Audit Finds Security Woes at California Medi-Cal Plans
Dozens of 'High Risk' Security Control Vulnerabilities Identified
A federal audit of three California Medi-Cal (Medicaid) managed care organizations found dozens of "high risk" security control vulnerabilities, ranging from weak access controls to poor patch management, that potentially threaten the entities' operations and put Medicaid beneficiaries' data at risk for breaches.
Some security experts say the problems identified during the reviews by the Department of Health and Human Services' Office of Inspector General, unfortunately, can be found at many other healthcare organizations.
"Most, if not all, of these vulnerabilities are common across the healthcare industry," says Kate Borten, founder of privacy and security consulting firm The Marblehead Group.
"The findings relate to basic IT management components that have been around for a long time, but that organizations still struggle with today," says Jeff Cobb, who until recently was CISO at Tennessee healthcare provider Capella Healthcare. He's now a principal security consultant at World Wide Technology. "In general, I see IT and security as still operationally immature in healthcare," he adds.
In its report, which represents a consolidation of OIG reviews conducted at three managed care organizations from 2012 to 2015, the watchdog agency says it identified 74 "high-risk" security vulnerabilities in the information system general controls of the entities.
As of May 2015, California had 87 managed care organizations serving more than 9.5 million Medi-Cal beneficiaries. The report does not identify the three that OIG audited. California's Department of Health Care Services administers the Medi-Cal program and is responsible for monitoring and oversight of the managed care organizations.
"The integrity of the [California] state agency's Medi-Cal managed care systems depends on the effectiveness of information system general controls, which are critical to the reliability, confidentiality, and availability of Medi-Cal data," the report notes. "Without effective general controls, the state agency is not able to adequately safeguard sensitive Medi-Cal managed-care systems and data."
The "high risk" designation means "that a threat event could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the nation," OIG says.
OIG grouped the 74 vulnerabilities into 14 security control areas within three information system general control categories: access controls, configuration management and security management. In six of the 14 security control areas, all three MCOs had vulnerabilities. "We determined that most of the 74 vulnerabilities were significant and pervasive," OIG writes.
According to the audit report:
- In the access control category, OIG identified 31 vulnerabilities related to portable and backup media; database security controls; password and login controls; wireless local area network controls; remote network access; and physical security controls.
- In the configuration management category, OIG identified 29 vulnerabilities related to configuration of network devices, patch management, anti-malware management and out-of-date software.
- In the security management category, OIG identified 14 vulnerabilities related to contingency planning; required system security plan elements; sanitization of data and disposal of devices; and background checks.
"Our consolidated findings from the individual reports show significant vulnerabilities in the three MCOs' information systems and raise concerns about the integrity of the systems used to process Medicaid managed care claims," OIG says.
OIG notes that its individual reports made recommendations to the California state Medicaid agency regarding the vulnerabilities identified. "In almost all cases, the state agency agreed with our recommendations and described corrective actions that it had taken or planned to take. We restricted the distribution of these reports to the MCOs, the state agency and the CMS action official because of the sensitivity of the vulnerabilities, which could have left the MCOs' information systems susceptible to exploitation or attack," OIG writes.
Although the OIG performed the same audit steps to assess each MCO's general controls, "because of minor differences in the types of information systems at each MCO, we cannot conclude that all Medi-Cal managed care information system security environments have similar vulnerabilities," the report notes.
A spokesman for the California Department of Health Care Services, which oversees the Medi-Cal program, says, "DHCS is committed to protecting the confidentiality of our members, and the department appreciates OIG's work to identify these data vulnerabilities. We have begun working with all three plans to correct the issues. At least one of the plans has already completed corrective work. DHCS expects to receive regular updates on the plans' progress toward fixing these vulnerabilities."
Many healthcare entities, both providers and payers, are dealing with security issues similar to those discovered by OIG at the California managed care organizations, Borten says. "The vulnerabilities are common security practices that have not been implemented - or not adequately," she says.
"For example, unencrypted protected health information on a portable device or media continues to be a big risk, even though organizations routinely encrypt laptops today," she notes. "Failure to patch systems is a long-standing issue. Two-factor authentication for remote access continues to be uncommon; solutions are problematic for many not-for-profit organizations since they are somewhat costly and can be cumbersome when physicians practice at multiple facilities."
In fact, the HHS "wall of shame", which lists major health data breaches affecting 500 or more individuals, contains hundreds of incidents since September 2009 involving lost or stolen unencrypted computing devices and storage media.
Also, the HHS Office for Civil Rights one year ago slapped Anchorage Community Mental Health Services with a $150,000 fine as part of a resolution agreement stemming from a 2012 malware-related breach that involved the entity's failure to apply software patches.
Addressing the Problems
Security experts stress that all healthcare entities must carefully assess how they're handling basic best practices.
All of the security control weaknesses identified by the OIG are important, Cobb says, "because I consider them foundational for IT and security programs. But security professionals have to prioritize, and I feel you can use the compiled [HHS] healthcare breach data from 2009 to date to identify where to start. Encryption and/or disposal of laptops, mobile devices, backup tapes, etc. would be one. Patching obviously would be another, given the importance of closing known vulnerabilities to help prevent common ways of system compromise. Adoption of two-factor authentication for at least remote access is also key in today's threat landscape."
Borten stresses that multiple security controls are needed to mitigate risks. "There are no silver bullets or shortcuts in information security," she says. "Organizations need to recognize the major role security plays in business today and be willing to put resources - budget and people - into their security programs."