OIG: Medicare system needs more USB security
An IT contractor that tests the Medicare claims standard systems needs to improve its security controls for USB devices, an Inspector General report recommends — particularly given the malware and breach risks that USB devices pose.
Quality Software Services Inc. (QSSI) provides independent testing for the Medicare Parts A and B fee-for-service standard systems with data on about 6 million Medicare beneficiaries, and until late last year, the firm hadn’t listed essential system services or USB ports in its security plan and hadn’t restricted the use of unauthorized USB device access, according to the Health and Human Services’ Office of the Inspector General.
Due to “insufficient controls over USB ports and devices, the (personally identifiable information) of over 6 million Medicare beneficiaries was at greater risk from malware, inappropriate access, or theft,” wrote assistant inspector general Kay Daly.
The testing systems weren’t subject to any breaches or viral activity, but the OIG pointed to several examples of USB devices compromising security as cause for concern. In 2008, a USB device inserted into a military computer transferred malware that spread undetected to other government computer networks and ultimately caused what deputy defense secretary William Lynn called the “most significant breach of U.S. military computers ever.”
Perhaps more malicious still is “Gauss,” malware of apparently unknown origin — similar to the Stuxnet virus that penetrated Iranian nuclear systems — that can infiltrate bank accounts and, once introduced into a Windows operating system, can intercept cookies from email and credit card accounts.
USBs also pose breach risks by way of simple human error in losing the device, the OIG said. In 2011, for instance, a University of Texas trainee lost an unencrypted USB with the medical records of 2,200 patients on an employee shuttle bus.
In its report, the OIG recommended QSSI update its policies and ensure that USB controls comply with federal requirements, namely National Institute of Standards and Technology guidelines for federal agencies. Specifically, the OIG said, the firm should list essential system services and ports in its security plan, update its policies to explicitly prohibit unauthorized USB devices in systems working with Medicare data and limit USB port access to “essential connections.”
QSSI, which is also building the data hub for the federally facilitated health insurance exchange, told the OIG it has already made several changes following the recommendations. The firm said it revised its access control policy with usage restrictions for USB and mobile devices and is implementing a “read only” restriction for USB ports on all laptops to disable automatic execution of code. QSSI also said it plans to require that all portable and mobile devices be scanned for malicious code.
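One way to apply the two host-level controls QSSI describes (read-only USB mass storage and no automatic execution of code from inserted media) on a Windows endpoint, as an added example that is not from the OIG report or from QSSI; it uses the StorageDevicePolicies WriteProtect value and the Explorer AutoRun policy values, and the function names are my own:

```powershell
# Added example (not from the OIG report or QSSI): apply the two controls the
# article describes on a Windows host and read them back for an auditor.
# Run in an elevated PowerShell session; WriteProtect applies to all USB mass
# storage devices (it is not per-port) and takes effect on next insertion.

$StoragePolicy  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. "Read only" USB storage: WriteProtect=1 makes the USB storage driver
#    refuse writes, so a host cannot copy beneficiary PII onto removable media.
function Set-UsbReadOnly {
    Set-RegistryDword -Path $StoragePolicy -Name 'WriteProtect' -Value 1
}

# 2. Disable automatic execution: NoDriveTypeAutoRun=0xFF turns AutoRun off for
#    every drive type; NoAutorun=1 makes Explorer ignore autorun.inf commands.
function Disable-AutoRun {
    Set-RegistryDword -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF
    Set-RegistryDword -Path $ExplorerPolicy -Name 'NoAutorun' -Value 1
}

# Read each value back instead of trusting that the write succeeded, so the
# control can be evidenced in a security plan review.
function Test-UsbHardening {
    $expected = [ordered]@{
        "$StoragePolicy|WriteProtect"        = 1
        "$ExplorerPolicy|NoDriveTypeAutoRun" = 0xFF
        "$ExplorerPolicy|NoAutorun"          = 1
    }
    foreach ($key in $expected.Keys) {
        $path, $name = $key -split '\|'
        $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{ Setting   = $name
                           Expected  = $expected[$key]
                           Actual    = $actual
                           Compliant = ($actual -eq $expected[$key]) }
    }
}

Set-UsbReadOnly
Disable-AutoRun
Test-UsbHardening | Format-Table -AutoSize
```

These registry values are what the corresponding Group Policy settings write, so in a managed environment the same controls are better deployed through GPO and the Test-UsbHardening check used to confirm they landed on each laptop.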