OIG scolds New Mexico for failing to secure Medicaid data

The state’s Human Services department migrated its legacy eligibility systems to a modernized network in 2014, but the Inspector General’s office found flaws caused by insufficient controls.
By Jessica Davis
12:24 PM

New Mexico’s Human Services Department didn’t “adequately secure” its Medicaid data and IT systems according to federal requirements, a report from the U.S. Department of Health and Human Services’ Office of the Inspector General found.

Further, OIG officials found systemic vulnerabilities in New Mexico’s newly adopted security system that, if exploited, could put the state’s HSD data at risk. The flaws were caused by a failure to implement sufficient controls on its Medicaid data and IT systems.

[Join Your Peers at HIMSS’ Healthcare Security Forum! Register Today]

“Although we did not identify evidence that the vulnerabilities had been exploited,” officials said in a statement, “exploitation could have resulted in unauthorized access to, and disclosure of, sensitive information, as well as in disruption of New Mexico's critical operations.”

“As a result, the vulnerabilities were collectively and, in some cases, individually significant and could have potentially compromised the confidentiality, integrity, and availability of New Mexico's eligibility systems,” officials added.

[Also: OIG warns EHR vendors it will 'vigilantly' crack down on false claims tied to meaningful use]

HSD migrated its legacy eligibility systems to the Automated System Program and Eligibility Network in 2014. The implementation was meant to improve patient access to services and give staff more advanced and efficient tools.

However, OIG auditors found inherent risks in its migration, based on a prior audit, which prompted this latest evaluation.

OIG shared these flaws with HSD, but left details out of its report to prevent exploitation. In its report to HSD, OIG also shared recommendations to improve its security posture. HSD concurred with all but one of OIG’s findings and corrective actions.

[Also: Hospitals must factor patient safety into security strategies]

HSD did not agree with OIG about its recommendation on the agency’s compensating control, but accepted all associated risks with the tool. Officials said OIG continues to recommend HSD implement its recommendation

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com