Significant Vulnerabilities Identified in Maryland’s Medicaid Management Information System
The Department of Health and Human Services’ Office of Inspector General (OIG) has published the findings of an audit of Maryland’s Medicaid system.
The audit was conducted as part of the HHS OIG’s efforts to oversee states’ use of various Federal programs and to determine whether Maryland had implemented appropriate security controls to protect its Medicaid Management Information System (MMIS) and Medicaid data.
The audit consisted of interviews with staff members, a review of supporting documentation, and the use of vulnerability scanning software on network devices, servers, websites, and databases that supported the state’s MMIS.
The audit uncovered multiple system security weaknesses that could potentially be exploited by threat actors to gain access to Medicaid data and disrupt critical Medicaid operations. Collectively, and in some cases individually, the vulnerabilities were ‘significant’ and could have compromised the integrity of the state’s Medicaid program.
Details of the vulnerabilities uncovered by auditors were not disclosed publicly, although OIG did explain that the vulnerabilities were present due to the failure to implement sufficient controls over MMIS data and information systems. While the flaws were serious, OIG did not discover any evidence to suggest the flaws had previously been exploited.
OIG has recommended Maryland make several improvements to its Medicaid program to ensure its information systems and Medicaid data are appropriately secured to a standard that meets Federal requirements. Maryland concurred with all of the recommendations made by OIG and has submitted a plan that addresses all of the vulnerabilities that have not yet been corrected.
The audit was one of several conducted on various states over the past few months, and the findings were similar to those of other states’ MMIS audits. While it is a concern that serious vulnerabilities exist, the audits ensure that vulnerabilities are identified and addressed before they are exploited by threat actors, thus helping to prevent serious data breaches.