HHS OIG Finds Security Flaws in Maryland's Medicaid SystemFindings by Watchdog Agency Similar to Problems Previously Cited in Other States
Maryland's Medicaid system has "numerous significant" security weaknesses that need to be addressed, according to a recent federal watchdog agency review. Earlier audits of other state Medicaid programs have yielded similar results.
While the report released on Tuesday by the Department of Health and Human Services' Office of Inspector General did not specify the kinds of vulnerabilities identified, the agency notes Maryland did not adequately secure its Medicaid data and information systems in accordance with federal requirements and guidance.
The recent Maryland Medicaid review is one of a number of reviews HHS OIG is conducting of states' computer systems used to administer HHS-funded programs, the watchdog agency notes in the report.
OIG says that although Maryland had adopted a security program for its Medicaid Management Information System, numerous significant system vulnerabilities existed.
"These vulnerabilities remained because Maryland did not implement sufficient controls over its MMIS data and information systems," the report notes. "Although we did not identify evidence that anyone had exploited these vulnerabilities, exploitation could have resulted in unauthorized access to and disclosure of Medicaid data, as well as the disruption of critical Medicaid operations. These vulnerabilities were collectively and, in some cases, individually significant and could have compromised the integrity of Maryland's Medicaid program."
OIG's findings of security weaknesses in Maryland's Medicaid system are not unusual. The watchdog agency, in many of its previous reports, has cited a variety of vulnerabilities it identified during periodic assessments of other states' Medicaid systems.
For instance, the OIG's reports last year on the security of Massachusetts' and Virginia's Medicaid systems also cited various weaknesses, including security management, configuration management, and website and database vulnerability scans.
OIG's findings in Maryland, as well as in its previous security reviews of other states' Medicaid systems, send several important messages to other organizations, says former healthcare CIO David Finn, executive vice president of strategic innovation at security consultancy CynergisTek.
"First, there is no such thing a 'perfect' security. Security is a journey, not a destination. It must be adjusted to a myriad of ongoing occurrences both inside and outside of any organization. It is never complete," he says.
"Second, the fact that these inspectors or 'watchdog' groups keep finding issues or weaknesses, is a good thing - if that is what it takes to get it fixed. But it means the agencies themselves are not doing what we all should be doing: an ongoing risk management process," he adds.
The OIG audits are helpful to the public, security experts note.
"What I take away from this is that auditors need to keep auditing in order to shine a light on organizations with weaknesses. That process creates visibility and hopefully accountability to address weaknesses before criminal exploit them," says Keith Fricke, principal consultant at tw-Security.
"I have the same concerns about weak Medicaid systems as I do any other system with PHI in any healthcare organization - weak security can lead to breaches, many of which could have been prevented."
Medicaid Breaches Reported
An Aug. 15 search by Information Security Media Group of "Medicaid" on HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website shows only three major breaches involving state Medicaid agencies impacting a total of about 6,600 individuals. Also commonly called the "wall of shame" the website lists reports since 2009 of health data breaches impacting 500 or more individuals.
The HHS website, however, also shows a number of additional large breaches involving Medicaid data have also been reported by state agencies called by names other than "Medicaid."
For instance, in January, Florida's Agency for Health Care Administration, which regulates healthcare facilities and is responsible for administering Medicaid in that state, reported to OCR a phishing breach that impacted 30,000 individuals.
Among the largest breaches involving Medicaid data was a 2012 incident reported by the South Carolina Department of Health and Human Services impacting more than 228,000 individuals. That incident involved a state worker who in 2013 pleaded guilty to four counts of willful examination of private records by a public employee and one count of criminal conspiracy.
OIG's report on the Maryland security review notes that the watchdog agency made a number of recommendations for the state to improve its Medicaid security program in accordance with federal requirements.
"In written comments on our draft report, Maryland concurred with our recommendations and described actions that it had taken or plans to take to implement them," the report adds.
OIG did not reveal its recommendations to Maryland.
Upcoming OIG Reviews
HHS OIG notes in a recent update to its work plan, which is posted on its website, a number of other security-related reviews slated in the coming months.
That includes a review in fiscal 2019 of HHS operating divisions to identify cybersecurity vulnerabilities.
HHS OIG also plans to conduct a penetration test on the website and associated systems of the Affordable Care Act - also known as Obamacare - which are administered by HHS' Centers for Medicare and Medicaid Services.