OIG reviews MassHealth and its Medicaid data and information system safeguards

MassHealth failed to adequately safeguard data and information systems through its Medicaid Management Information System (MMIS), according to an audit by the HHS Office of Inspector General (OIG) undertaken to determine whether Massachusetts safeguarded MMIS data as required under federal requirements.

What is MMIS?

The MMIS is “an integrated group of procedures and computer processing operations (subsystems) developed at the general design level to meet principal objectives” which are: Title XIX program control and administrative costs; service to recipients, providers and inquiries; operations of claims control and computer capabilities; and management reporting for planning and control. States receive 90 percent federal financial participation (FFP) for design, development, or installation of MMIS and 75 percent FFP for operation of state mechanized claims processing and information retrieval systems.

MassHealth MMIS

The Massachusetts Executive Office of Health and Human Services is responsible for administering the state Medicaid program, commonly known as MassHealth; information technology architecture, maintenance, and support are provided by the Massachusetts Office of Information Technology. Application support is provided through a contract with Hewlett-Packard.

The audit

Audits of information security controls are performed routinely on states’ computer systems used to administer HHS-funded programs and states are required to implement computer system security requirements and review them biennially. The OIG’s audit of MassHealth’s MMIS included MassHealth’s websites, databases, and other supporting information systems. The review was limited to security control areas and controls in place at the time of the visit. Specifically, the OIG looked at MassHealth’s implementation of federal requirements and National Institute of Standards and Technology guidelines regarding: system security plan, risk assessment, data encryption, web applications, vulnerability management, and database applications. Preliminary findings were communicated directly to MassHealth prior to the report’s issuance.

OIG’s findings

The OIG found MassHealth did not safeguard MMIS data and supporting systems as required by federal requirements. Vulnerabilities were discovered related to security management, configuration management, system software controls, and website and database vulnerability scans. Should exploitation of the vulnerabilities have occurred (and there was no evidence that it had), sensitive information could have been accessed and disclosed and operations of MassHealth could have been disrupted. Sufficient controls must be implemented over MassHealth Medicaid data and information systems.

Specific vulnerabilities uncovered were not detailed in the report because of the sensitive nature of the information. However, specific details were provided to MassHealth so it may address the issues. In response to the report, MassHealth described corrective actions it had taken or planned to take in response to the vulnerabilities.

Kusserow on Compliance: Tips for protecting data against attacks and breaches

The media is filled with stories of data breaches in all business sectors. Larger organizations are not immune. In fact, the larger the organization, the better the target appears to attackers. The largest breaches have been with the Federal Government. In the health care sector, data breaches involving Protected Health Information (PHI) have been rising at a great rate. Patient records are very valuable and are sold on a per-record basis. Providers are also considered “soft targets,” especially by those engaged in ransomware extortion, and many pay the demands to regain access to their patient records.

No one seems immune to these types of attacks. One can hardly forget that one of the biggest successful penetration attacks on data was against the U.S. Office of Personnel Management, where sensitive information, including Social Security Numbers, of 21.5 million individuals was compromised: 19.7 million individuals who applied for a background investigation and 1.8 million non-applicants, primarily spouses or cohabitants of applicants. Even law firms that provide advice on data security to their clients have been victimized and are among those with the weakest controls to protect their data. Survey reporting by Marsh found that four out of five of the largest 100 law firms had been hacked. As is common in any business arena, they noted that many don’t know they have been hacked. The following are best practice tips to assist in preventing and/or mitigating attacks and breaches.

  1. Have a dedicated information security officer who has the responsibility as well as the authority to adopt, implement, and enforce adequate security protocols, including ensuring that (a) the IT infrastructure and data creation, transmission, and storage protect data from unauthorized disclosure; (b) the legitimacy of data received, both source and content, is verified; and (c) data is accessible for auditing and monitoring.
  2. Develop and implement data security policies for:
  • all external drives and mobile devices (including personally owned)
  • location tracking and remote-erase options in case of loss or theft
  • data backup
  • installation of firewalls
  • data encryption
  • password protection
  • how to respond to any data breach
  • disaster recovery
  • records retention
  • business continuity in case of loss of data
  • uses of social media
  • vendor relationship requirements
  • use of free public Wi-Fi
  3. Institute safeguards and device management to protect information, such as encryption and passwords for all devices (USB drives, cell phones, tablets).
  4. Engage in ongoing monitoring to ensure that policies and procedures are being properly followed, and periodic outside auditing of the systems.
  5. Train all covered persons on existing policies and procedures relating to data protection, and on reporting any suspected unusual emails. This is important because most successful attacks are the result of email users opening attachments that give entry to a wrongdoer. Users are often the ones who detect early irregularities occurring as a result of an attack, and the quicker they report it, the easier it is to contain the attack.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2016 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: GAO lambasts HHS/OCR failure to protect EHR security

The General Accountability Office (GAO) reported a 13-fold increase in reported cyber-attacks on federal government agencies between 2006 and 2015, rising to more than 77,000 last year. They attributed this increase to failures by HHS and its Office for Civil Rights (OCR), which has primary responsibility for setting standards for protecting Electronic Health Records (EHR) and for enforcing compliance with these standards, but has failed to address what is called for by other federal cyber-security guidance under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) for health plans and care providers. GAO reported that over 113 million health records were breached in 2015 alone, which means that more than half of the U.S. population has had their medical records breached. Of those, just 221 breaches, or 13.3%, were attributed to some form of hacking incident, but many of those hacks were whoppers, contributing 126 million records, or 75%, of the records exposed. These breaches can have serious adverse impacts such as identity theft, fraud, and disruption of health care services.

Although EHR permits providers to share information more efficiently and gives patients easier access to their health information, it must be protected. However, this system for storing and transmitting information in electronic form continues to be vulnerable to cyber-based threats. GAO cited the following examples of failures:

  • Failure to address how covered entities should tailor their implementations of key security controls identified by the National Institute of Standards and Technology to their specific needs, such as developing risk responses.
  • Covered entities and business associates must comply with HHS requirements for risk assessment and management, but without more comprehensive guidance, they may not be adequately protecting electronic health information from compromise.
  • Although HHS has established an oversight program for compliance with privacy and security regulations, they have not always fully verified that the regulations were implemented.
  • OCR has failed to establish benchmarks to assess the effectiveness of its audit program, which results in less assurance that loss or misuse of health information is being adequately addressed.
  • In some of OCR’s investigations, the technical assistance it provided was not pertinent to the identified problems, and in other cases it did not always follow up to ensure that agreed-upon corrective actions were taken once investigative cases were closed.

GAO made five recommendations, including that HHS update its guidance for protecting electronic health information to address key security elements, improve technical assistance it provides to covered entities, follow up on corrective actions, and establish metrics for gauging the effectiveness of its audit program. HHS generally concurred with the recommendations and stated it would take actions to implement them.
