk analysis/risk management process would identify the security controls areas in need of attention and define the plan to address them."
With attacks on healthcare organizations continuing, weak access controls are especially worrisome, says Mac McMillan, president of security consulting firm CynergisTek.
"Given the recent incidents with WannaCry and other malware types, I'm always concerned when I see integrity and access control issues," he says. "Right now everyone needs to be diligent in basic management of security."
The OIG review of Virginia Medicaid is one in a series of OIG audits of the computer systems states use to administer HHS-funded programs. The report notes that Virginia's Medicaid program uses an outside contractor to develop and operate its claims processing system.
Virginia's Medicaid program processed $8.2 billion in claims for nearly 1.3 million beneficiaries in fiscal year 2015, the report notes.
The Virginia Information Technology Agency supports the state's DMAS Medicaid Management Information System by providing cybersecurity, information technology services and governance.
In a statement to Information Security Media Group, DMAS says it is "addressing the findings of the OIG and will meet the timeline established by our Director of Information Management."
In March, OIG released a review of Massachusetts' Medicaid information systems that found weaknesses in several areas, including security management, configuration management, and website and database vulnerability scanning.
Fricke notes that while the OIG's reviews of government agencies bring to light security vulnerabilities that need to be addressed by those entities, it's critical that private sector organizations also scrutinize their systems for similar weaknesses.
"With a good risk analysis and risk management process in place, healthcare sector organizations and business associates can identify risks and prioritize them," he says. "Often starting with medium-to-high ranked risks that are low-cost/low-effort to address gets results and creates momentum."