Security Woes at Arizona Medicaid MCOs: Tip of the Iceberg?
Report: Medicaid Data and Systems Could Also Be at Risk at Other Medicaid MCOs
A security review of two Medicaid managed care organizations in Arizona revealed several significant access control and configuration vulnerabilities that raise concerns about the integrity of systems used to process claims.
The federal watchdog's findings also raise questions about whether similar issues exist with Medicaid MCOs in other states due, in part, to disparities in complying with federal security regulations.
Medicaid MCOs include health maintenance organizations, health plans and other comparable organizations that provide services to Medicaid beneficiaries.
HIPAA Compliance Issues
The report issued on Nov. 23 by the Department of Health and Human Services' Office of Inspector General about two unnamed Medicaid managed care organizations in Arizona notes that the agency's objective was to summarize the security vulnerabilities it identified during its review of whether the MCOs protected data and systems in accordance with HIPAA guidelines.
The report notes that federal regulations treat the security of Medicaid data differently depending on whether the data resides at the state Medicaid agencies or the Medicaid MCOs.
"State Medicaid agencies must follow federal security requirements for their Medicaid data, yet the MCOs handling the states' Medicaid data do not have to follow the same federal security regulations," the report notes.
"In addition, there are no federal regulations requiring states to provide oversight for ensuring MCOs comply with federal security requirements related to Medicaid data. Further, depending on the type of arrangement involved, the state may not have to include HIPAA data security standards in MCOs' contracts or ensure MCO compliance with those standards," the report notes.
"This disparate application of security requirements for Medicaid data could affect state-MCO relationships nationwide and could increase risk to Medicaid patient data."
The OIG report notes that the agency identified 19 security vulnerabilities in the information system general controls at the two Arizona MCOs reviewed.
"Although we did not identify evidence that the vulnerabilities had been exploited, exploitation could result in unauthorized access to, and disclosure of, sensitive information, as well as disruption of critical operations at the two MCOs," HHS OIG writes.
"As a result, the vulnerabilities were collectively - and in some cases, individually - significant, and could have potentially compromised the integrity of the Medicaid data at the MCOs."
OIG adds that its consolidated findings from the reviews show "significant vulnerabilities" in the MCOs' information systems and raise concerns about the integrity of the systems used to process Medicaid managed care claims.
"The fact that some of the same vulnerabilities were identified at both MCOs suggests that other Arizona Medicaid MCOs may be similarly vulnerable," the report notes. At the time of OIG's initial review of the two MCOs - September 2016 - Arizona had 13 MCOs with more than 1.5 million beneficiaries, totaling more than $8 billion in spending for fiscal 2016, the watchdog agency notes.
In the configuration management category, the OIG identified 14 vulnerabilities related to configuration of network devices, patch management, anti-virus management, server management, database management and website security.
For instance, OIG writes that both MCOs did not securely configure the setting for their firewall's Secure Shell session timeout.
"Only administrators should have access to this setting and use it to determine whether an SSH session is no longer being used, enabling a device to determine when a connection can be automatically disconnected. The default timeout session for this firewall was set at 5 minutes," OIG writes. "However, at one MCO it was changed to 30 minutes, which allowed more time for a potential attacker to access the system using an authenticated administrator session that had not been properly ended."
An attacker could have obtained information on the configuration settings and performed malicious activities acting as the previously authenticated administrator user, according to the report.
One of the MCOs lacked adequate procedures to ensure that patching was current on all workstations. Patching required users to restart their workstations before patches were applied, and some users were not restarting their workstations, OIG writes. "Without adequate patch management, an attacker may be able to gain unauthorized access to sensitive data and personally identifiable information on a network," OIG says.
"For example, in May 2017, the WannaCry ransomware worldwide cyberattack targeted unpatched computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments," the report notes.
In the access controls category, OIG said it found five vulnerabilities related to remote network access, password and login controls, and physical security controls.
For instance, one MCO's remote access policy did not specify the use of two-factor authentication for remote network access. "Without the use of two-factor authentication for remote access, there is an increased risk of unauthorized access to sensitive computer systems and data," OIG writes.
Regarding vulnerabilities related to password and login controls, the OIG found that one of the MCOs did not disable user accounts for terminated employees in a timely manner, even though the MCO's policies and procedures stated that access should be disabled promptly after the user's termination. "Without strong password and login controls, there is an increased risk of unauthorized access to sensitive data," OIG writes.
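The terminated-user finding above is the kind of control an organization can test for itself by reconciling HR termination records against directory account status. The script below is an added example, not code from the OIG report or either MCO; the termination dates, usernames and one-day grace period are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample data (not from the OIG report): HR termination records
# keyed by employee id, and directory account records as an auditor might
# export them from the identity store.
TERMINATIONS = {
    "E1001": date(2017, 3, 1),
    "E1002": date(2017, 3, 15),
    "E1003": date(2017, 4, 2),
}

@dataclass
class Account:
    username: str
    employee_id: str
    enabled: bool
    disabled_on: Optional[date]  # None while the account is still enabled

ACCOUNTS = [
    Account("jdoe", "E1001", False, date(2017, 3, 1)),     # disabled same day: compliant
    Account("asmith", "E1002", False, date(2017, 4, 10)),  # disabled 26 days after termination
    Account("bjones", "E1003", True, None),                # still enabled after termination
    Account("svc_claims", "E2000", True, None),            # active employee, no finding
]

def audit_terminated_accounts(accounts, terminations, as_of, grace_days=1):
    """Return (username, finding, days) for accounts not disabled within
    grace_days of the HR termination date (grace period is an assumption)."""
    findings = []
    for acct in accounts:
        term = terminations.get(acct.employee_id)
        if term is None:
            continue  # not a terminated employee
        deadline = term + timedelta(days=grace_days)
        if acct.enabled:
            findings.append((acct.username, "still enabled", (as_of - term).days))
        elif acct.disabled_on > deadline:
            findings.append((acct.username, "disabled late", (acct.disabled_on - term).days))
    return findings

if __name__ == "__main__":
    for username, finding, days in audit_terminated_accounts(ACCOUNTS, TERMINATIONS, date(2017, 5, 1)):
        print(f"{username}: {finding} ({days} days after termination)")
```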
The access control and configuration management vulnerabilities OIG identified at the two Arizona MCOs are issues with which many other healthcare sector entities struggle, some security experts say.
"These are two very prevalent weaknesses in many healthcare settings," says Mac McMillan, CEO of security consulting firm CynergisTek.
"The first runs the gamut from poorly managed accounts to weak passwords to lack of secondary factors on remote access or critical applications; the latter is generally poor practices or poor discipline in following [configuration management] practices," he notes.
Tom Walsh, president of tw-Security, says that a variety of factors can contribute to some of the types of issues OIG identified in the report.
For instance, healthcare organizations largely rely on applications and systems that are primarily vendor-controlled and managed, he notes. "When a configuration change and a security update is needed, there is a heavy reliance on the vendor to provide those updates," he says.
"Healthcare - in particular Medicaid systems - tend to be older, large, complex applications and systems running on older hardware platforms and operating systems. Changes are carefully tested before they get rolled out to avoid unintentionally shutting down services. This means that systems will have a tendency to be behind in patching and other configuration management changes."
In addition, IT staffs are often stretched thin trying to address urgent problems relating to keeping systems up and running, Walsh notes. "Documentation - such as configuration management and change control documentation - are less important and can get overlooked. In some cases, a security change may have been accomplished, but it wasn't properly documented by the IT staff."
When it comes to some of the access control issues highlighted by OIG, such as ending access for terminated users, "healthcare organizations share data with multiple entities," Walsh says. "The organization sharing that data with another entity may not receive timely notifications from the other entities when someone on their staff no longer needs access. ... People tend to forget to send termination notifications to all of their business partners."
OIG writes that its report is intended to provide information to assist the HHS Centers for Medicare and Medicaid Services, the Arizona Health Care Cost Containment System - the state agency that administers Arizona's Medicaid program - and the two MCOs in strengthening their system security.
The OIG recommends that CMS, which administers Medicaid, take steps to address the watchdog agency's findings. That includes CMS "conducting a documented risk assessment and determining how the disparate application of federal security requirements impacts cybersecurity risk for Medicaid data maintained by MCOs and what actions should be taken to address any oversight gap ... for ensuring that data at MCOs is protected."
OIG also recommended that CMS inform all state agencies of the types of vulnerabilities identified at the Arizona MCOs "to enhance nationwide awareness of cybersecurity weaknesses."
In its comments included in the report, CMS stated that its leaders did not concur with OIG's recommendation to conduct a documented risk assessment, but did agree with the recommendation to inform all state agencies of the cybersecurity vulnerabilities identified at the Arizona MCOs.
"CMS stated that a risk assessment is already a requirement under the jurisdiction of the HHS Office for Civil Rights, and it would be duplicative of existing risk assessment efforts," OIG notes.
"CMS believed that it would be more effective to work with OCR to remind states and MCOs of their existing responsibilities for risk analysis and management under the HIPAA security regulations."
Walsh says that because each state handles MCOs' security requirements differently, it's challenging to make a broad statement of security risk to Medicaid data and systems nationwide based on the OIG's findings about two MCOs in Arizona.
"However, depending on the network connections or data exchanges taking place, it is possible for risks inherent in a state MCO to place other Medicaid systems at risk too," he notes. "This is becoming less of an issue as states have been implementing secure web portals for data exchanges rather than direct data feeds through some type of extranet."