State Medicaid Agencies Need to Improve Security Controls for MMIS and E&E Systems
Penetration tests conducted on ten State Medicaid Management Information Systems (MMIS) and Eligibility & Enrollment (E&E) systems have revealed they contain vulnerabilities that could potentially be exploited in sophisticated cyberattacks. The penetration tests were conducted on behalf of the Department of Health and Human Services’ Office of Inspector General (HHS-OIG) by a third-party penetration testing company between 2020 and 2022 to determine the effectiveness of information technology system controls in preventing attacks on web-facing MMIS and E&E systems.
The penetration tests were conducted in response to an increase in cyberattacks targeting MMIS and E&E systems. These systems are attractive targets as they contain significant amounts of valuable and sensitive data. HHS-OIG has observed an increase in multiple threat types targeting these systems, including ransomware attacks, phishing, and denial-of-service attacks. Between 2012 and 2023, at least six U.S. states have experienced cyberattacks that resulted in access being gained to significant amounts of Medicaid data, including an attack in Texas in 2021 that affected approximately 1.8 million individuals, a data breach in Utah that affected 780,000 Medicaid recipients, and a data breach in South Carolina that affected 228,000 Medicaid recipients.
The penetration tests simulated cyberattacks. While the security controls were found to be generally effective at blocking unsophisticated or limited cyberattacks, improvements are required to prevent more sophisticated attacks and persistent threats. The cybersecurity controls implemented by the nine states – Alabama, Illinois, Maryland, Massachusetts, Michigan, Minnesota, South Carolina, South Dakota, Utah – and Puerto Rico responded to and blocked some of the HHS-OIG’s simulated cyberattacks, but not others. Simulated phishing attempts were also conducted on a selection of employees to determine whether they had received adequate security awareness training.
The most common NIST security controls that were identified as ineffective in most of the audited states were website transmission confidentiality and integrity controls; flaw remediation controls to properly identify, report, and correct software flaws; information input validation controls to verify the validity or properly sanitize the information system input for public-facing systems; and error handling controls to prevent disclosure of information.
HHS OIG Exclusions List
What You Need To Know
Get The 6 Essentials Checklist For Compliance Officers
A link to your download will be sent to your email address
Your Privacy Respected
HIPAA Journal Privacy Policy
The common causes were developers and contractors that were unaware of government standards or industry best practices; the failure to securely configure and patch flaws in a timely manner; the failure to assess all components in MMIS and E&E systems (e.g. third party plug-ins and libraries); infective procedures for testing security controls; and delays in detecting, reporting, and fixing flaws in systems.
HHS-OIG made 27 recommendations to the nine states and Puerto Rico for improving security controls, policies, and procedures. The most common recommendations included: patching outdated servers; improving input sanitization on web servers; enhancing vulnerability detection tools; conducting periodic evaluations of the effectiveness of security controls; updating cryptographic settings; improving vulnerability management strategies; and ensuring server configurations support secure protocols
