Share this article on:
In response to recent data breaches, the chairmen of the U.S Senate Committee on Finance, the House Committee on Ways and Means, and the House Committee on Energy and Commerce requested the U.S. Government Accountability Office conduct a study of HHS’ Centers for Medicare and Medicaid Services (CMS) to assess its efforts to protect Medicare beneficiary data accessed by external entities.
The study had three main objectives: To determine the major external entities that collect, store, and share Medicare beneficiary data, to determine whether the requirements for protection of Medicare data align with federal guidance, and to assess CMS oversight of the implementation of those requirements.
The study revealed the CMS has only established security requirements that align with federal guidance for some external entities and oversight of the implementation of security controls by external entities has been inconsistent.
The CMS shares Medicare beneficiary data with three main types of external entities: Medicare Administrative Contractors (MACs), research organizations, and public or private entities that use claims data to assess the performance of Medicare service providers and equipment suppliers.
Each year, MACS process more than 1.2 billion Medicare fee-for-service claims and interact with over 1.5 million healthcare providers. Healthcare providers submit Medicare fee-for-service claims to the MACs, who check and process the claims.
In order to process claims, MACs require access to the CMS virtual data centers (VDCs) and connect directly to via the CMSNet telecommunications network. The VDCs contain personally identifiable information and protected health information of Medicare beneficiaries.
Researchers are provided with access to beneficiary data to study how healthcare services are provided to beneficiaries. That research benefits the public through the improved delivery of healthcare services. Researchers apply to the CMS and are granted access to the specific dataset necessary for the research.
Researchers are required to enter into a data use agreement with the CMS which details the data that will be accessed, for what purpose, how long, and the requirements to ensure confidentiality and protection of the data. They can either access the data electronically by connecting to the CMS’s Chronic Conditions Warehouse/Virtual Research Data Center (CCW/VRDC) via a secure network connection or receive copies of encrypted data sent via the U.S. mail.
Qualified entities that access claims data to assess the effectiveness of Medicare service providers and equipment suppliers can access the data via a Secure File Transfer System connection to the CCW/VRDC or can receive encrypted data via U.S. mail. They too are required to enter into a data use agreement with the CMS.
The GAO study revealed that requirements for implementing security controls in line with federal guidance have only been developed for MACs and qualified entities, but not for researchers as they are not CMS contractors. The failure to provide risk-based requirements for implementing security controls to researchers could mean security controls meeting CMS standards are not applied.
GAO also discovered that while an oversight program has been developed for the security of MAC data, there is no equivalent program for the data handled by researchers and qualified entities.
The lack of oversight of data security by those two types of external entities means the CMS cannot determine whether Medicare beneficiary data is being adequately protected.
While the CMS has overseen independent assessments of MACs which identify whether security controls have been implemented correctly, there has been inconsistent tracking and monitoring of vulnerabilities identified by those assessments and the actions taken to correct those issues. The CMS therefore cannot be sure that all security gaps have been addressed in a timely fashion.
- To ensure the security of Medicare beneficiary data, GAO has made three recommendations. The CMS should develop security guidance for researchers defining the minimum security controls that must be implemented and ensure the guidance is consistent with NIST guidelines.
- All findings of MAC assessments should be classified and tracked, and processes and procedures should be developed to ensure researchers and qualified entities have implemented information security controls.
- The CMS should also establish an effective oversight program for all external entities that access Medicare beneficiary data.
The CMS concurred with all three GAO recommendations.