OIG stings Virginia for failing to secure Medicaid data
An audit of Virginia Medicaid’s processing system revealed several vulnerabilities that left Medicaid beneficiaries’ data exposed, according to a recent report from the Department of Health and Human Services’ Office of the Inspector General.
Further, Virginia’s Department of Medical Assistance Services failed to secure its Medicaid data in line with federal requirements. To prevent a potential exploit, the report didn’t detail the specific vulnerabilities, but OIG sent full details and recommendations to the department for review.
These flaws were so severe that they could have allowed a hacker to gain access to Medicaid data, compromise the integrity of Virginia’s Medicaid program or disrupt services. Officials said there was no evidence to suggest the system had been breached.
To perform the audit, OIG examined DMAS system controls through staff interviews, policy and procedure review and a network vulnerability scan.
DMAS had a security plan in place prior to the audit, but officials said it didn’t address certain vulnerabilities. In fact, these security weaknesses persisted due to insufficient security measures. The department also lacked oversight of its contractors that would have ensured the right security tools were in place.
Among its laundry list of recommendations, officials found that Virginia needs to improve its security program and IT systems to meet federal requirements, improve oversight of its contractors and address the vulnerabilities explained in the report.
Further, officials called for enhancement of the agency’s risk management process, access and authentication controls, system and communications protection controls and configuration management.
Virginia agreed with the recommendation and has instated an action plan to both implement OIG’s recommendations and fix its security flaws.
While the vulnerabilities found in Virginia’s system are severe, they’re not uncommon in the healthcare sector. The recent WannaCry campaign exploited similar vulnerabilities and shut down 20 percent of the U.K. National Health Service. Ransomware campaigns have been successfully exploiting similar flaws since early 2016.
Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com