
Security Weaknesses Discovered in New Mexico and North Carolina Medicaid Programs

The Department of Health and Human Services’ Office of Inspector General has conducted reviews of the Medicaid programs run by North Carolina and New Mexico and has identified information security weaknesses that could potentially be exploited by cybercriminals to gain access to systems and the sensitive data of Medicaid recipients.

Had the vulnerabilities been exploited, the states’ Human Services Departments (HSD) would have been placed at risk and the confidentiality, integrity, and availability of their eligibility systems compromised. Similar reviews have been conducted to assess the security controls in place in other states. Vulnerabilities were also detected in the systems used in Colorado, Massachusetts, South Carolina, and Virginia, suggesting many states are struggling to implement appropriate policies, procedures, and technology to comply with federal regulations on information security.

As with healthcare organizations, state Medicaid programs face budgetary constraints and a lack of resources. It can be a major challenge to ensure appropriate resources are directed to cybersecurity when there are many competing priorities. However, with cyberattacks on the rise, it is becoming increasingly likely that cybercriminals will take advantage of poor security controls to gain access to sensitive data.

New Mexico HSD was selected for review because of “inherent risks related to HSD’s migration of its legacy eligibility systems to the Automated System Program and Eligibility Network (ASPEN),” uncovered in a previous audit.


OIG discovered technology information control weaknesses in the New Mexico HSD Medicaid eligibility systems. The vulnerabilities were due to a lack of controls over the state’s Medicaid data and information systems, although OIG pointed out in the report that New Mexico HSD had adopted a security program for its eligibility systems.

OIG auditors said the vulnerabilities were “collectively and, in some cases, individually significant.” If the vulnerabilities were exploited there was potential for a compromise of the confidentiality, integrity, and availability of HSD’s eligibility systems; although, OIG uncovered no evidence to suggest that any of the vulnerabilities had already been exploited. The nature of the vulnerabilities was not disclosed in the report for security reasons.

Detailed findings of the review were sent to New Mexico HSD, which concurred with all but one of OIG’s findings. The vulnerability with which New Mexico did not concur had a compensating control in place. OIG has made several recommendations to improve security, including that New Mexico HSD conduct a risk assessment of the compensating control if it continues to rely on that control, and that it formally accept all associated risks in accordance with federal requirements.

North Carolina contracts with CRSA Inc. to operate its claims processing systems. OIG conducted its review to assess the information security controls in place and found that inadequate information system general controls had been implemented, increasing the risk to the confidentiality, integrity, and availability of Medicaid data.

Had the vulnerabilities been exploited, malicious actors could have gained access to Medicaid data and could potentially have disrupted HSD operations. As with New Mexico HSD, the vulnerabilities were “collectively and, in some cases, individually significant.”

In its report, OIG said: “In addition, without proper safeguards, systems are not protected from individuals and groups with malicious intent to obtain access in order to commit fraud or abuse or launch attacks against other computer systems and networks.” No evidence was uncovered to suggest that any of the vulnerabilities had already been exploited.

North Carolina HSD concurred with all recommendations made by OIG and will work closely with CRSA to address the identified security weaknesses.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.