Report: A single day of downtime in CMS' Enrollment Database would cost $47M

Pile of money
The Office of Inspector General calculated the cost of daily database downtime on CMS officials' own estimates. (Getty/urfinguss)

The Centers for Medicare & Medicaid Services needs to improve the resiliency of its Enrollment Database (EDB); otherwise it could face heavy financial costs in a potential cyber incident.

That's the conclusion of the HHS Office of Inspector General, which released a report on Tuesday analyzing the EDB. It warned that the database—which houses enrollment information on everyone who was ever a Medicare beneficiary—could cost the agency $47 million per day it becomes nonfunctional.

And that's to say nothing of the protected health information stored on those databases.

Free Daily Newsletter

Like this story? Subscribe to FierceHealthcare!

The healthcare sector remains in flux as policy, regulation, technology and trends shape the market. FierceHealthcare subscribers rely on our suite of newsletters as their must-read source for the latest news, analysis and data impacting their world. Sign up today to get healthcare news and updates delivered to your inbox and read on the go.

"Our objective was to determine whether CMS implemented security controls within the EDB to protect the confidentiality, integrity, and availability of Medicare enrollee data, in accordance with Federal requirements," the report said.

RELATED: Congressional leaders say staff reassignments had ‘undeniable impacts’ on HHS cybersecurity capabilities

Most of the report is restricted, with five specific recommendations delivered solely to CMS. This was done, officials said, so that the agency has a chance to fix potential threat vectors before malevolent actors can take advantage of them. (It would be counterproductive, they reason, for OIG to be highlighting points of weakness to a nontrusted audience.)

But it's unclear whether HHS would have the capacity to fix these issues before malevolent actors jump on them. Earlier this summer, two of HHS' senior cybersecurity officials were abruptly reassigned under somewhat questionable circumstances. Congressional leaders said their departure had "undeniable impacts" on the agency's ability to respond to cyberthreats.

RELATED: Report: HHS needs consistent data-sharing protocol

"We do not believe CMS’s system consolidation will have a significant impact on our findings and recommendations," the report concluded.