Vulnerabilities raise systems integrity issues with California managed-care organizations

The information systems at three California managed-care organizations (MCOs) contain troubling high-risk security vulnerabilities, according to audits by the Office of the Inspector General (OIG).

These vulnerabilities raise concerns about the integrity of the systems used to process Medicaid managed-care claims, according to an OIG report.

The audits looked at the systems' general controls, which are the structure, policies and procedures that apply to an organization's overall computer operations and create a secure environment for application systems.

The audits identified 74 high-risk security vulnerabilities, which the report terms "significant and pervasive." It found:

  • In the access-controls category: 31 vulnerabilities related to portable and backup media, database security controls, password and login controls, wireless local area network controls, remote network access, and physical security controls.

  • In the configuration-management category: 29 vulnerabilities related to network devices, patch management, antivirus management and out-of-date software.

  • In the security-management category: 14 vulnerabilities related to contingency planning, required system security plan elements, sanitization of data and disposal of devices, and background checks.

Because the OIG found similar problems at all three organizations, the report suggests that other MCOs might be equally vulnerable. The state says it is addressing these vulnerabilities.

The OIG's recent semi-annual report noted security problems in the systems of its parent agency, the Department of Health and Human Services, as well as in other state systems.

A review of Medicare payments to acute-care hospitals is part of OIG's 2016 work plan.
