Maryland fails OIG security audit, potentially put Medicaid patient data at risk

While the state program had a security program in place, it lacked sufficient controls over the data and its operation.
By Jessica Davis
12:48 PM

A U.S. Department of Health and Human Services Office of Inspector General audit of Maryland’s Medicaid system found the state did not adequately secure its Medicaid Management Information System (MMIS) and Medicaid data, which potentially put patient data and operations at risk.

OIG performed a vulnerability assessment scan to determine if there were existing vulnerabilities on the MMIS network, devices, websites and database. And while OIG officials found the state adopted a security program for the system, there were “significant system vulnerabilities.”

“These vulnerabilities remained because Maryland did not implement sufficient controls over its MMIS data and information systems,” the report authors wrote.

 

While there’s no evidence of unauthorized access, officials found that if exploited, the system flaws would have allowed unauthorized access and exposed Medicaid data and “the disruption of critical Medicaid operations.”

 

Not only that, but officials said the vulnerabilities were significant enough that it could have compromised the integrity of the state’s Medicaid program. While details of the flaws weren’t publically disclosed, officials said they were caused by a lack of sufficient controls.

Officials made a series of recommendations to bolster the state’s security program and systems to meet federal requirements. State officials agreed with recommendations and outlined steps it had taken and their plans to shore up security.

Maryland is just the latest state to be audited by OIG, many with similar results. In fact, HHS itself had a less than stellar audit in Dec. 2017. The audits are intended to find flaws and improve security posture across government systems.

It should serve as a reminder for organizations to audit their own programs, as hackers are becoming more sophisticated and require just a small window to gain access to a network.

Healthcare Security Forum

The Boston forum to focus on business-critical information healthcare security pros need Oct. 15-16.

Twitter: @JF_Davis_
Email the writer: jessica.davis@himssmedia.com

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.