OIG Audit Reveals High Risk Security Vulnerabilities at 3 Medi-Cal MCOs

The Department of Health & Human Services Office of Inspector General has recently published the results of information system reviews conducted on three Californian Medicaid managed-care organizations (MCOs).

OIG Audits Reveal 74 High Risk Security Vulnerabilities at 3 Medi-Cal MCOs

The OIG audits revealed numerous, significant security vulnerabilities at the three Medi-Cal MCOs being assessed.

In total, 74 high-risk security vulnerabilities were discovered across 14 separate security control areas. Many of the vulnerabilities existed at all three Medi-Cal MCOs, suggesting that similar security vulnerabilities may well exist at all Medi-Cal MCOs. Each of the vulnerabilities had the potential to place patient data at risk of exposure. In some cases, the security vulnerabilities were extremely serious.

The vulnerabilities were categorized into three broad areas: access controls, security management, and configuration management.


Access Management Controls

Access controls included password and login controls, database security controls, the use of backup storage media, and portable device security. Physical security controls to protect devices and systems, as well as the management of remote network access and Wi-Fi networks were also covered in this category.

In total, 31 separate access control security vulnerabilities were discovered during the audits. Ten of those vulnerabilities related to the use of portable and backup media such as flash drives. These devices are all too easily lost or stolen, yet the data stored on them were not encrypted.

Database controls were also discovered to be lacking. One of the MCOs had not encrypted its database, while access logs were not kept. This made it impossible to review who had accessed sensitive data.

When individuals leave an organization, policies must exist to terminate their logins and to disable inactive accounts. One of the MCOs under test was not terminating access to systems in a timely manner.

WLAN activity was also not logged by one entity, while no restrictions were put in place on the websites that could be accessed. Two-factor authentication was not employed by one MCO for remote network access. One MCO did not securely store backup devices off site.

Security Management Controls

Security management controls included system security plans, contingency planning, disposal of devices used to store data, sanitization of data, and background checks on new members of staff. Fourteen separate vulnerabilities were discovered in this category.

Disaster recovery plans and contingency planning were discovered to be inadequate at one of the audited MCOs. One MCO had not performed a security control review of its claims processing system, while the disposal and sanitization of devices were not effectively tracked, in particular for portable storage devices such as flash drives.

While it was not established whether a background check had actually been conducted, there was no documentation to show that a director of technology and security had been subjected to a background check prior to being awarded the position.

Configuration Management Controls

Configuration management included the setup of network devices, out-of-date software, administration and management of software patches, and antivirus management. Twenty-nine vulnerabilities existed in this category.

One MCO failed to perform timely updates of anti-virus software definitions. Software programs were not updated to the latest version within a reasonable time frame by one MCO, potentially allowing systems to be attacked via a well-known vulnerability. The installation of software patches was also discovered not to be properly managed, resulting in security vulnerabilities remaining unaddressed for an excessive period of time.

Alarmingly, one of the MCOs had not securely configured its router, allowing an attacker to view and intercept data, including user passwords. The router had a clear-text protocol enabled to allow the monitoring and management of network devices by network administrators. This serious security vulnerability potentially placed all ePHI at risk.

Medicaid Managed-Care Organizations Must Strengthen System Security to Safeguard Sensitive Data

Out of the 14 subdivisions within the above three general control categories, six contained vulnerabilities that were shared by all three audited Medi-Cal organizations. These shared vulnerabilities accounted for 53 of the 74 security vulnerabilities discovered.

According to the report, the number of shared vulnerabilities “raise concerns about the integrity of the systems used to process Medicaid managed-care claims.” While it was not possible to determine whether all Medi-Cal MCOs have the same security vulnerabilities as those audited, OIG concluded that many of the vulnerabilities are significant, systemic, and pervasive, and could potentially exist at all Medi-Cal MCOs.

Consequently, all MCOs should assess their organizations for potential risks and take action to mitigate any security risks discovered.

The full report can be downloaded here.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.