OIG Uncovers ‘High-Risk’ Security Issues at State Medicaid Agencies
March 10, 2014 in News
There were “high-risk security vulnerabilities” present in 10 states’ Medicaid management information systems between 2010 and 2012, according to a recent report from HHS’ Office of the Inspector General, Health Data Management reports.
The report includes previously restricted findings from audits conducted in 10 unnamed states between 2010 and 2012 that focused on information systems’ general controls (Slabodkin, Health Data Management, 3/7). OIG said it decided to release the data in an effort to “increase public awareness” of such vulnerabilities and “strengthen system security” at CMS.
OIG divided the report findings into three categories:
- Access controls;
- Entity-wide controls; and
- Network operations controls.
In total, the report identified 79 problems in the 10 state agencies audited.
For entity-wide controls, OIG found:
- Eight states were not encrypting their data;
- Seven states did not have system security plans in place; and
- Two states had limited security configuration baselines.
For access control issues, OIG identified problems with:
- Identification; and
- User account management.
Of the 10 agencies audited:
- Six had errors in their remote access policies that could leave data vulnerable to breaches;
- Five had physical security problems; and
- Five had authentication and identification problems.
In addition, the report found that eight of the 10 audited Medicaid agencies had problems with network operations controls.
Specifically, problems included inconsistent or limited:
- Antivirus software;
- Policies for network device management;
- Software upgrading or “patching”; and
- User logs and monitoring (Brino, Government Health IT, 3/7).
The report stated, “The fact that some of the vulnerabilities were shared among the 10 state agencies suggests that other state Medicaid information systems may be similarly vulnerable” and that the offices should make security a “higher priority” (Health Data Management, 3/7).
OIG said that state Medicaid officials generally agreed with the audits and said they would be addressing the issues. The states also noted that limited resources make “information system security a lower priority” (Government Health IT, 3/7).