Last week, the Department of Health and Human Services’ Office of Inspector General released a report of an audit of Virginia Medicaid’s claims processing systems. The audit uncovered several vulnerabilities that left the data of Medicaid beneficiaries exposed. OIG investigators determined that Virginia had not secured its Medicaid data to an acceptable standard in line with Federal requirements.
The report does not detail the specific vulnerabilities OIG discovered, as that would potentially allow those flaws to be exploited, although full details of the findings of the audit have been submitted to the Department of Medical Assistance Services (DMAS) – the entity that administers and supervises the state Medicaid program. OIG has also provided DMAS with several recommendations for improving the security of its information systems.
The audit involved a review of information system general controls, including conducting staff interviews, reviewing policies and procedures and conducting a vulnerability scan of network devices, servers, databases and websites.
Even though a security program had been adopted for the DMAS Medicaid Management Information System (MMIS), several vulnerabilities had not been addressed. Those vulnerabilities were allowed to persist as a result of insufficient controls over Medicaid data and systems, and a lack of oversight over its contractors to ensure sufficient security measures had been applied.
The vulnerabilities were severe in some cases, potentially allowing Medicaid data to be accessed and critical Medicaid operations to be disrupted. Together, the vulnerabilities could have compromised the integrity of the Virginia Medicaid program. However, OIG uncovered no evidence to suggest that the vulnerabilities had already been exploited.
OIG made several recommendations in various areas including the risk management process, system and information integrity controls, audit and accountability controls, system and communication protection controls and configuration management controls. OIG also recommended access and authentication controls be augmented.
Virginia concurred with all of the recommendations and has developed an action plan to implement them and correct all vulnerabilities that have yet to be addressed.
While the specific vulnerabilities discovered by OIG were not disclosed in the report, they all fall within areas that other private and public sector organizations have experienced problems with in the past.
Recent healthcare data breaches have also resulted from unaddressed vulnerabilities in similar areas. The recent WannaCry ransomware attacks have shown that vulnerabilities can all too easily be exploited by threat actors.
Healthcare organizations should therefore conduct periodic risk assessments – as required by the HIPAA Security Rule – and conduct vulnerability scans to determine whether any vulnerabilities exist. Organizations must then ensure any identified vulnerabilities are addressed, prioritizing the critical vulnerabilities that have the highest potential of being exploited and those that are likely to cause the most damage.