Federal auditors uncovered “numerous” security vulnerabilities at two Medicaid managed care organizations (MCOs) in Arizona, a finding that could be indicative of broader data security issues across the country.
A report (PDF) issued by the Office of Inspector General (OIG) on Tuesday identified 19 “significant vulnerabilities” in the information systems of the two MCOs, revolving primarily around access control and configuration management. In some instances, the organizations did not disable user accounts for terminated employees or failed to use two-factor authentication for remote access. The report also highlighted inadequate firewall configurations on the MCOs’ networks and an unencrypted claims processing database.
“Our consolidated findings from the reviews of the MCOs show significant vulnerabilities in the MCOs’ information systems and raise concerns about the integrity of the systems used to process Medicaid managed care claims,” the report stated. “The fact that some of the same vulnerabilities were identified at both MCOs suggests that other Arizona Medicaid MCOs may be similarly vulnerable.”
But the OIG also raised concerns beyond Arizona. MCOs are not required to follow the same federal security regulations as state Medicaid agencies, even though MCOs handle claims data. And there are no federal regulations requiring states to ensure that MCOs comply with federal security standards.
“Further, depending on the type of arrangement involved, the State may not have to include HIPAA data security standards in MCOs’ contracts or ensure MCO compliance with those standards,” the report stated. “This disparate application of security requirements for Medicaid data could affect State-MCO relationships nationwide and could increase risk to Medicaid patient data.”
There appears to be confusion about which entity is responsible for oversight. When confronted with the vulnerabilities, the state told OIG it was not responsible for overseeing security compliance for MCOs. But CMS disagreed with that position.
The OIG recommended that the Centers for Medicare & Medicaid Services (CMS) conduct a risk assessment to determine how the disparate application of federal security requirements impact Medicaid data maintained by MCOs and inform all state agencies of the vulnerabilities identified in Arizona.
While CMS agreed to alert state agencies, it argued that the Office for Civil Rights (OCR) already requires a risk assessment and that any additional efforts would be “duplicative.” However, OIG pointed out that although OCR can remind state contractors of their HIPAA responsibilities, they are not responsible for ensuring that Medicaid MCOs meet federal security requirements.
“Since this issue resides in the Medicaid program, we believe that CMS is in the best position to ensure that data security regulations are consistently applied to protect Medicaid beneficiaries’ data, regardless of where the data resides,” auditors wrote.
Watchdog agencies have continuously pushed CMS—and the Department of Health and Human Services more broadly—to do more to protect beneficiary data in both the Medicare and Medicaid programs. The OIG has previously pegged cybersecurity as a top management challenge for HHS.