Kusserow on Compliance: OIG finds inadequate security management practices in Utah

The HHS Office of Inspector General (OIG) has been conducting a number of audits of the security controls that protect information systems. State agencies must establish appropriate computer system security requirements and conduct biennial reviews of the security of computer systems used in the administration of state plans for Medicaid and other federal entitlement benefits. The OIG reviewed the state of Utah as part of this effort. The resulting report identified weaknesses in the comprehensive information system general controls. It also noted concerns regarding the Department of Technology Services' (DTS) security management practices, particularly as they relate to the implementation of information system general controls over systems used to support Medicaid eligibility determination and claims processing in Utah, and regarding the oversight of DTS.

Utah has approximately 377,000 Medicaid recipients, for whom the Utah Department of Health (DOH) processed approximately 6.5 million claims a year with outlays of approximately $2.2 billion. The OIG found that the state had not established an effective enterprise security control structure to ensure that adequate information system general controls were implemented, in conformance with federal requirements, over the systems used to support the DOH's Medicaid eligibility determination and claims processing. These inadequate security management practices put Medicaid systems and data at risk. The OIG identified 39 high-impact, reportable weaknesses during its earlier comprehensive information system general controls audit of the same systems. Based on that review, the OIG recommended that the DOH work to:

  • implement effective security management practices; and
  • establish oversight procedures to ensure that adequate information system general controls are implemented to correct the security weaknesses identified and to comply with federal information system security requirements.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He is currently CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance-related matters. The SM sister company, CRC, provides a wide range of compliance tools, including sanction-screening.


Copyright © 2016 Strategic Management Services, LLC. Published with permission.