On Wednesday, March 5th, the Department of Health and Human Services Office of Inspector General (“OIG”) released a report stating that an investigation into 10 states’ Medicaid agencies found many security vulnerabilities that could put patients’ personal health information at risk.
The report, titled “High-Risk Security Vulnerabilities Identified During Reviews of Information Technology General Controls at State Medicaid Agencies,” was prepared after previous reviews of information systems raised concerns regarding the data safety of the systems that process claims for Medicaid beneficiaries.
The purpose of the investigation was for the OIG to summarize high-risk security vulnerabilities identified when reviewing information system general controls at 10 state Medicaid agencies between 2010 and 2012. Information system general controls include the procedures and structures that apply to the overall computing operations of an organization and that create a secure environment for the operation of application systems.
System general controls work to protect data and prevent unauthorized individuals from accessing the system. The OIG identified 79 individual findings from its review of the information system general controls at the 10 state Medicaid agencies. The OIG grouped the 79 findings into three information system general control categories:
- entity-wide controls;
- network operations controls; and
- access controls.
The OIG further divided the findings into 15 security control areas. From the investigation, the OIG concluded that there are “serious vulnerabilities” in the 10 states’ Medicaid systems, and some of the vulnerabilities were shared among many of the state agencies reviewed.
The state agencies whose systems were reviewed are currently working to address the vulnerabilities that the OIG’s investigation identified.
Review the OIG’s report.