GAO says CMS needs to do more to protect Medicare data

The Centers for Medicare & Medicaid Services (CMS) needs to do more to ensure research organizations and qualified entities that access Medicare data meet certain cybersecurity standards, according to federal auditors.

A report (PDF) issued by the Government Accountability Office (GAO) last week found CMS has developed strong security requirements for Medicare Administrative Contractors (MAC) that facilitate provider payments, but it lacks the necessary oversight of research organizations and qualified entities that evaluate Medicare providers and equipment suppliers, both of which access claims data.

Although CMS provides researchers with “a broad requirement to implement security and privacy protections,” it lacks more specific risk-based guidance on minimum security controls. Researchers frequently access Medicare beneficiary information through a data center that is monitored by the agency, but in some cases, CMS provides data on external hard drives processed on the researcher’s own systems.

Furthermore, CMS has “limited security oversight mechanisms in place” for researchers and qualified entities. The agency does not conduct on-site reviews of security protocols or require independent testing, the GAO said.

RELATED: With the largest IT budget among federal agencies, HHS security functions labeled ineffective

“According to CMS, the lack of specific guidance gives the researchers more flexibility to independently assess their security risks and determine which controls are appropriate to implement; however, without providing comprehensive, risk-based security guidance to researchers, CMS increases the risk that external entities possessing agency data may not have applied security controls that meet CMS standards,” the GAO wrote.

CMS officials agreed with GAO’s recommendations, including more specific guidance for researchers. The agency said it is “considering implementing processes and procedures” to ensure agreements with researchers and qualified entities include security controls. It also agreed to more consistently ack findings from MAC security assessments.

The GAO has routinely criticized CMS and the Department of Health and Human Services (HHS) more broadly, for failing to implement effective cybersecurity protections.

Similarly, the Office of Inspector General has repeatedly identified cybersecurity weaknesses across HHS. Meanwhile, ousted HHS cybersecurity leaders say the Healthcare Cybersecurity Communications Integration Center (HCCIC) has been derailed following political infighting.