The Department of Health and Human Services’ Office of Inspector General (OIG) has issued a report questioning the integrity of security systems at two managed care organizations (MCOs) in Arizona following security audits of the facilities. OIG is charged with identifying and combatting fraud, waste, and abuse in HHS’s programs. In their latest report, investigators discovered serious security vulnerabilities in information systems that placed the confidentiality, integrity, and availability of Medicaid data and systems used to process Medicaid managed care claims at risk at the MCOs.
As medical facilities, the Arizona Medicaid MCOs are required to be fully compliant with Health Insurance Portability and Accountability Act (HIPAA) security requirements. This requires them to have adequate technical, physical, and security safeguards in place to protect the integrity of protected healthcare information (PHI) at all times.
While performing the audit, OIG discovered 19 security vulnerabilities in access controls and configuration management spanning 9 security control areas: 5 vulnerabilities were identified in the access controls category and 14 in the configuration management category.
Vulnerabilities were noted in areas such as access controls, administrative controls, patch management, antivirus management, database management, server management, website security, and the configuration of network devices. The vulnerabilities were collectively and, in some cases, individually significant. OIG did not report any evidence that vulnerabilities had been exploited and patient data had been used for malicious purposes.
Examples of vulnerabilities in the access control category include the failure to disable user accounts for terminated employees in a timely manner and the lack of two-factor authentication for remote network access. Administrative safeguards such as these are required by HIPAA’s Security Rule, and failure to implement these controls not only puts patient data at risk, but may render HIPAA covered entities liable to pay huge fines for non-compliance with HIPAA rules.
Examples of vulnerabilities in the configuration management category include the misconfiguration of firewall Secure Shell (SSH) session timeouts. One example cited in the report involved the default timeout being changed from 5 minutes to 30 minutes at one of the MCOs. Such a long timeframe would allow an attacker to access the system using an authenticated administrator session that had not been terminated.
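To show how a configuration-management audit turns the timeout finding above into a repeatable check, the following added example (not from the OIG report or the MCOs) computes the effective idle timeout from OpenSSH-style `ClientAliveInterval` and `ClientAliveCountMax` settings and compares it with the 5-minute baseline; the report does not name the firewall vendor or its configuration syntax, so the OpenSSH format and the two sample configs are assumptions constructed here.

```python
"""Check SSH idle-session timeouts against a 5-minute baseline."""
import re

# Baseline from the finding: the 5-minute default was raised to 30 minutes.
MAX_IDLE_SECONDS = 5 * 60

# Constructed sample configs (OpenSSH sshd_config syntax is an assumption).
COMPLIANT_CONFIG = """
# probe every 60s, drop after 5 unanswered probes: 300s idle limit
ClientAliveInterval 60
ClientAliveCountMax 5
"""

MISCONFIGURED_CONFIG = """
# probe every 300s, drop after 6 unanswered probes: 1800s (30 minutes)
ClientAliveInterval 300
ClientAliveCountMax 6
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: value}; like sshd, the first value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def effective_idle_timeout(settings):
    """Seconds before an idle session is dropped, or None if never."""
    interval = int(settings.get("clientaliveinterval", 0))  # sshd default 0
    count = int(settings.get("clientalivecountmax", 3))     # sshd default 3
    if interval == 0:
        return None  # keepalive probes disabled: idle sessions persist
    return interval * count


def check_idle_timeout(text, limit=MAX_IDLE_SECONDS):
    """Return (compliant, reason) for one configuration text."""
    timeout = effective_idle_timeout(parse_sshd_config(text))
    if timeout is None:
        return False, "idle timeout disabled (ClientAliveInterval 0)"
    if timeout > limit:
        return False, f"idle timeout {timeout}s exceeds baseline {limit}s"
    return True, f"idle timeout {timeout}s within baseline {limit}s"
```

Note that a config with no keepalive settings at all is reported as non-compliant, since an idle administrator session would then never be terminated.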
OIG investigators discovered that MCOs failed to apply patches on workstations promptly. If vulnerabilities persist, they can be exploited to gain access to data as the May 2017 WannaCry attacks on the UK’s National Health Service (NHS) clearly demonstrated.
In a huge security oversight, it was found that one of the MCOs' systems ran outdated antivirus software, and around half of its servers had out-of-date antivirus definitions. Out-of-date software could allow malware to be installed undetected. Unsupported software was still in use on three production servers used by one MCO, and no encryption was used on the claims processing database.
The auditors found that in three security control areas, which accounted for 10 of the 19 vulnerabilities identified, similar vulnerabilities were present at both audited MCOs.
As both MCOs had similar security failings, it is not unreasonable to hypothesise that other MCOs in Arizona, or potentially nationwide, may have the same security vulnerabilities. OIG also notes that federal regulations covering the security of Medicaid data differ depending on who holds the data. The different application of security measures by state agencies and MCOs could affect state-MCO relationships nationwide and thus increase the risk of exposure of Medicaid data.
OIG investigators included several recommendations to the CMS in their report. They advised that a risk assessment should be conducted to determine how the disparate application of Federal security requirements creates cybersecurity risks for Medicaid data maintained by MCOs, and suggested the CMS identify actions that could be taken to address the security gaps.
OIG also recommended that the CMS should inform all state agencies of the findings of the audits to enhance nationwide awareness of cybersecurity weaknesses. Spreading awareness to other organisations will not only help prevent them from potentially being fined for violating HIPAA rules, but will encourage organisations to thoroughly audit their own data protection protocols and enhance their current security frameworks.
However, the CMS did not agree with OIG’s recommendation to conduct a documented risk assessment: “CMS stated that a risk assessment is already a requirement under the jurisdiction of the HHS Office for Civil Rights (OCR) and it would be duplicative of existing risk assessment efforts.”
“Since this issue resides in the Medicaid program and OCR is not responsible for the disparate application of Federal security requirements, OIG believes CMS is in the best position to ensure data security regulations are consistently applied to protect Medicaid beneficiaries’ data, regardless of where the data resides,” CMS officials added.