HHS OIG: Medicare Contractors Struggle with Security Gaps
New Report Highlights Security Weak Spots; Experts Say Others Face Similar Woes
An annual review of nine contractors providing Medicare with administrative services shows that while their information security programs were deemed "adequate in scope and sufficiency," the number of gaps grew compared with the previous annual review.
A report issued on Jan. 23 by the Department of Health and Human Services' Office of Inspector General says an annual review in fiscal 2015 of nine contractors that provide administrative services, such as processing and paying Medicare fee-for-service claims for the Centers for Medicare and Medicaid Services, identified a total of 149 security gaps, compared with 129 gaps identified in fiscal 2014. The fiscal 2015 review identified 22 high-risk gaps, but the report did not name them.
The review, conducted by PricewaterhouseCoopers, evaluated how the contractors address eight requirements of the Federal Information Security Management Act of 2002, OIG notes.
Key Security Gaps
Similar to findings in fiscal 2014, most gaps in fiscal 2015 occurred in the following FISMA security control areas:
- Policies and procedures to reduce risk. That includes gaps related to mobile device encryption, patch management and external information system connections.
- Periodic testing of information security controls. That includes change management procedures that were not consistently enforced, system security configurations that did not comply with CMS requirements and security weaknesses that were found by internal network penetration testing.
- System security plans. That includes access control procedures that were not consistently enforced, policies and procedures that were not reviewed within 365 days of the previous review date in accordance with CMS requirements, and system security plans that did not reflect the current operating environment or were not fully implemented and enforced.
Security and privacy expert Kate Borten, president of the consultancy The Marblehead Group, says the shortcomings revealed by the OIG review are likely widespread across healthcare organizations and their business associates.
"Some tested areas indicate a security program's level of maturity," Borten notes of the OIG review. "For example, many organizations may have a change management process, but it may be lax and informal. That opens the door to problems such as misconfiguration leading to breach."
Borten recommends that HIPAA covered entities and the business associates "read this report and compare their own practices" as a benchmark for improving their own security programs.
Mac McMillan, CEO of security consulting firm CynergisTek, says that based on the OIG's report, "the biggest area of concern is the apparent lack of good hygiene as it relates to maintaining the technical integrity of the network. Most hacks start with the attacker taking advantage of a poorly managed system with configuration and patching errors."
McMillan says the OIG findings are consistent with problems he sees across the healthcare sector, including a lack of good security practices and poor security awareness due to a lack of proper testing and monitoring.
"Vulnerability management as a whole - hardening, patching, configuration management, change control, regular testing - seems to be a struggle for many health systems, large and small," he adds. "Legacy systems and applications, end-of-life platforms, medical devices and other devices - such as the internet of things - that cannot be secured properly just add to this challenge."
OIG notes that the contractors are responsible for developing a corrective action plan for each high-risk and medium-risk gap. OIG recommends that CMS continue its oversight visits and ensure that the contractors remediate the gaps in a timely manner. CMS did not provide a response for the report, OIG notes. And CMS did not immediately respond to an Information Security Media Group request for comment.