Cybersecurity , Fraud

HHS OIG Outlines Anti-Fraud, Security Actions

Report to Congress Describes Crackdowns, Investigations
HHS OIG Outlines Anti-Fraud, Security Actions

In its latest report to Congress, the Department of Health and Human Services' Office of Inspector General spotlights recent efforts to combat healthcare fraud and pinpoints how data security can be improved at several agencies within HHS.

See Also: Managing Identity, Security and Device Compliance in an IT World

The OIG's semi-annual report to Congress for the six-month period ending Sept. 30 comes on the heels of OIG last month issuing its work plan for fiscal 2016. The plan says OIG will more closely scrutinize HHS' Office for Civil Rights' oversight of the security controls that healthcare providers and business associates use to protect electronic patient information. It also says OIG will examine whether the Food and Drug Administration's oversight of hospitals' networked medical devices is sufficient to effectively safeguard associated electronic protected health information and ensure beneficiary safety.

Fighting Fraud

In its new report to Congress, OIG notes that it participated in "the largest nationwide Strike Force operation in history" related to fighting healthcare fraud.

The crackdown, disclosed in June, involved more than $700 million in potential false billings to Medicare and Medicaid and resulted in charges against 243 defendants (see 243 Charged in Medicare Fraud Scheme).

For the full 2015 fiscal year, OIG reports that it expects fraud-related recoveries of nearly $3.35 billion.

OIG's efforts related to payment fraud or errors also focused on Medicaid payment issues in several states, including Texas.

For instance, OIG notes that it determined that the Texas Medicaid program made incorrect HITECH Act electronic health record incentive payments to 38 hospitals totaling $15.3 million. Texas overpaid 26 hospitals a total of $13.9 million and underpaid 12 hospitals a total of $1.4 million, for a net overpayment of $12.5 million, OIG says. Texas provided information on corrective actions taken and actions to be implemented based on several OIG recommendations, OIG notes.

OIG also highlights in the report the case involving Joe White, the former CFO of the now defunct Shelby Regional Medical Center in Texas who was sentenced in June to serve to 23 months in federal prison, and ordered to pay $4.4 million in restitution after pleading guilty to making a false statement regarding the facility's qualifications for HITECH payments (see CFO Gets Prison Time for HITECH Fraud). OIG notes that White falsely certified to HHS that Shelby Regional met the meaningful use requirements, even though he was fully aware that Shelby Regional used the EHR system sparingly and did not meet the criteria for incentives.

Data Security Findings

The new report to Congress also spotlights various data security issues at several federal healthcare agencies that OIG identified in its audit reports.

For instance, OIG found inadequate security controls at some HHS operating divisions whose IT is managed by the Information Technology Infrastructure and Operations Office.

"Specifically, we reviewed controls over inventory management, patch management, antivirus management, event management, logical access, encryption, configuration management, Web vulnerability management, and Universal Serial Bus port control management," OIG reports. "We found that ITIO had not fully implemented or monitored some information security controls." OIG says ITIO concurred with detailed recommendations provided by OIG.

OIG also reports that it found various security issues during penetration testing of the Administration for Children and Families' computer networks and external Web applications.

"We assessed the ACF network's exposure to cyberattacks by performing penetration testing of its network and Internet-facing systems. Although we did not obtain unauthorized access to the ACF network, we identified issues that could lead to a cybersecurity incident involving ACF systems and data, given enough time and persistence by malicious computer hackers," OIG notes. Vulnerabilities were found in two primary areas: selected external Web applications and wireless networks. OIG provided detailed recommendations to ACF, and the agency concurred with all of them.

OIG also gives an update on previous findings that the Centers for Medicare & Medicaid Services needs to implement improved security controls over its Multidimensional Insurance Data Analytics System. MIDAS is a central repository for insurance-related data intended to provide reporting and performance metrics to HHS for various initiatives mandated by the Affordable Care Act (see OIG: Obamacare Data Repository Had Security Flaws).

"Although CMS had implemented controls to secure MIDAS and consumer personally identifiable information in the systems and databases we reviewed, we identified areas for improvement in MIDAS's information security controls," OIG states. "At the time of our field work, CMS had neither disabled unnecessary generic accounts in its test environment, encrypted user sessions, conducted automated vulnerability assessments that simulate known attacks, nor used a shared read-only account for access to the database that contained the PII," OIG notes.

CMS concurred with all of OIG's recommendations and reported that it remediated all vulnerabilities and addressed all findings identified before OIG issued its final report, OIG says. "We have since reviewed the supporting documentation and verified CMS's remediation," OIG writes in its report to Congress.

Timely Report

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says OIG's report to Congress is particularly timely.

"In light of the current environment of increased cyber attacks, including the massive OPM [Office of Personnel Management] breach, I think there is greater recognition that the federal government has to improve its own information security, in addition to requiring improvement in other. OIG's review is a reflection of this increased emphasis on information security," he says.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network