OIG Uncovers Vulnerabilities in State Health Information Systems


An investigation of Colorado’s Department of Health Care Policy and Financing (HCPF) by the Department of Health and Human Services’ Office of Inspector General has revealed a number of security vulnerabilities that could potentially be exploited by hackers to gain access to personally identifiable information.

The vulnerabilities identified by OIG placed the confidentiality, integrity, and availability of Colorado’s Medicaid data at risk. No evidence was uncovered to suggest any of the vulnerabilities had already been exploited, although exploitation of the security weaknesses could have disrupted critical Colorado Medicaid operations.

OIG conducted an audit of the information system general controls and the policies and procedures HCPF had in place in July 2015. The review was conducted to assess the effectiveness of its general controls over computer operations. OIG evaluated risk assessments, website security, database security, and USB device security for its Medicaid eligibility determination and claims processing information systems. The audit found that vulnerabilities existed in all of those areas.

Medicaid databases were improperly administered, inadequate risk assessments had been performed, Medicaid databases and websites lacked appropriate security, and HCPF had failed to adequately manage devices and USB ports. The lack of security controls posed a serious risk to the confidentiality, integrity, or availability of Colorado’s Medicaid eligibility determination and claims processing data and systems.

OIG made a number of detailed recommendations to address the vulnerabilities. HCPF concurred with all recommendations and will work with the Colorado Governor’s Office of Information Technology to ensure corrective action is taken to address the vulnerabilities in a timely manner.

Minnesota Health Insurance Marketplace Audited

Last month, OIG published a report on the Minnesota Health Insurance Marketplace (MNSure) which also revealed numerous database and website vulnerabilities. In this case, security controls, policies, and procedures had been implemented to prevent vulnerabilities in its website, database, and associated computer systems. However, MNSure did not always comply with Federal and State information technology requirements when implementing those security controls, policies, and procedures. MNSure had not formalized procedures for analyzing and sharing information about vulnerabilities, and weaknesses were discovered in its website monitoring and penetration testing.

Four recommendations were made to correct the vulnerabilities, but due to the sensitive nature of OIG’s findings, those recommendations were only disclosed to MNSure. MNSure only concurred with one of the recommendations, partially concurred with another, and did not concur with the other two. However, MNSure is taking action to implement OIG’s recommendations.

Keeping security controls up to date and managing vulnerabilities is a major challenge, not just for health insurance exchanges but for all organizations. However, with hackers ready to take advantage of security vulnerabilities to gain access to healthcare systems and data, it is essential that vulnerabilities be effectively managed.

Commercially available tools exist that allow organizations to scan for known vulnerabilities. Those tools should be used, and plans should be developed to address any security weaknesses that are discovered in a timely manner. If vulnerabilities are allowed to persist, it is only a matter of time before they are exploited.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
