Because of the recent data breaches, the chairmen of the U.S. Senate Committee on Finance, the House Committee on Energy and Commerce and the House Committee on Ways and Means requested that the U.S. Government Accountability Office (GAO) study the work of HHS’ Centers for Medicare and Medicaid Services (CMS). The study evaluates how well CMS protects Medicare beneficiary data that is accessed by external entities.
The three major objectives of the study include:
- Identify which external entities collect, store, and share Medicare beneficiary data
- Determine whether the requirements for protecting Medicare data are in line with federal guidance
- Evaluate CMS’ oversight of how those requirements are implemented
According to the study, although CMS has already established the security requirements that align with federal guidance for Medicare data access by external entities, the implementation of security controls has been inconsistent. GAO found the following inconsistencies:
- Requirements for implementing security controls aligned with federal guidance have been developed only for Medicare Administrative Contractors (MACs) and qualified entities. There are no such requirements for researchers, so there is no assurance that the data they handle is protected by security controls meeting CMS standards.
- An oversight program exists for the security of data handled by MACs, but there is no equivalent program for data handled by researchers and qualified entities. As a result, CMS is not able to determine whether Medicare beneficiary data held by those entities is adequately protected.
- Although CMS has monitored the assessments of MACs to ensure that security controls are correctly implemented, its tracking of the vulnerabilities identified by those assessments, and of the actions taken to correct them, has been inconsistent. Hence, there is no guarantee that all identified security gaps have been properly addressed.
To address the problems in securing Medicare beneficiary data, GAO made the following recommendations, with which CMS concurred.
- CMS needs to create security guidance for researchers that defines the minimum required security controls, aligned with NIST guidelines.
- All results of MAC assessments must be classified and monitored, and CMS must develop processes and procedures to verify that researchers and qualified entities follow the required data security controls.
- CMS should have an effective oversight program covering all external entities that access Medicare beneficiary data.