OIG Finds Security Weaknesses in Two More Medicaid ProgramsWatchdog Agency Findings Highlight Familiar Shortcomings
Two new reports by a federal watchdog agency hit a familiar theme: Some state Medicaid systems have weaknesses that potentially put sensitive data and government operations at risk.
The Department of Health and Human Services Office of Inspector General recently issued two reports separately reviewing whether New Mexico and North Carolina each implemented adequate information system general controls for their Medicaid-related systems in accordance with federal requirements.
In both states, OIG found weaknesses that the watchdog agency declined to describe in the public reports due to sensitivity. But they appear to be similar to the kinds of issues OIG has previously spotlighted in several recent security reviews of other states' Medicaid systems, including Virginia and Colorado.
For instance, just as was noted in OIG's new reports about New Mexico and North Carolina, OIG's recent security reviews on Virginia and Colorado cited vulnerabilities that increased the risk to the confidentiality, integrity and availability of those states' Medicaid data.
The challenges that states face in securing the data and systems of Medicaid programs are similar to the woes faced by many healthcare entities, says Keith Fricke, principal consultant at tw-Security.
"States struggle with security weaknesses much the same way any organization in any industry does - keeping up with the criminals and vulnerabilities in new and existing technology, while managing budgetary constraints and competing priorities," he says.
New Mexico Flaws
In its review of New Mexico's Medicaid eligibility systems and data, OIG says it found the state's Human Services Division had not adequately secured its Medicaid data and information systems in accordance with federal requirements. "Although HSD adopted a security program for its eligibility systems, we identified system vulnerabilities that potentially placed HSD's operations at risk. These vulnerabilities existed because HSD had not implemented sufficient controls over its Medicaid data and information systems," OIG writes.
The watchdog agency notes that it selected New Mexico HSD for review "because of inherent risks" related to HSD's migration of its legacy eligibility systems to the Automated System Program and Eligibility Network, or ASPEN, in 2014. "We also considered the numerous risks related to HSD's security controls over the eligibility systems for entitlement programs that were identified during a previous audit conducted by the HHS OIG," the report notes.
In New Mexico, HSD administers the eligibility systems for entitlement programs through ASPEN, OIG notes. "HSD designed ASPEN to improve New Mexicans' access to services through the Internet and to provide HSD field staff with more efficient and technically advanced tools."
While OIG did not disclose in the public report its "detailed recommendations" to HSD to address the findings of the watchdog agency's security review of New Mexico's Medicaid eligibility system security program, OIG notes that HSD concurred with all the findings and described corrective actions that it had taken or plans to take.
"However, HSD did not concur with one of our recommendations and described a compensating control and that they elected to accept all risks related to the compensating control," OIG notes. "We continue to recommend that HSD implement our recommendation. However, if HSD continues to rely on its compensating control, then we recommend that HSD conduct a full risk assessment and accept all related risks in accordance with federal requirements."
North Carolina Weaknesses
Meanwhile, OIG's 2016 review of North Carolina assessed whether CSRA Inc., with which the state's Medicaid agency contracts to operate its claims processing systems, had implemented adequate information system general controls.
"The vulnerabilities that we identified increased the risk to the confidentiality, integrity and availability of North Carolina's Medicaid data," OIG writes.
"Although we did not identify evidence that the vulnerabilities had been exploited, exploitation could result in unauthorized access to and disclosure of sensitive information, as well as disruption of critical North Carolina Medicaid operations. As a result, the vulnerabilities are collectively, and, in some cases, individually significant and could potentially compromise the confidentiality, integrity or availability of North Carolina's Medicaid claims processing data and systems."
In addition, without proper safeguards, systems are not protected from individuals and groups with malicious intent to obtain access in order to commit fraud or abuse or launch attacks against other computer systems and networks, OIG writes.
OIG notes that it recommended that the state agency improve the protection of sensitive data on its Medicaid claims processing systems by working with CSRA to address the vulnerabilities identified during the audit.
The watchdog notes that the North Carolina Medicaid agency concurred with OIG's recommendations and described corrective actions that it had taken or planned to take.
Neither New Mexico nor North Carolina's Medicaid agencies immediately responded to Information Security Media Group's requests for comment on the OIG reports.
Fricke suggests that states can learn valuable data protection lessons from each other. "Within a company, departments tend to operate in silos. I suspect that between states, a similar mode of operation exists," he says. "Perhaps states could find ways to better share best practices to help secure their Medicaid programs."
Medicaid programs, which are co-funded by the states and the federal government - also often face budget restraints when it comes to security, Fricke notes. "Levels of security maturity likely vary between states," he says. "Skilled resources are likely a challenge to attract and retain because the private sector pays more."