Security Weaknesses Discovered in New Mexico and North Carolina Medicaid Programs


The Department of Health and Human Services’ Office of Inspector General has conducted reviews of the Medicaid programs run by North Carolina and New Mexico and has identified information security weaknesses that could potentially be exploited by cybercriminals to gain access to systems and the sensitive data of Medicaid recipients.

If the vulnerabilities were exploited, it would have placed the states’ Human Services Departments (HSD) at risk and compromised the confidentiality, integrity, and availability of eligibility systems. Similar reviews have been conducted to assess the security controls in place in other states. Vulnerabilities were also detected in the systems used in Colorado, Massachusetts, South Carolina and Virginia, suggesting many states are struggling to implement appropriate policies, procedures and technology to comply with federal regulations on information security.

As with healthcare organizations, state Medicaid programs face budgetary constraints and a lack of resources. It can be a major challenge to ensure appropriate resources are directed to cybersecurity when there are many competing priorities. However, with cyberattacks on the rise, it is becoming increasingly likely that cybercriminals will take advantage of poor security controls to gain access to sensitive data.

New Mexico HSD was selected for review because of “inherent risks related to HSD’s migration of its legacy eligibility systems to the Automated System Program and Eligibility Network (ASPEN),” uncovered in a previous audit.

OIG discovered information technology control weaknesses in the New Mexico HSD Medicaid eligibility systems. The vulnerabilities were due to a lack of controls over the state’s Medicaid data and information systems, although OIG pointed out in the report that New Mexico HSD had adopted a security program for its eligibility systems.

OIG auditors said the vulnerabilities were “collectively and, in some cases, individually significant.” If the vulnerabilities were exploited, there was potential for a compromise of the confidentiality, integrity, and availability of HSD’s eligibility systems, although OIG uncovered no evidence to suggest that any of the vulnerabilities had already been exploited. The nature of the vulnerabilities was not disclosed in the report for security reasons.

Detailed findings of the review were sent to New Mexico HSD, which concurred with all but one of OIG’s findings. The vulnerability with which New Mexico did not concur had a compensating control in place. OIG made several recommendations to improve security, including that, if New Mexico HSD continues to rely on that compensating control, it conduct a risk assessment of the control and formally accept all residual risks in accordance with federal requirements.

North Carolina contracts with CRSA Inc. to operate its claims processing systems. OIG conducted its review to assess the information security controls in place and found that inadequate information system general controls had been implemented, which increased the risk to the confidentiality, integrity, and availability of Medicaid data.

Had the vulnerabilities been exploited, malicious actors could have gained access to Medicaid data and could potentially have disrupted HSD operations. As with New Mexico HSD, the vulnerabilities were “collectively and, in some cases, individually significant.”

In its report, OIG said “In addition, without proper safeguards, systems are not protected from individuals and groups with malicious intent to obtain access in order to commit fraud or abuse or launch attacks against other computer systems and networks.” No evidence was uncovered to suggest any of the vulnerabilities had already been exploited.

North Carolina HSD concurred with all recommendations made by OIG and will work closely with CRSA to address the identified security weaknesses.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
