Maryland fails OIG security audit, potentially put Medicaid patient data at risk
A U.S. Department of Health and Human Services Office of Inspector General audit of Maryland’s Medicaid system found the state did not adequately secure its Medicaid Management Information System (MMIS) and Medicaid data, which potentially put patient data and operations at risk.
OIG performed a vulnerability assessment scan to determine if there were existing vulnerabilities on the MMIS network, devices, websites and database. And while OIG officials found the state adopted a security program for the system, there were “significant system vulnerabilities.”
“These vulnerabilities remained because Maryland did not implement sufficient controls over its MMIS data and information systems,” the report authors wrote.
While there’s no evidence of unauthorized access, officials found that if exploited, the system flaws would have allowed unauthorized access and exposed Medicaid data and “the disruption of critical Medicaid operations.”
Not only that, but officials said the vulnerabilities were significant enough that it could have compromised the integrity of the state’s Medicaid program. While details of the flaws weren’t publically disclosed, officials said they were caused by a lack of sufficient controls.
Officials made a series of recommendations to bolster the state’s security program and systems to meet federal requirements. State officials agreed with recommendations and outlined steps it had taken and their plans to shore up security.
Maryland is just the latest state to be audited by OIG, many with similar results. In fact, HHS itself had a less than stellar audit in Dec. 2017. The audits are intended to find flaws and improve security posture across government systems.
Healthcare Security Forum
The Boston forum to focus on business-critical information healthcare security pros need Oct. 15-16.