OIG Identified Serious Security Failures at Arizona Managed Care Organizations

The Department of Health and Human Services’ Office of Inspector General (OIG) has issued a report on the findings of security audits at two managed care organizations (MCOs) in Arizona. OIG discovered serious security flaws in information systems that placed the confidentiality, integrity, and availability of Medicaid data and systems used to process Medicaid managed care claims at risk.

OIG conducted the audits to determine whether the Arizona Medicaid MCOs were adequately protecting their information systems and Medicaid data, and whether they were in compliance with Health Insurance Portability and Accountability Act (HIPAA) security requirements.

OIG discovered 19 security vulnerabilities in access controls and configuration management spanning 9 security control areas.

Five vulnerabilities were identified in the access controls category and 14 in the configuration management category. The affected control areas included access controls, administrative controls, patch management, antivirus management, database management, server management, website security, and the configuration of network devices. The vulnerabilities were collectively, and in some cases individually, significant, although OIG did not uncover any evidence that they had been exploited.

Examples of vulnerabilities in the access control category include the failure to disable user accounts for terminated employees in a timely manner and the lack of two-factor authentication for remote network access.

Examples of vulnerabilities in the configuration management category include the misconfiguration of firewall Secure Shell (SSH) session timeouts. The default idle timeout was 5 minutes, but at one of the MCOs it had been raised to 30 minutes. An idle timeout that long leaves an authenticated administrator session open long after the administrator has stopped using it, giving an attacker who reaches that unattended session up to half an hour in which to act with the administrator's privileges on the firewall.

The MCOs failed to apply patches on workstations promptly. Vulnerabilities that are left unpatched can be exploited to compromise systems and the data on them, as the May 2017 WannaCry outbreak demonstrated at the UK's National Health Service (NHS): the ransomware spread through a Windows SMB vulnerability for which Microsoft had released a patch two months earlier.

Antivirus software was not kept up to date at one of the MCOs: around half of its servers had out-of-date antivirus definitions, which could have allowed malware to be installed undetected. Unsupported software was still in use on three production servers at one MCO, and the claims processing database was not encrypted.
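As an added illustration of two of the control failures described above (accounts of terminated employees not disabled in a timely manner, and antivirus definitions left out of date on around half of one MCO's servers), the following Python script runs the kind of check an auditor performs. It is not code from the OIG report or from either MCO. It compares a constructed HR termination export against a constructed directory export and flags accounts that were not disabled within an assumed three-day grace period, and it computes the share of servers whose definitions are older than an assumed seven days. Every record, date and threshold below is constructed for the example.

```python
"""Offboarding and antivirus-definition hygiene checks.

Added example, not from the OIG report or the audited MCOs. The 3-day
grace period, the 7-day definition-age limit, the audit date and all
records below are constructed assumptions for illustration only.
"""
from datetime import date, timedelta

# Constructed "as of" date of the audit.
AS_OF = date(2017, 6, 13)

# Constructed HR termination export: username -> last working day.
TERMINATIONS = {
    "jdoe": date(2017, 6, 1),
    "asmith": date(2017, 6, 2),
    "bchen": date(2017, 6, 5),
    "kpatel": date(2017, 6, 12),
}

# Constructed directory export: username -> (account enabled?, date disabled or None).
ACCOUNTS = {
    "jdoe": (False, date(2017, 6, 1)),     # disabled on the last day: compliant
    "asmith": (False, date(2017, 6, 12)),  # disabled, but well past the grace period
    "bchen": (True, None),                 # still enabled after departure
    "kpatel": (True, None),                # left yesterday: still inside the grace period
    "mlee": (True, None),                  # current employee, not in the HR export
}

# Constructed antivirus console export: server -> date of last definition update.
AV_DEFINITIONS = {
    "app01": date(2017, 6, 13),
    "app02": date(2017, 5, 20),
    "db01": date(2017, 6, 12),
    "db02": date(2017, 4, 30),
    "web01": date(2017, 6, 13),
    "web02": date(2017, 5, 1),
}


def late_deprovisioning(terminations, accounts, as_of, grace_days=3):
    """Return {user: days_past_grace} for terminated users whose account was
    not disabled within grace_days of the termination date.

    An account that is still enabled is treated as 'disabled' on as_of, so
    the lag keeps growing until someone actually disables it.
    """
    findings = {}
    for user, term_date in terminations.items():
        enabled, disabled_on = accounts.get(user, (False, None))
        deadline = term_date + timedelta(days=grace_days)
        if enabled:
            effective = as_of
        else:
            effective = disabled_on if disabled_on else term_date
        if effective > deadline:
            findings[user] = (effective - deadline).days
    return findings


def stale_av_definitions(servers, as_of, max_age_days=7):
    """Return (sorted list of servers with definitions older than
    max_age_days, fraction of the fleet that is stale)."""
    stale = sorted(name for name, updated in servers.items()
                   if (as_of - updated).days > max_age_days)
    return stale, len(stale) / len(servers)


if __name__ == "__main__":
    for user, lag in late_deprovisioning(TERMINATIONS, ACCOUNTS, AS_OF).items():
        print(f"account {user}: disabled {lag} day(s) after the grace period")
    stale, fraction = stale_av_definitions(AV_DEFINITIONS, AS_OF)
    print(f"stale AV definitions on {len(stale)} server(s) "
          f"({fraction:.0%} of fleet): {', '.join(stale)}")
```

Both checks deliberately work from exports rather than live directory or console queries, so the same script can be run against evidence collected during an audit. Tightening the grace period or definition-age limit is a one-argument change.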

The auditors found that in three security control areas, which accounted for 10 of the 19 vulnerabilities identified, similar vulnerabilities were present at both audited MCOs.

The discovery of similar security vulnerabilities at both MCOs strongly suggests that other MCOs in the state, and potentially nationwide, could have the same weaknesses. OIG also notes that the federal regulations covering the security of Medicaid data differ depending on who holds the data. That inconsistent application of security requirements between state agencies and MCOs affects state-MCO relationships nationwide and increases the risk of exposure of Medicaid data.

OIG recommended that the CMS conduct a documented risk assessment to determine how the disparate application of Federal security requirements creates cybersecurity risks for Medicaid data maintained by MCOs, and that the CMS identify actions that could be taken to address the security gaps.

OIG also recommended that the CMS inform all state agencies of the findings of the audits, to raise nationwide awareness of the cybersecurity weaknesses identified.

The CMS did not concur with the OIG recommendation to conduct a documented risk assessment. “CMS stated that a risk assessment is already a requirement under the jurisdiction of the HHS Office for Civil Rights (OCR) and it would be duplicative of existing risk assessment efforts.”

OIG noted that since the issue concerns the Medicaid program and OCR is not responsible for the disparate application of Federal security requirements, the CMS is in the best position to ensure that security requirements are consistently applied to protect Medicaid data, regardless of who holds the data. The CMS did concur with the recommendation to notify state agencies about the cybersecurity vulnerabilities uncovered by the audits.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.