The Centers for Medicare & Medicaid Services needs to improve the resiliency of its Enrollment Database (EDB); otherwise it could face heavy financial costs in a potential cyber incident.
That's the conclusion of the HHS Office of Inspector General, which released a report on Tuesday analyzing the EDB. It warned that the database, which houses enrollment information on everyone who was ever a Medicare beneficiary, could cost the agency $47 million for each day it is nonfunctional.
And that's to say nothing of the protected health information stored in that database.
"Our objective was to determine whether CMS implemented security controls within the EDB to protect the confidentiality, integrity, and availability of Medicare enrollee data, in accordance with Federal requirements," the report said.
Most of the report is restricted, with five specific recommendations delivered solely to CMS. This was done, officials said, so that the agency has a chance to fix potential threat vectors before malevolent actors can take advantage of them. (It would be counterproductive, they reason, for OIG to highlight points of weakness to an untrusted audience.)
But it's unclear whether HHS would have the capacity to fix these issues before malevolent actors jump on them. Earlier this summer, two of HHS' senior cybersecurity officials were abruptly reassigned under somewhat questionable circumstances. Congressional leaders said their departure had "undeniable impacts" on the agency's ability to respond to cyberthreats.
"We do not believe CMS’s system consolidation will have a significant impact on our findings and recommendations," the report concluded.