OIG: Medicare Contractors Have InfoSec Gaps
Report Evaluates CMS Vendors' Information Security Programs
Some Medicare administrative contractors have made improvements in their information security programs, but most still have a way to go in closing a number of key gaps, according to a new government watchdog report.
Among the concerns cited in the report are a lack of policies and procedures to reduce risk, failure to conduct periodic testing of information security controls, and insufficient incident detection, reporting and response.
The Department of Health and Human Services' Office of Inspector General's newly released report, Review of Medicare Contractor Information Security Program Evaluations for Fiscal Year 2013, looked at the information security practices of nine Medicare administrative contractors, or MACs, that provide services, such as claims processing or enrollment, to the Centers for Medicare and Medicaid Services. Many of the entities had multiple contracts with CMS, the report notes.
CMS hired the consulting firm PricewaterhouseCoopers to use "agreed upon procedures" to evaluate the information security programs at the nine entities. Those evaluations included assessing how the contractors implemented eight major requirements of the Federal Information Security Management Act of 2002.
The OIG notes that the contractors are responsible for developing a corrective action plan for each finding, and that CMS is responsible for tracking each finding until it is remediated.
"The total number of gaps identified at the Medicare contractors decreased from the previous year. Deficiencies remain in the FISMA control areas tested, including findings repeated from the previous year," the report concludes. "CMS should ensure that all gaps are remediated by the Medicare contractors in a timely manner."
The report says that among the nine contractors, the most gaps in fiscal 2013, the latest year studied, occurred in three FISMA control areas: policies and procedures to reduce risk (42 gaps), periodic testing of information security controls (39 gaps), and incident detection, reporting and response (14 gaps).
The fewest gaps found were in remedial actions (one gap), security awareness training (three gaps), and periodic risk assessments (three gaps).
In total, PwC reported 119 gaps at the nine Medicare contractors for fiscal 2013, which was 19 percent fewer than the 147 gaps for the same nine contractors in fiscal 2012.
"OIG's findings show a slight improvement in the maturation of the information security levels of these Medicare contractors," says Dan Berger, CEO of security consultancy Redspin. "It is great that more risk analysis is being done; now we just need to see more action on remediation and information security program development. It's great to identify risks, but of course, then you have to address them."
The weaknesses seen among Medicare contractors in their information security programs are similar to the struggles that other entities and vendors in the healthcare sector face, Berger adds. "This is a common thing that we have seen across the board of HIPAA covered entities and business associates. There are more risk assessments conducted today than ever before. But next comes the hard part of fixing what you find."
Security expert Mac McMillan, CEO of consulting firm CynergisTek, isn't surprised by the report's findings. "This seems to be a recurring theme with a lot of entities that do not have mature security programs based on disciplined processes for configuring and administering the enterprise," he says. "Poor configuration practices, lack of testing and poor auditing and monitoring means they are ripe for an incident and less likely to know it."
Level of Risk
PwC classified 34 percent of the gaps as high-risk findings, but did not identify which gaps it considered high-risk. Twenty-eight percent of the gaps were repeat findings from fiscal 2012, the report notes. Of those repeat findings, 58 percent were considered high-risk.
An OIG spokesman tells Information Security Media Group that it's the agency's policy to "not provide a roadmap for highly critical vulnerabilities" in the reports it issues. However, "CMS was notified of the high-risk areas" identified by PwC, the spokesman notes.
OIG noted in the study that CMS had no comments on the draft report. However, in a statement to ISMG, CMS says, "CMS had no substantive concerns with the OIG report, and concurred with the recommendation in the report. By law, the OIG prepares a similar report annually. As it does each year, CMS continues to work with the Medicare administrative contractors to resolve findings in a timely manner."
More Room for Improvement
One of the biggest areas of improvement from fiscal 2012 to fiscal 2013 was in incident detection, reporting and response. However, that area is still among the top three areas where compliance gaps were found in fiscal 2013.
Eight of the nine Medicare contractors had one to two gaps related to incident detection, reporting and response. In total, PwC identified 14 gaps in this area in fiscal 2013, versus 22 in fiscal 2012.
Among the examples of gaps in incident detection, reporting and response found:
- The log review policies and procedures and log review process of contractors did not comply with CMS requirements.
- Monthly reporting of scans and probes to CMS was not performed in accordance with CMS requirements.
- Incident detection and monitoring procedures were not documented in accordance with CMS requirements.
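Two of the gaps listed above, non-compliant log review and missing monthly reporting of scans and probes, come down to having a repeatable process that turns raw firewall logs into a monthly summary. The script below is an added illustration written for this article, not tooling from the report, CMS or any contractor: it parses a small set of constructed firewall deny lines (the log format, the IP addresses and the scan thresholds are all assumptions made for the example), aggregates denied connections per source per month, and classifies each source as a port scan, a host sweep or an isolated probe so the rows can go straight into a monthly report.

```python
import re
from collections import defaultdict

# Constructed sample firewall lines for the example (not real logs).
# Addresses are from RFC 5737 documentation ranges and RFC 1918 space.
SAMPLE_LOG = """\
2013-04-02T10:15:33Z fw1 DENY src=198.51.100.7 dst=10.0.0.5 dport=22
2013-04-02T10:15:34Z fw1 DENY src=198.51.100.7 dst=10.0.0.5 dport=23
2013-04-02T10:15:35Z fw1 DENY src=198.51.100.7 dst=10.0.0.5 dport=80
2013-04-02T10:15:36Z fw1 DENY src=198.51.100.7 dst=10.0.0.5 dport=443
2013-04-02T10:15:37Z fw1 DENY src=198.51.100.7 dst=10.0.0.5 dport=3389
2013-04-09T08:01:10Z fw1 DENY src=203.0.113.9 dst=10.0.0.8 dport=445
2013-05-01T02:30:00Z fw1 DENY src=203.0.113.9 dst=10.0.0.8 dport=445
2013-05-01T02:30:01Z fw1 DENY src=203.0.113.9 dst=10.0.0.9 dport=445
2013-05-01T02:30:02Z fw1 DENY src=203.0.113.9 dst=10.0.0.10 dport=445
2013-05-01T02:30:03Z fw1 DENY src=203.0.113.9 dst=10.0.0.11 dport=445
2013-05-01T02:30:04Z fw1 DENY src=203.0.113.9 dst=10.0.0.12 dport=445
2013-05-03T11:00:00Z fw1 ACCEPT src=10.0.0.20 dst=10.0.0.5 dport=443
this line is malformed and should be skipped
"""

# Assumed log format: ISO timestamp, device, action, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+ \S+ (?P<action>DENY|ACCEPT) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Thresholds are assumptions for this example, not CMS-defined values.
PORT_SCAN_MIN_PORTS = 5   # distinct ports tried on any host by one source
SWEEP_MIN_HOSTS = 5       # distinct hosts tried on one port by one source


def parse_lines(text):
    """Parse well-formed lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["month"] = d["ts"][:7]       # "YYYY-MM" bucket for the monthly report
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def summarize_probes(text):
    """Aggregate DENY events: {month: {src: {denied, ports, hosts}}}."""
    per_month = defaultdict(
        lambda: defaultdict(lambda: {"denied": 0, "ports": set(), "hosts": set()})
    )
    for e in parse_lines(text):
        if e["action"] != "DENY":
            continue                   # only blocked traffic counts as a probe
        rec = per_month[e["month"]][e["src"]]
        rec["denied"] += 1
        rec["ports"].add(e["dport"])
        rec["hosts"].add(e["dst"])
    return per_month


def classify(rec):
    """Label a source's monthly activity by the shape of what it touched."""
    if len(rec["ports"]) >= PORT_SCAN_MIN_PORTS:
        return "port-scan"
    if len(rec["hosts"]) >= SWEEP_MIN_HOSTS:
        return "host-sweep"
    return "probe"


def monthly_report(text):
    """Flatten the summary into sorted rows, one per (month, source)."""
    rows = []
    summary = summarize_probes(text)
    for month in sorted(summary):
        for src, rec in sorted(summary[month].items()):
            rows.append({
                "month": month,
                "source": src,
                "denied": rec["denied"],
                "distinct_ports": len(rec["ports"]),
                "distinct_hosts": len(rec["hosts"]),
                "classification": classify(rec),
            })
    return rows


if __name__ == "__main__":
    for row in monthly_report(SAMPLE_LOG):
        print(row)
```

The point of keeping the parser tolerant of malformed lines and of sorting the output is that the same script can run unattended each month; the review gap the report describes is usually not the absence of logs but the absence of a documented, repeatable process over them.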
"Keeping the number of incidents reasonably low is very important to protect the business processes of the organization," the report notes. "If security controls are insufficient, high volumes of incidents may occur, which could overwhelm the incident response team. This could lead to slow and incomplete responses and negative business effects, such as extensive damage to computer systems, periods without computer service and periods when data are unavailable."
As for gaps seen in policies and procedures to reduce risk, another top-three weak spot found by evaluators, examples included:
- System configuration checklists did not comply with CMS requirements.
- Systems operating in the contractor's environment did not have the latest patches installed.
- Malicious software protection procedures and mechanisms were not fully configured in a manner consistent with CMS requirements.
"Ineffective policies and procedures to reduce risk could jeopardize an organization's mission, information and IT assets," the OIG notes in the report. "Without adequate configuration standards and the latest security patches, systems may be susceptible to exploitation that could lead to unauthorized disclosure of data, data modification or the unavailability of data."
Examples of gaps in periodic testing of information security controls included:
- The contractors' system inventory process had not been implemented in accordance with CMS requirements.
- The contractors' system security configurations did not comply with CMS requirements.
- Security weaknesses were found by external network penetration testing.
"Without a comprehensive program for periodically testing and monitoring information security controls, management has no assurance that appropriate safeguards are in place to mitigate identified risks," the report notes.
McMillan suggests several steps that entities can take to fill the information security gaps highlighted in the report.
"Implement a process of hardening all devices that go on the network; ensure consistent baselines for configurations," he says. "Insist on discipline in testing as new assets are added to the network, and periodically, to ensure controls have not been altered and critical/serious patches have been applied."
Also, entities need to "instill discipline and documented processes for changes to the environment and require risk analysis as part of the change process," the consultant says. "Test, audit and monitor over and over again to proactively find risks, discover changes or things missed."
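The configuration, patching, malware-protection and inventory gaps listed earlier, and McMillan's advice to keep consistent baselines and re-test as assets are added, all reduce to the same check: compare what is actually running against an approved baseline and report every difference. The script below is an added example written for this article, not code from the report, CMS or CynergisTek. The baseline settings, the patch identifiers (placeholders, not real patch ids), the signature-age limit and the three host snapshots are all constructed for illustration; a real deployment would collect the snapshots from the hosts and keep the baseline under change control.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed baseline for the example: the hardened state every server must match.
# Keys, values and patch ids are illustrative placeholders, not CMS requirements.
BASELINE_SETTINGS = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "audit.enabled": "yes",
    "antimalware.realtime": "on",
}
REQUIRED_PATCHES = {"PATCH-EXAMPLE-001", "PATCH-EXAMPLE-002"}
MAX_SIGNATURE_AGE_DAYS = 3
INVENTORY = {"web01", "db01"}   # hosts the system inventory process knows about


@dataclass
class HostSnapshot:
    """What a collector reported about one host (constructed here)."""
    name: str
    settings: Dict[str, str]
    installed_patches: Set[str]
    signature_age_days: int


@dataclass
class Finding:
    host: str
    area: str     # "inventory", "configuration", "patching" or "antimalware"
    detail: str


def check_host(snap: HostSnapshot) -> List[Finding]:
    """Compare one host against the baseline and return every gap found."""
    findings: List[Finding] = []
    # Inventory gap: a host on the network that the inventory never recorded.
    if snap.name not in INVENTORY:
        findings.append(Finding(snap.name, "inventory",
                                "host observed but not in system inventory"))
    # Configuration drift: missing or altered hardening settings.
    for key, expected in BASELINE_SETTINGS.items():
        actual = snap.settings.get(key)
        if actual is None:
            findings.append(Finding(snap.name, "configuration",
                                    f"{key} not set (expected {expected})"))
        elif actual != expected:
            findings.append(Finding(snap.name, "configuration",
                                    f"{key}={actual} (expected {expected})"))
    # Patching gap: required patches that the host does not report installed.
    for patch in sorted(REQUIRED_PATCHES - snap.installed_patches):
        findings.append(Finding(snap.name, "patching",
                                f"required patch {patch} not installed"))
    # Malware-protection gap: stale signatures.
    if snap.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        findings.append(Finding(snap.name, "antimalware",
                                f"signatures {snap.signature_age_days} days old "
                                f"(max {MAX_SIGNATURE_AGE_DAYS})"))
    return findings


def check_fleet(snaps: List[HostSnapshot]) -> List[Finding]:
    """Run the baseline check over every snapshot collected this cycle."""
    findings: List[Finding] = []
    for snap in snaps:
        findings.extend(check_host(snap))
    return findings


def gaps_by_area(findings: List[Finding]) -> Dict[str, int]:
    """Count gaps per control area, the same shape as the report's tallies."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.area] = counts.get(f.area, 0) + 1
    return counts


# Constructed snapshots: web01 is compliant, db01 has drifted since it was
# built, and app02 was added to the network without going through inventory.
SAMPLE_HOSTS = [
    HostSnapshot("web01", dict(BASELINE_SETTINGS), set(REQUIRED_PATCHES), 1),
    HostSnapshot("db01", {**BASELINE_SETTINGS, "ssh.PermitRootLogin": "yes"},
                 {"PATCH-EXAMPLE-001"}, 10),
    HostSnapshot("app02", {"ssh.PermitRootLogin": "no"}, set(), 0),
]

if __name__ == "__main__":
    all_findings = check_fleet(SAMPLE_HOSTS)
    for f in all_findings:
        print(f"{f.host:6} {f.area:14} {f.detail}")
    print(gaps_by_area(all_findings))
```

Running this on a schedule, and again whenever a change ticket closes, is what turns "test, audit and monitor over and over again" into a mechanism: a drifted setting on db01 or an uninventoried app02 shows up in the next cycle rather than in next year's evaluation.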