HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Security Gaps Found in Virginia Medicaid Claims Processing Systems

Last week, the Department of Health and Human Services’ Office of Inspector General released a report of an audit of Virginia Medicaid’s claims processing systems. The audit uncovered several vulnerabilities that left the data of Medicaid beneficiaries exposed. OIG investigators determined that Virginia had not secured its Medicaid data to an acceptable standard in line with Federal requirements.

The report does not detail the specific vulnerabilities OIG discovered, as that would potentially allow those flaws to be exploited, although full details of the findings of the audit have been submitted to the Department of Medical Assistance Services (DMAS) – the entity that administers and supervises the state Medicaid program. OIG has also provided several recommendations for improving the security of its information systems.

The audit involved a review of information system general controls, including conducting staff interviews, reviewing policies and procedures and conducting a vulnerability scan of network devices, servers, databases and websites.

Even though a security program had been adopted for the DMAS Medicaid Management Information System (MMIS), several vulnerabilities had not been addressed. Those vulnerabilities were allowed to persist as a result of insufficient controls over Medicaid data and systems, and a lack of oversight over its contractors to ensure sufficient security measures had been applied.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The vulnerabilities were severe in some cases, potentially allowing Medicaid data to be accessed and critical Medicaid operations to be disrupted. Together, the vulnerabilities could have compromised the integrity of the Virginia Medicaid program. However, OIG uncovered no evidence to suggest that the vulnerabilities had already been exploited.

OIG made several recommendations in various areas including the risk management process, system and information integrity controls, audit and accountability controls, system and communication protection controls and configuration management controls. OIG also recommended access and authentication controls be augmented.

Virginia concurred with all of the recommendation and has developed an action plan to implement those recommendations and correct all vulnerabilities that have yet to be addressed.

While the specific vulnerabilities discovered by OIG were not disclosed in the report, they all fall within areas that other private and public sector organizations have experienced problems with in the past.

Recent healthcare data breaches have also resulted from unaddressed vulnerabilities in similar areas. The recent WannaCry ransomware attacks have shown that vulnerabilities can all too easily be exploited by threat actors.

Healthcare organizations should therefore conduct periodic risk assessments – as required by the HIPAA Security Rule – and conduct vulnerability scans to determine whether any vulnerabilities exist. Organizations must then ensure any identified are vulnerabilities are addressed, prioritising the critical vulnerabilities that have the highest potential of being exploited and those that are likely to cause the most damage.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.