Medicare administrative contractor security gaps increased 16% in 2015; high-risk concerns persist

An annual evaluation of Medicare administrative contractors (MACs) found information security gaps increased 16% between 2014 and 2015, including several recurring high-risk concerns.

The nine MACs reviewed averaged 17 security gaps each during fiscal year 2015, bringing the overall total to 149, according to a report (PDF) by the Office of Inspector General (OIG). However, the OIG noted that additional controls were tested in this year’s review, which likely added to the total number of gaps.

Still, several gaps lingered from the previous year. Nearly half of the security risks identified were classified as high- or medium-risk, and nine percent of those were repeats from 2014.

The majority of security gaps identified in the report were tied to policies and procedures to reduce risk and periodic testing of security controls. Policy gaps included substandard mobile device encryption and external information system connections. A lack of periodic testing among MACs led to security configurations that didn’t meet federal standards and security weaknesses that went unnoticed.

In its recently updated cybersecurity framework, the National Institute of Standards and Technology (NIST) developed cybersecurity metrics and included additional guidance regarding supply chain management. An earlier report by the Government Accountability Office (GAO) called on the federal government to improve security and privacy guidance as the Office for Civil Rights prepared for onsite HIPAA audits in 2017.