
Review of Medicare Administrative Contractors Shows 8pc Annual Rise in Data Security Gaps

An annual review of Medicare administrative contractors (MACs) conducted by PricewaterhouseCoopers (PwC) on behalf of the Office of Inspector General revealed that 129 data security gaps existed in 2014, an increase of 8% on the previous year.

The Social Security Act requires the information security programs of all MACs to be assessed by an independent entity on an annual basis. This year PwC was contracted to assess all nine MACs on the eight major requirements of the Federal Information Security Management Act of 2002 (FISMA) in addition to the Centers for Medicare and Medicaid Services (CMS) core security requirements.

Data security gaps are defined as the incomplete implementation of FISMA or CMS core security requirements. Each data security gap is rated as high risk, medium risk, or low risk. For high and medium risk data security gaps, each MAC must develop an action plan to address the issues and the CMS is required to follow up and ensure that those data security gaps have been addressed. PwC discovered 18 high risk, 45 medium risk, and 66 low risk gaps. The average number of gaps per MAC was 14.

PwC discovered security gaps in each of the eight control areas. The biggest problem area was the periodic testing of information security controls, with 38 gaps discovered, followed by policies and procedures to reduce risk, with 36 gaps. A further 16 gaps were discovered in system security plans.


Some security gaps identified in the 2013 assessment had not been properly addressed. In total, PwC identified 18 high and medium risk repeat gaps – 29% of the total discovered in 2014. Of those repeat gaps, 28% were rated as high risk in both the 2013 and 2014 reviews.

All nine MACs were discovered to have between three and six gaps relating to the periodic testing of information security controls. The testing of patch management policies, password policies, and configuration management is essential to ensure compliance. Gaps included the failure to implement system component inventory processes in accordance with CMS requirements, system security configuration weaknesses, and other vulnerabilities uncovered using external network penetration testing.

According to the report, “Without a comprehensive program for periodically testing and monitoring information security controls, management has no assurance that appropriate safeguards are in place to mitigate identified risks.”

Security gaps that existed with policies and procedures to reduce risk included the failure to implement patches to address known vulnerabilities, system configuration checklists that did not meet CMS requirements, and the failure to implement compliant mechanisms to protect against malicious software.

PwC also discovered one to three gaps at each of the nine MACs relating to system security plans. Those gaps included the failure to review policies and procedures within a year, inconsistent enforcement of access control procedures, and the failure to provide a security plan to CMS.

The report concludes that CMS should continue its oversight visits and ensure that all MACs address all high and medium risk gaps in a timely manner, to prevent security vulnerabilities from being exploited and PHI and other sensitive data from being exposed.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.