The Department of Health and Human Services’ Office of Inspector General (OIG) found data security inadequacies upon auditing the North Carolina State Medicaid agency. According to the report, the State agency did not implement enough controls that guarantee the security of data and its Medicaid eligibility determination system. HHS is the overseer of federal programs including the Medicaid. As such, it is their responsibility to audit State agencies implementing the Medicaid program to ensure proper security system controls and adherence to federal requirements.
The OIG audit sought to determine if the state of North Carolina had adequate information system general controls for securing data and the Medicaid eligibility determination system. The Office of North Carolina Families Accessing Services Through Technology (NC FAST) was given the task to operate the NC Medicaid eligibility determination system. OIG audited NC FAST in terms of entity-wide security, access control, network device management, configuration management, mainframe operations, service ontinuity and application change control. Those controls were assessed in relation to the NC eligibility determination system for State fiscal year 2016.
Unfortunately, OIG reported that NC FAST failed to meet the requirements. OIG identified vulnerabilities that could put in jeopardy the confidentiality, integrity and availability of NC’s Medicaid eligibility data. Hackers could exploit the vulnerabilities to access sensitive information. A cyberattack could disrupt North Carolina Medicaid eligibility operations. Although there were collectively and individually significant vulnerabilities, there’s no evidence that would pinpoint to any system compromise or theft/access of sensitive information.
OIG recommended that the State of North Carolina should appropriately secure its Medicaid eligibility determination system. NC FAST needs to address nine identified vulnerabilities so that Federal standards are met. North Carolina did not directly address the vulnerabilities but agreed to take corrective steps to resolve the problems that OIG identified. Last year, North Carolina also failed to implement sufficient controls to secure its Medicaid claims processing systems. CRSA, Inc managed those systems. North Carolina also agreed to take corrective steps to address the problems.