OIG: Medicaid Lacks Info Security

Report Cites Vulnerabilities at 10 State Agencies

A new government watchdog report says dozens of high-risk security vulnerabilities found in information systems at 10 state Medicaid agencies should serve as a warning to other states about the need to take action to prevent fraud.

"The fact that some of the vulnerabilities were [the same at] the 10 state agencies suggests that other state Medicaid information systems may be similarly vulnerable," says a new report from the Department of Health and Human Services' Office of the Inspector General.

The March 2014 report was based on OIG reviews of information system general controls at 10 state agencies, conducted from 2010 through 2012; the report does not name the states.

Among the major areas of high-risk vulnerabilities commonly found among the states were the lack of a system security plan and inadequate encryption, access controls and network device management.

The report notes that while the vast majority of the agencies reviewed "acknowledged the vulnerabilities and committed to addressing them," OIG hopes the release of the findings "may increase public awareness of these pervasive vulnerabilities across state agencies and lead the Centers for Medicare and Medicaid Services and all states to strengthen system security."

Higher Priority

Asked to react to the findings, officials from several state agencies "pointed most frequently to resource constraints that made information system security a lower priority," the report notes. "Officials also described a lack of formal policies and procedures when explaining the causes of the vulnerabilities."

Nonetheless, OIG says "the effectiveness of these information system general controls directly affects the state agencies' ability to sustain secure Medicaid systems."

Besides addressing the vulnerabilities cited in the report, OIG recommends that "Medicaid agencies' management should make information system security a higher priority."

A lack of awareness and accountability at state agencies is the reason security is not a higher priority, says security expert Mac McMillan, CEO of consulting firm CynergisTek. "Leadership sets the priorities for organizations and in so doing creates its culture," he says. "Uninformed or misinformed leadership can and will make bad decisions or set the wrong priorities."

Report's Findings

The 10 states had a total of 79 individual findings, which OIG grouped into 15 security control areas within three major categories. Areas found to be problematic include:

  • Entitywide Controls: System security plan, encryption, contingency planning, configuration management, inventory tracking, risk assessments and security configuration baselines.
  • Access Controls: Logical access rights; identification and authentication; remote access; and physical security.
  • Network Operations Controls: Network device management; patch management; anti-malware deployment; and logging and monitoring.

McMillan says the OIG findings show common areas of vulnerability that are often overlooked at many state agencies, beyond Medicaid.

"We have seen these reports over and over again," he notes. "It all stems from a lack of a good, solid framework for security and an accreditation process to ensure there is accountability," he says. "When you look at the list, these are basic components of any security program."

Among the biggest risks presented by these vulnerabilities is fraud, he says. "Poor security, inadequate controls, lack of proactive monitoring all create a welcoming playground for the would-be identity thief and fraudster."

Problems Cited

When it comes to entitywide controls, the lack of a system security plan and inadequate use of encryption were common problems, according to the report.

For instance, in one case, the OIG found a state agency had not developed a formal, comprehensive system security plan that addressed the general support system and major application elements of the Medicaid information system. "Without a formal, comprehensive system security plan, state agencies could experience long-term consequences, including risks to data security, fraud and monetary loss," the report says.

OIG found one state agency had not encrypted the hard drives of 14 laptop computers, "leaving them susceptible to unauthorized access."

Regarding access controls, the OIG found, for example, that one state agency "had not established any formal policies regarding user account management and had not performed periodic reviews of network accounts to ensure that access was appropriately authorized and that accounts were properly configured," according to the report.

"Without periodically reviewing user accounts and user access, state agencies run the risk of allowing personnel to gain inappropriate access to sensitive Medicaid data and systems, access that could lead to improper activities."

Under the general category of network operations controls, the most common weak spot found was related to network device management. "One state agency had not implemented any formal policies and procedures for managing network devices," the report notes. "In the absence of formal network device management policies and procedures, administrators were using shared user accounts to administer the devices, and there was no formal process for implementing and tracking configuration changes to network devices."
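Both weaknesses in that finding, shared administrative accounts and untracked configuration changes, can be checked from saved configuration snapshots. The script below is an added example, not something from the OIG report or any agency; the device configuration lines are constructed in a Cisco IOS-like syntax, and the change register, its ticket number and the list of named administrators are assumptions.

```python
"""Network device configuration tracking over constructed snapshots.

Added example. Two checks on saved running-config snapshots:
  1. privilege-15 local accounts that are not tied to a named administrator
     (generic or shared logins), and
  2. configuration changes between snapshots that no approved change record
     accounts for.
Config syntax, ticket numbers and admin names are assumptions.
"""
import difflib
import hashlib
import re

# Constructed snapshots of one device's configuration on two consecutive days.
SNAPSHOT_MON = """\
hostname core-sw1
username admin privilege 15 secret 5 $1$placeholder
username netops privilege 15 secret 5 $1$placeholder
line vty 0 4
 transport input telnet ssh
 login local
"""
SNAPSHOT_TUE = """\
hostname core-sw1
username admin privilege 15 secret 5 $1$placeholder
username netops privilege 15 secret 5 $1$placeholder
username jsmith privilege 15 secret 5 $1$placeholder
ip route 0.0.0.0 0.0.0.0 10.0.0.254
line vty 0 4
 transport input ssh
 login local
"""

# Constructed change register: ticket -> the config lines it was approved to add/remove.
APPROVED_CHANGES = {
    "CHG-1042": {"+ transport input ssh", "- transport input telnet ssh"},
}
# Assumed: logins that map to an individual administrator; anything else is shared.
KNOWN_ADMINS = {"jsmith"}

_USERNAME_RE = re.compile(r"^username (\S+) privilege 15\b")


def config_fingerprint(config):
    """SHA-256 of the snapshot, the value a tracking system would store per capture."""
    return hashlib.sha256(config.encode()).hexdigest()


def shared_admin_accounts(config, known_admins=KNOWN_ADMINS):
    """Return privilege-15 local accounts not attributable to a named person."""
    found = set()
    for line in config.splitlines():
        m = _USERNAME_RE.match(line)
        if m and m.group(1) not in known_admins:
            found.add(m.group(1))
    return found


def config_diff(old, new):
    """Return the set of changed lines as '+ <line>' / '- <line>' strings."""
    changes = set()
    for line in difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm=""):
        if line.startswith(("---", "+++", "@@", " ")):
            continue  # file headers, hunk headers and context lines
        changes.add(f"{line[0]} {line[1:].strip()}")
    return changes


def unapproved_changes(old, new, register=APPROVED_CHANGES):
    """Changes between two snapshots that no approved ticket explains."""
    approved = set().union(*register.values()) if register else set()
    return config_diff(old, new) - approved


if __name__ == "__main__":
    print("shared admin accounts:", sorted(shared_admin_accounts(SNAPSHOT_TUE)))
    for change in sorted(unapproved_changes(SNAPSHOT_MON, SNAPSHOT_TUE)):
        print("unapproved change:", change)
```

On the constructed snapshots the generic `admin` and `netops` logins are reported as shared accounts on both days, the SSH-only change is matched to its ticket, and the new privileged user and the new default route surface as changes nobody approved. Storing the fingerprint with each capture is what lets an administrator prove which configuration was in place at a given time, which is the tracking the report found missing.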

Systemic Problems

The OIG report noted that the discovery of similar vulnerabilities in different states' Medicaid agencies "indicated that the vulnerabilities identified in these findings were systemic and pervasive."

But because OIG did not test all of the same information system general controls at each state agency and did not use a methodology that allows OIG to extrapolate its findings to all state agencies, "we cannot conclude that all Medicaid information system security environments have similar vulnerabilities," the report notes.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.