The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Significant Vulnerabilities Identified in Maryland’s Medicaid Management Information System

Posted By on Aug 16, 2018

The Department of Health and Human Services’ Office of Inspector General (OIG) has published the findings of an audit of Maryland’s Medicaid system.

The audit was conducted as part of the HHS OIG’s efforts to oversee states’ use of various Federal programs and to determine whether appropriate security controls had been implemented to protect its Medicaid Management Information System (MMIS) and Medicaid data.

The audit consisted of interviews with staff members, a review of supporting documentation, and use of vulnerability scanning software on network devices, servers, websites, and databases that supported its MMIS.

The audit uncovered multiple system security weaknesses that could potentially be exploited by threat actors to gain access to Medicaid data and disrupt critical Medicaid operations. Collectively, and in some cases individually, the vulnerabilities were ‘significant’ and could have compromised the integrity of the state’s Medicaid program.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Details of the vulnerabilities uncovered by auditors were not disclosed publicly, although OIG did explain that the vulnerabilities were present due to the failure to implement sufficient controls over MMIS data and information systems. While the flaws were serious, OIG did not discover any evidence to suggest the flaws had previously been exploited.

OIG has recommended Maryland make several improvements to its Medicaid program to ensure its information systems and Medicaid data are appropriately secured to a standard that meets Federal requirements.  Maryland concurred with all of the recommendations made by OIG and has submitted a plan that addresses all of the vulnerabilities that have not yet been corrected.

The audit was one of several conducted on various states over the past few months and the findings were similar to other state’s MMIS audits. While it is a concern that serious vulnerabilities exist, the audits ensure that vulnerabilities are identified and are addressed before they are exploited by threat actors, thus helping to prevent serious data breaches.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist