Inspector General Uncovers 'High-Risk Security Vulnerabilities' in State Medicaid Systems

     The Office of the Inspector General (OIG) for the Department of Health and Human Services (HHS) has uncovered seventy-nine "high-risk security vulnerabilities" in the information processing systems of ten state Medicaid agencies that "raise concerns about the integrity of the systems used to process Medicaid claims."  While the ten states are not identified by name, the OIG said that the investigation "suggests that other State Medicaid information systems may be similarly vulnerable," though the results could not be conclusively applied to all fifty states.  Now that the expansion of Medicaid under the Affordable Care Act has taken effect in 2014, millions of new enrollees will be added to these same state systems, ready or not.
    While the number of findings range from a low of three in one state to a high of seventeen in another, a chart accompanying the report illustrates the pervasiveness of the problems throughout the states, as well as the widespread nature of the vulnerabilities:

    The OIG provided specific examples of the vulnerabilities exposed by the investigation:

• one State agency had not encrypted the hard drives of 14 portable laptop computers, leaving them susceptible to unauthorized access.
• one State agency had not established any type of formal agency-wide inventory mechanism to account for all information system components and devices and was unable to identify all workstations and servers that were authorized to access the secure network and so needed to be properly secured.
• one State agency had not enabled the network user account lockout function after unsuccessful login attempts, an error that could have allowed intruders to successfully run automated login attack tools without detection. 
• one State agency was using an insecure remote access method, which sent unencrypted data (including passwords) across the Internet, to perform system administration functions within its MMIS [Medicaid Management Information Systems].
• one State agency’s physical access control policies and procedures did not address the review of electronic badge access rights; consequently, some terminated employees still had access to the datacenter housing the State agency’s MMIS.
• one State agency had not established formal policies and procedures to address the antivirus software deployment and update requirements. In the absence of formal antivirus deployment policies and procedures, more than 1,000 workstations and 200 servers from the State agency’s network were not reporting to the antivirus software control console, which was used to track the antivirus deployment and update status. Without updated antivirus deployment, State agencies expose their networks to known vulnerabilities, which could leave sensitive systems and data susceptible to unauthorized access and exploitation. 

    In the report's conclusion, the OIG repeated the warning of the "serious vulnerabilities" found in the ten states studied.  The state Medicaid agencies told the OIG that the vulnerabilities were being addressed.  The OIG said that "management should make information system security a higher priority," and that the inspector general was continuing to investigate in this area.

    With full implementation of the Affordable Care Act (ACA) in 2014, Medicaid will see a massive increase in enrollment even with only about half of states participating in the ACA-related expansion. As many as 8.9 million low-income Americans will meet the revised income threshold for eligibility.  With the personal information of nearly 9 million more Americans running through state Medicaid systems, the increased strain on the system and workload of state personnel serve to increase the urgency of addressing these serious security shortcomings.


Note: A version of this post first appeared at The Weekly Standard.