Report: A single day of downtime in CMS' Enrollment Database would cost $47M

Pile of money
The Office of Inspector General calculated the cost of daily database downtime on CMS officials' own estimates. (Getty/urfinguss)

The Centers for Medicare & Medicaid Services needs to improve the resiliency of its Enrollment Database (EDB); otherwise it could face heavy financial costs in a potential cyber incident.

That's the conclusion of the HHS Office of Inspector General, which released a report on Tuesday analyzing the EDB. It warned that the database—which houses enrollment information on everyone who was ever a Medicare beneficiary—could cost the agency $47 million per day it becomes nonfunctional.

And that's to say nothing of the protected health information stored on those databases.

Conference

13th Partnering with ACOS & IDNS Summit

This two-day summit taking place on June 10–11, 2019, offers a unique opportunity to have invaluable face-to-face time with key executives from various ACOs and IDNs from the entire nation – totaling over 3.5 million patients served in 2018. Exclusively at this summit, attendees are provided with inside information and data from case studies on how to structure an ACO/IDN pitch, allowing them to gain the tools to position their organization as a “strategic partner” to ACOs and IDNs, rather than a merely a “vendor.”

"Our objective was to determine whether CMS implemented security controls within the EDB to protect the confidentiality, integrity, and availability of Medicare enrollee data, in accordance with Federal requirements," the report said.

RELATED: Congressional leaders say staff reassignments had ‘undeniable impacts’ on HHS cybersecurity capabilities

Most of the report is restricted, with five specific recommendations delivered solely to CMS. This was done, officials said, so that the agency has a chance to fix potential threat vectors before malevolent actors can take advantage of them. (It would be counterproductive, they reason, for OIG to be highlighting points of weakness to a nontrusted audience.)

But it's unclear whether HHS would have the capacity to fix these issues before malevolent actors jump on them. Earlier this summer, two of HHS' senior cybersecurity officials were abruptly reassigned under somewhat questionable circumstances. Congressional leaders said their departure had "undeniable impacts" on the agency's ability to respond to cyberthreats.

RELATED: Report: HHS needs consistent data-sharing protocol

"We do not believe CMS’s system consolidation will have a significant impact on our findings and recommendations," the report concluded.

Suggested Articles

The Trump administration has released its annual rule governing payments to inpatient providers.

Pharmacy retail giant Walgreens plans to implement a new minimum age requirement of 21 for its customers seeking to purchase tobacco products in its stores.

An artificial intelligence tool can help diagnose post-traumatic stress disorder in veterans by analyzing their voices, a new study found.