The Department of Health and Human Services’ Office of Inspector General (OIG) has recently published its annual review of the health IT security programs of Medicare Administrative Contractors (MACs).
A MAC is a private health care insurer contracted by the Centers for Medicare and Medicaid Services (CMS) to process Medicare Fee-For-Service beneficiary Part A/Part B (A/B) claims and/or Durable Medical Equipment (DME) claims in specific geographical regions.
Each year, the reviews highlight healthcare data security gaps that could potentially be exploited by malicious actors. In its 2014 review, the OIG discovered 129 healthcare data security gaps that needed to be addressed, an 8% increase from the 2013 review.
The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 and the Social Security Act require the CMS to conduct annual reviews of the security programs of MACs. An independent organization must be hired to conduct the reviews. The reviews provide valuable insight into the effectiveness of the security program at each MAC. They also identify data security vulnerabilities that must be addressed to ensure that PHI and Medicare data are properly protected and secured. In total, nine MACs were assessed for the review.
The CMS appointed PricewaterhouseCoopers (PwC) to conduct the 2014 review. PwC assessed each of the nine MACs against the control areas of the Federal Information Security Management Act of 2002 (FISMA) and the core security requirements of the CMS.
Eighteen high-risk data security gaps were identified, along with 45 medium-risk gaps and 66 low-risk gaps. In total, 129 data security gaps were identified by PwC.
All high- and medium-risk data security gaps identified by CMS/PwC must be addressed as a priority. Each MAC has now been issued a corrective action plan covering each data security gap. The CMS is required to follow up on the progress each MAC makes toward closing the gaps.
The review revealed that some MACs had failed to address the data security gaps identified in the 2013 review. Almost 30% of the previously identified gaps had not been addressed over the course of the previous 12 months. According to the OIG report, 28% of the gaps that had not been addressed were classed as high risk.
The main problem area for MACs was conducting periodic tests of information security controls: 38 data security gaps existed in this category, between three and six gaps per MAC. Risk management policies and procedures were also a problem area, with between three and five security gaps identified per MAC. Each of the nine MACs was also found to have at least one data security gap in its system security plan.
The OIG reported that while the total number of data security gaps had increased since 2013, the number of high- and medium-risk gaps had decreased slightly. The OIG recommended that the CMS continue to oversee the MACs and ensure that each remediates its medium- and high-risk security gaps in a timely manner.