GAO says CMS needs to do more to protect Medicare data

CMS agreed with GAO findings that it needs to provide more specific cybersecurity guidance to researchers that access Medicare data. (Getty/gintas77)

The Centers for Medicare & Medicaid Services (CMS) needs to do more to ensure research organizations and qualified entities that access Medicare data meet certain cybersecurity standards, according to federal auditors.

A report (PDF) issued by the Government Accountability Office (GAO) last week found CMS has developed strong security requirements for Medicare Administrative Contractors (MAC) that facilitate provider payments, but it lacks the necessary oversight of research organizations and qualified entities that evaluate Medicare providers and equipment suppliers, both of which access claims data.

Although CMS provides researchers with “a broad requirement to implement security and privacy protections,” it lacks more specific risk-based guidance on minimum security controls. Researchers frequently access Medicare beneficiary information through a data center that is monitored by the agency, but in some cases, CMS provides data on external hard drives processed on the researcher’s own systems.


Furthermore, CMS has “limited security oversight mechanisms in place” for researchers and qualified entities. The agency does not conduct on-site reviews of security protocols or require independent testing, the GAO said.

“According to CMS, the lack of specific guidance gives the researchers more flexibility to independently assess their security risks and determine which controls are appropriate to implement; however, without providing comprehensive, risk-based security guidance to researchers, CMS increases the risk that external entities possessing agency data may not have applied security controls that meet CMS standards,” the GAO wrote.

CMS officials agreed with GAO’s recommendations, including more specific guidance for researchers. The agency said it is “considering implementing processes and procedures” to ensure agreements with researchers and qualified entities include security controls. It also agreed to more consistently track findings from MAC security assessments.

The GAO has routinely criticized CMS, and the Department of Health and Human Services (HHS) more broadly, for failing to implement effective cybersecurity protections.

Similarly, the Office of Inspector General has repeatedly identified cybersecurity weaknesses across HHS. Meanwhile, ousted HHS cybersecurity leaders say the Healthcare Cybersecurity Communications Integration Center (HCCIC) has been derailed following political infighting.
