An annual review of Medicare administrative contractors’ (MACs) information security programs has shown them to be ‘adequate in scope and sufficiency’, although a number of security gaps were found to exist.
The Social Security Act requires each MAC to have its information security program evaluated on an annual basis by an independent assessor. Each MAC must have the eight major requirements of the Federal Information Security Management Act of 2002 (FISMA) evaluated, in addition to the information security controls of a subset of systems.
The Department of Health and Human Services’ Office of Inspector General (OIG) is required to submit a report of the annual MAC evaluations to congress. The Centers for Medicare & Medicaid Services (CMS) contracted with PricewaterhouseCoopers (PwC) for this year’s evaluations.
The OIG report to congress shows that a total of 149 security gaps were discovered in the 2015 financial year, a marked increase from the previous year. In 2014, the same 9 MACs were evaluated and 16% fewer security gaps were discovered.
A security gap is defined as an incomplete implementation of FISMA or CMS core security requirements. The security gaps identified are ranked as high, medium, or low-risk, depending on their severity.
PwC identified 22 high-risk gaps, 46 medium-risk gaps, and 81 low-risk gaps. According to the OIG report, 9 percent of the high and medium-risk gaps were identified in the previous year’s evaluations and had not yet been addressed. Four out of the six repeat gaps were determined to be high risk in both 2014 and 2015.
While the number of gaps increased by 16%, OIG points out that the scope of the evaluations was greater this year, with additional controls assessed in the 2015 financial year. The average number of gaps per MAC was 17. The highest number of gaps identified at any one MAC was 25 and the lowest was 14.
The biggest FISMA problem areas were ‘policies and procedures to reduce risk’ and ‘periodic testing of information security’, which had 45 and 41 security gaps identified respectively across the 9 MACs. Fifteen security gaps were identified with ‘system security plans’. Gaps were identified across all the FISMA control areas that were tested.
OIG reports that each MAC had 4-7 gaps related to policies and procedures to reduce risk. The evaluations showed that the most common security gaps were policies and procedures related to mobile device encryption, platform patch management, and external information systems that did not meet CMS requirements.
Each MAC had four to six gaps related to periodic testing of information security controls, including the failure to consistently enforce change management procedures and deficient system security configurations. There were one to three gaps in system security plans, including the failure to consistently enforce access control procedures, the failure to review policies and procedures within 365 days of the previous review date, and having a system security plan that did not reflect the current operating environment.
Each MAC is responsible for developing its own corrective action plan to address the high and medium risk security gaps identified by PwC. Each MAC must ensure that each of the identified gaps is remediated in a timely manner.
OIG has recommended that CMS continue its oversight of MACs and ensure that each MAC remediates all of the identified high- and medium-risk gaps in a timely manner.