High-risk security vulnerabilities were discovered in audits of information system general controls at 10 state Medicaid agencies between 2010 and 2012, according to a report published this week by the U.S. Department of Health & Human Services Office of Inspector General.
OIG divided its findings into three categories: entitywide controls, access controls and network operations controls. With regard to entitywide controls, the agency identified 34 findings across the 10 agencies. Eight of those findings related to under- or undeveloped system security plans, while another eight related to encryption issues. According to OIG, for instance, one state agency failed to encrypt the hard drives of 14 portable laptops.
Regarding logical access controls, OIG found, for example, that one state agency both failed to establish a formal policy regarding user account management and had not performed periodic reviews of network accounts to confirm appropriate authorization for access. For network operations controls, the agency found, for example, that one state agency had not implemented any policies or procedures for the management of network devices.
Based on the findings, state Medicaid agencies, according to OIG, must make information system security a higher priority.
"The fact that some of the vulnerabilities were shared among the 10 state agencies suggests that other state Medicaid information systems may be similarly vulnerable," the report's authors said.
The report reaffirms points made last summer at the Government Health IT Conference & Exhibition in Washington, D.C., by Chad Grant, a senior policy analyst with the National Association of State Chief Information Officers. Grant told an audience at the event that state level governance efforts for storing and exchanging citizen data, including health information, are "shaky at best."
In spring 2012, the Utah Department of Health learned the nightmare that can ensue from use of a default admin password after a breach affected nearly 800,000 Medicaid patients.
To learn more:
- read the OIG report (.pdf)