CMS may have significant Medicare beneficiary data vulnerabilities because of gaps in the security standards applied to the organizations that review and audit Medicare performance, a new GAO report found.
GAO found that security requirements differ sharply across the three kinds of external entities that handle Medicare data: Medicare Administrative Contractors (MACs), third-party research organizations, and qualified public or private entities that analyze Medicare performance. CMS requires MACs to adhere to specific CMS security standards and subjects them to assessments, but it allows independent researchers to determine their own data security risks and controls.
CMS's position is that these independent organizations can judge their internal data risks more accurately than federal reviewers could. GAO warns, however, that self-administered security guidelines at public and private organizations may lack the comprehensive, risk-based controls needed to protect the data.
“Recent data breaches have highlighted the importance of ensuring the security of health information, including Medicare beneficiary data,” GAO said. “Such data are created, stored, and used by a wide variety of entities, such as health care providers, insurance companies, financial institutions, researchers, and others.”
“Without providing comprehensive, risk-based security guidance to researchers, CMS increases the risk that external entities possessing agency data may not have applied security controls that meet CMS standards.”
CMS also does not track the security controls that third-party administrators and researchers actually implement, leaving it with no view into where a breach might occur. Without routine security guidance and oversight, sensitive Medicare information may be handled inconsistently from one recipient to the next.
“By not providing guidance to researchers that includes security implementation requirements tailored to CMS-authorized uses of Medicare data, CMS cannot ensure that researchers implement security measures that are commensurate with the sensitivity of the data that is provided to them,” GAO advised.
Additionally, GAO's review of CMS's assessments of the MACs against federal standards found three recurring weaknesses. The first is configuration management, which CMS assessments repeatedly flagged across MACs. Sound configuration management keeps systems at an approved, documented baseline, applies software updates promptly, and checks that changes do not introduce new weaknesses.
The second concerns MAC system security plans. A system security plan documents which security controls a system is supposed to have and how each is implemented, which is what lets assessors verify that the contractor actually put the required safeguards in place rather than taking that on faith.
The third is incomplete system component inventories. An inventory of hardware and software underpins configuration management: an organization cannot patch, baseline, or monitor a device it does not know is on its network.
“Consequently, security officials may be unaware that inappropriately configured devices running obsolete versions of software may be connected to the network, posing risks to other systems and information,” GAO cautioned.
CMS assessors rated these as relatively low-risk findings, but GAO argued that uncorrected compliance gaps at the MACs could still lead to unintended exposure of beneficiary data.
“Weaknesses that appear to be low-risk may be indicators of more significant underlying issues and, thus, may not be receiving appropriate management attention or prompt remediation, unnecessarily exposing Medicare beneficiary data to security risks,” GAO said.
GAO provided a set of recommendations for CMS Administrator Seema Verma to ensure that MACs and other organizations are effectively protecting Medicare beneficiary data.
The first recommendation is for Verma to develop and distribute security guidance for third-party researchers that follows the National Institute of Standards and Technology (NIST) standards.
GAO's second and third recommendations are for Verma to develop processes and procedures for tracking the weaknesses identified in MAC assessments through to remediation, and to confirm that researchers receiving Medicare data have implemented security controls that meet CMS standards.
HHS concurred with GAO's recommendations that CMS must address Medicare beneficiary data security weaknesses at both its contractors and its third-party data recipients. Until concrete changes are made, however, those organizations continue to present an immediate security risk.
“Until CMS provides more comprehensive, risk-based guidance on implementing security controls to all of its external partners, there is an increased risk that researchers will not fully implement appropriate protections for Medicare beneficiary data,” GAO concluded.