Security Weaknesses Found at Yet Another Healthcare AgencyOIG Report Cites Shortcomings That Apparently Are Widespread in the Sector
A federal watchdog agency review found that the Massachusetts Medicaid program needs to bolster its data security controls to better comply with federal requirements, including addressing weaknesses related to security management, configuration management and website and database vulnerability scans.
The Department of Health and Human Services' Office of Inspector General's report issued on March 14 provides an overview of the agency's audit of the information security controls at Massachusetts's Executive Office of Health and Human Services, which is responsible for administering the state's Medicaid program, MassHealth.
An OIG spokesman says the agency conducted its fieldwork for the MassHealth review from Sept. 28 through Oct. 8, 2015. The OIG report notes that MassHealth's information systems supported more than 1.67 million beneficiaries, and processed approximately $13.8 billion in fiscal year 2015.
The report notes that OIG focused its audit on MassHealth's web sites, databases and other supporting information systems. "We reviewed MassHealth's implementation of federal requirements and National Institute of Standards and Technology guidelines within the following areas: system security plan, risk assessment, data encryption, web applications, vulnerability management, and database applications."
In a statement provided to Information Security Media Group, a MassHealth spokesperson says, "MassHealth reviews and makes upgrades to ensure that the MMIS [Medicaid Management Information System] data and supporting systems are in compliance with federal requirements and consistent with the OIG's recommendations. It takes its responsibility to safeguard its members sensitive information seriously."
The MassHealth security weaknesses cited by OIG - including configuration management and security management - appear to be similar to findings in OIG's other reviews of systems at state or federal healthcare-related agencies, as well as their contractors.
For instance, a report issued by OIG in January that summarized the watchdog agency's annual review of nine contractors providing Medicare with administrative services found a variety of similar gaps (see HHS OIG: Medicare Contractors Struggle with Security Gaps).
In reference to the findings at MassHealth, the OIG notes that although it did not identify evidence that the state's vulnerabilities had been exploited, exploitation could have resulted in unauthorized access or disclosure of sensitive information, as well as disruption of operations. "As a result, the vulnerabilities were collectively and, in some cases, individually significant and could have potentially compromised the confidentiality, integrity and availability of MassHealth's [information systems]," the report states. "These vulnerabilities existed because MassHealth did not implement sufficient controls over its Medicaid data and information systems."
Kate Borten, president of security and privacy consulting firm The Marblehead Group, says the weaknesses OIG identified are troubling.
"This report points out that these vulnerabilities may not have resulted in breaches; nevertheless, these problems are very serious and must be addressed," she says. "This message is significant and leadership everywhere should take note."
Generally these type of findings "connote weaknesses in process, disciplined administration and a lack of active testing and monitoring of controls," says Mac McMillan, CEO of the security consulting firm CynergisTek. "These are common weak spots we see across the board with organizations, and it comes back to bite us as an industry over and over again with malware attacks and breaches."
The combination of the bureaucratic nature of the government and budget constraints may explain why these security areas are often weaknesses for many state and federal government agencies, says Keith Fricke, principal consultant at tw-Security.
"Technology changes at a very rapid pace, as do the vulnerabilities associated with new technologies," he says. "Federal and state governments have a lot of moving parts and complexities, making it difficult to keep up with the pace of technology change."
He contends there are "fundamental security practices that should be in place by now, such as basic and standard configuration management practices and scanning for vulnerabilities."
The security weaknesses OIG report spotlighted in its report on MassHealth, as well as in previous reviews of other government entities, are also common problem areas for healthcare organizations, Borten notes.
"Weak security management, along with configuration management and system software controls, covers a lot of territory, meaning that it's challenging to do it all and do it well," she says. "These broad topics often contain vulnerabilities at both the public and private sector organizations."
Other weaknesses cited by OIG in its MassHealth review - website and database controls - "are more discrete topics, and they are mainly technical areas where there are fairly straightforward solutions," Borten notes. "Vulnerability scanning is widely recognized as a standard component of a security program, so if it's not being done or if identified vulnerabilities are not being mitigated, that is a significant organizational issue."
Steps to Take
Government agencies, as well as private sector healthcare entities, can address the types of security weaknesses cited by OIG in the MassHealth review by taking several steps, Fricke says.
"Many vendors now offer combinations of products designed to provide protective and detective security capabilities," he says. "For example, next-generation firewalls often combine traditional firewall capabilities with intrusion prevention, granular web filtering and advanced anti-malware protection."
McMillan suggests entities automate their configuration management process. "Many of the configuration managers will apply a chosen standard and dynamically monitor for changes and provide alerts. Take advantage of advanced vulnerability scanning that can scan for policy and configuration settings, not just missing patches."
Also, endpoint protection software now includes anti-malware, application control, encryption and behavior heuristics, Fricke notes. "These combined technologies are often less costly that investing in discrete components of each feature, with the benefit of centralized management. Consequently, a larger collection of security technologies can be managed by less staff at a lower cost."
The OIG's report says that the watchdog agency suggested that MassHealth implement "detailed recommendations" to address its findings on security management, configuration management, system software controls, and website and database vulnerability scans.
The OIG also notes that in written comments on its draft report, "MassHealth did not explicitly express concurrence or noncurrence with our eight recommendations; however, it described corrective actions that it had taken or planned to take to remediate all the vulnerabilities."