The Department of Health and Human Services’ Office of Inspector General (OIG) has released the results of its audit of Maryland’s Medicaid system. The audit was conducted in keeping with the HHS OIG’s initiatives to monitor states’ usage of various Federal programs and to determine whether adequate security measures have been put in place to secure the Medicaid Management Information System (MMIS) and sensitive Medicaid data.
The audit comprised interviews with employees, an assessment of supporting paperwork, and vulnerability scans of network equipment, servers, internet sites, and databases that were part of the state’s MMIS.
The audit discovered several system security flaws that had the potential to be exploited by threat actors to obtain access to Medicaid data and interrupt Medicaid services. Together, and in certain instances independently, the flaws were ‘significant’ and had the potential to seriously disrupt the state’s Medicaid program. OIG said the vulnerabilities were due to the failure to implement adequate controls over MMIS data and communication systems. While the flaws could have easily been exploited to gain access to the MMIS and Medicaid data, no evidence was uncovered to suggest any of the vulnerabilities had been exploited.
OIG provided Maryland with detailed information on the flaws that had been discovered, although the vulnerabilities were not disclosed publicly. OIG has made several recommendations to help Maryland improve the security of its MMIS and ensure Medicaid data are properly safeguarded to a standard that satisfies Federal requirements. Maryland agreed with all of the suggestions made by OIG and has developed a plan to tackle all of the vulnerabilities that have not yet been fixed.
The audit was one of a number carried out on different states in the last few months. The results of the Maryland audit are comparable to the MMIS audits in other states. While it is certainly a concern that serious security flaws have been discovered, the audit will at least ensure that security gaps are plugged and should help to prevent future data breaches and cyberattacks.