
OIG Uncovers Vulnerabilities in State Health Information Systems

An investigation of Colorado’s Department of Health Care Policy and Financing (HCPF) by the Department of Health and Human Services’ Office of Inspector General has revealed a number of security vulnerabilities that could potentially be exploited by hackers to gain access to personally identifiable information.

The vulnerabilities identified by OIG placed the confidentiality, integrity, and availability of Colorado’s Medicaid data at risk. No evidence was uncovered to suggest any of the vulnerabilities had already been exploited, although exploitation of the security weaknesses could have disrupted critical Colorado Medicaid operations.

OIG audited the information system general controls, policies, and procedures that HCPF had in place in July 2015, to assess how effective its general controls over computer operations were. OIG evaluated risk assessments, website security, database security, and USB device security for the Medicaid eligibility determination and claims processing information systems. The audit found vulnerabilities in all of those areas.

Medicaid databases were improperly administered, risk assessments were inadequate, Medicaid databases and websites lacked appropriate security controls, and HCPF had failed to adequately manage devices and USB ports. The lack of security controls posed a serious risk to the confidentiality, integrity, and availability of Colorado’s Medicaid eligibility determination and claims processing data and systems.


OIG made a number of detailed recommendations to address the vulnerabilities. HCPF concurred with all recommendations and will work with the Colorado Governor’s Office of Information Technology to ensure corrective action is taken to address the vulnerabilities in a timely manner.

Minnesota Health Insurance Marketplace Audited

Last month, OIG published a report on the Minnesota Health Insurance Marketplace (MNSure) which also revealed numerous database and website vulnerabilities. In this case, MNSure had implemented security controls, policies, and procedures intended to prevent vulnerabilities in its website, database, and associated computer systems. However, MNSure did not always comply with Federal and State information technology requirements when implementing those controls, policies, and procedures. MNSure had not formalized procedures for analyzing and sharing information about vulnerabilities, and weaknesses were identified in its website monitoring and penetration testing.

OIG made four recommendations to correct the vulnerabilities, but due to the sensitive nature of the findings, those recommendations were disclosed only to MNSure. MNSure concurred with only one of the recommendations, partially concurred with another, and did not concur with the remaining two. Nevertheless, MNSure is taking action to implement OIG’s recommendations.

Keeping security controls up to date and managing vulnerabilities is a major challenge, not just for health insurance exchanges, but all organizations. However, with hackers ready to take advantage of security vulnerabilities to gain access to healthcare systems and data, it is essential for vulnerabilities to be effectively managed.

Commercially available tools exist that allow organizations to scan for known vulnerabilities. Those tools should be used and plans developed to address any security weaknesses that are discovered in a timely manner. If vulnerabilities are allowed to persist, it is only a matter of time before they are exploited.
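The "timely manner" part is where many vulnerability-management programs fail: scan results are collected, but nothing tracks how long each open finding has been outstanding relative to its severity. The script below is an added illustration for this article, not tooling from OIG, HCPF, or MNSure. It parses a constructed scanner export (the finding titles, hosts, and dates are made up for the example) and reports which open findings have blown through an assumed per-severity remediation window, most-overdue first.

```python
"""Track scan findings against remediation deadlines.

Added illustration for this article; not tooling from OIG, HCPF or MNSure.
The findings, hosts, dates and SLA windows below are constructed.
"""
import json
from datetime import date, timedelta

# Assumed remediation windows in days per severity (a policy choice for the
# example, not something either audit prescribes).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed sample export, shaped like a scanner's JSON finding list.
SAMPLE_FINDINGS = json.dumps([
    {"id": "F-1", "host": "db01", "title": "Database accepts unauthenticated connections",
     "severity": "critical", "first_seen": "2015-07-01", "status": "open"},
    {"id": "F-2", "host": "web01", "title": "Obsolete TLS protocol version enabled",
     "severity": "medium", "first_seen": "2015-07-01", "status": "open"},
    {"id": "F-3", "host": "ws12", "title": "Removable USB storage not restricted",
     "severity": "high", "first_seen": "2015-06-10", "status": "open"},
    {"id": "F-4", "host": "web01", "title": "Missing HTTP security headers",
     "severity": "low", "first_seen": "2015-05-01", "status": "fixed"},
])


def load_findings(raw):
    """Parse the JSON export and validate the fields the triage relies on."""
    findings = json.loads(raw)
    for f in findings:
        if f["severity"] not in SLA_DAYS:
            raise ValueError(f"{f['id']}: unknown severity {f['severity']!r}")
        f["first_seen"] = date.fromisoformat(f["first_seen"])
    return findings


def deadline(finding):
    """Remediation due date: first observation plus the severity's SLA window."""
    return finding["first_seen"] + timedelta(days=SLA_DAYS[finding["severity"]])


def triage(raw, today):
    """Return open findings with due dates and days past SLA (0 if not yet due).

    `today` is an ISO date string so the result is reproducible.
    """
    as_of = date.fromisoformat(today)
    rows = []
    for f in load_findings(raw):
        if f["status"] != "open":
            continue  # closed findings drop out of the tracking list
        due = deadline(f)
        rows.append({
            "id": f["id"], "host": f["host"], "severity": f["severity"],
            "due": due.isoformat(),
            "days_overdue": max(0, (as_of - due).days),
        })
    # Most-overdue first, so the report leads with the oldest unresolved risk.
    rows.sort(key=lambda r: (-r["days_overdue"], r["id"]))
    return rows


def overdue_ids(raw, today):
    """IDs of open findings whose remediation deadline has already passed."""
    return [r["id"] for r in triage(raw, today) if r["days_overdue"] > 0]


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, "2015-07-31"):
        flag = f"OVERDUE by {row['days_overdue']}d" if row["days_overdue"] else "ok"
        print(f"{row['id']:5} {row['host']:6} {row['severity']:9} due {row['due']}  {flag}")
```

Run as-is, the report for 2015-07-31 shows the high-severity USB finding and the critical database finding both past their windows, while the medium TLS finding still has time left. In practice the same check would be wired to each scan import, with overdue rows escalated rather than just printed, and the SLA table would come from the organization's own remediation policy.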

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.