Department of Health and Human Services OFFICE OF INSPECTOR GENERAL



Similar documents
HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

INFORMATION SECURITY AT THE HEALTH RESOURCES AND SERVICES ADMINISTRATION NEEDS IMPROVEMENT BECAUSE CONTROLS WERE NOT FULLY IMPLEMENTED AND MONITORED

THE INFORMATION TECHNOLOGY INFRASTRUCTURE

REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013

THE FRAUD PREVENTION SYSTEM IDENTIFIED MILLIONS IN MEDICARE SAVINGS, BUT THE DEPARTMENT COULD STRENGTHEN SAVINGS DATA

ARKANSAS GENERALLY SUPPORTED ITS CLAIM FOR FEDERAL MEDICAID REIMBURSEMENT

May 12, Report Number: A Mr. Trace Woodward Finance Director National Heritage Insurance Company 402 Otterson Drive Chico, CA 95928

J:::'~~ c.4;t: Regional Inspector General for Audit Services. June 17,2008. Report Number: A

CMS DID NOT ALWAYS MANAGE AND OVERSEE CONTRACTOR PERFORMANCE

Page 2 Ms. Janna Zumbrun. HHS Action Official:

MAY Report Number: A-OI

RHODE ISLAND HOSPICE GENERAL INPATIENT CLAIMS

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

COLORADO CLAIMED UNALLOWABLE MEDICAID NURSING FACILITY SUPPLEMENTAL PAYMENTS

JUt vengriy-- Review offederal Medicaid Claims Made by Inpatient Substance Abuse Treatment Facilities in New Jersey (A )

OREGON PROPERLY VERIFIED CORRECTION OF DEFICIENCIES IDENTIFIED DURING SURVEYS OF NURSING HOMES PARTICIPATING IN MEDICARE AND MEDICAID

THE OFFICE OF THE NATIONAL COORDINATOR FOR HEALTH INFORMATION TECHNOLOGY S OVERSIGHT OF THE TESTING

COLORADO CLAIMED UNALLOWABLE MEDICAID INPATIENT SUPPLEMENTAL PAYMENTS

MASSACHUSETTS MEDICAID PAYMENTS TO ESSEX PARK REHABILITATION AND NURSING CENTER DID NOT ALWAYS COMPLY WITH FEDERAL AND STATE REQUIREMENTS

JUl ' Review ofmedicaid Claims Made by Freestanding Residential Treatment Facilities in New York State (A )

MORRISTOWN MEDICAL CENTER INCORRECTLY BILLED MEDICARE INPATIENT CLAIMS WITH KWASHIORKOR

MEDICARE COMPLIANCE FOLLOWUP REVIEW OF BOSTON MEDICAL CENTER

MEDICARE INAPPROPRIATELY PAID HOSPITALS INPATIENT CLAIMS SUBJECT TO THE POSTACUTE CARE TRANSFER POLICY

Maryland Misallocated Millions to Establishment Grants for a Health Insurance Marketplace (A )

March 23, Report Number: A

MOUNT SINAI MEDICAL CENTER INCORRECTLY BILLED MEDICARE INPATIENT CLAIMS WITH KWASHIORKOR

August 9, Report Number: A

OREGON DID NOT BILL MANUFACTURERS FOR REBATES FOR PHYSICIAN-ADMINISTERED DRUGS DISPENSED TO ENROLLEES OF MEDICAID MANAGED-CARE ORGANIZATIONS

i;; .j. \::::l' P: t~

June 13, Report Number: A

, MAY. oß.vi.. Daniel R. Levinson ~ ~ .~~.vi...

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL

perform cost settlements to ensure that future final payments for school-based services are based on actual costs.

APR,: Charlene Frizzera Acting Administrator Centers for Medicare & Medicaid Services. FROM: Daniel R. Levinson ~,u,l, ~.~ Inspector General

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL

MEDICARE CONTRACTORS PAYMENTS TO PROVIDERS FOR HOSPITAL OUTPATIENT DENTAL SERVICES IN JURISDICTION K DID NOT COMPLY WITH MEDICARE REQUIREMENTS

/Diann M. Saltman/ for George M. Reeb Acting Deputy Inspector General for Audit Services

JUN Review of Termination Claim for Postretirement Benefit Costs Made by CareFirst. Maryland, Incorporated (A )

Review Of Hartford Hospital s Controls To Ensure Accuracy Of Wage Data Used For Calculating Inpatient Prospective Payment System Wage Indexes

DEPARTMENT OF HEALTH AND HUMAN SERVICES OFFICE OF AUDIT SERVICES 233 NORTH MICHIGAN AVENUE. August 4, 2008

~ 1AY Patrie';;. cogley:'>~o. Report Number: A

JUN SUBJECT: Review of Head Start Board of Directors, Inc., for the Period September 1,2006, Through October 23,2007 (A-OI )

)1VC(~J1~J~l AUG 1 ~,U08. Sincerely, Report Number: A-OI Dear Ms. Favors:

("t>".4:.. ~.,~f- ;\~Uf.~ APR San Francisco, CA Report Number: A

NOT ALL COMMUNITY SERVICES BLOCK GRANT RECOVERY ACT COSTS CLAIMED

NOT ALL OF THE COLORADO MARKETPLACE S INTERNAL CONTROLS WERE EFFECTIVE IN ENSURING THAT INDIVIDUALS WERE ENROLLED IN QUALIFIED HEALTH PLANS ACCORDING

May 22, Report Number: A

OFFICE OF INSPECTOR GENERAL

Report Number: A

Review of Medicaid Upper-Payment-Limit Requirements for Kansas Nursing Facility Reimbursement (A )

Region VII 601 East 12 th Street Room 0429 April 11, 2011 Kansas City, Missouri 64106

/Lori S. Pilcher/ Assistant Inspector General for Grants, Internal Activities, and Information Technology Audits

SEP f Nationwide Review of Inpatient Rehabilitation Facilities' Compliance With Medicare's Transfer Regulation (A )

NEW JERSEY IMPROPERLY CLAIMED MEDICAID REIMBURSEMENT FOR SOME HOME HEALTH CLAIMS SUBMITTED BY HOME HEALTH AGENCIES

OFFICE OF INSPECTOR GENERAL

MEDICARE DRUG INTEGRITY CONTRACTORS IDENTIFICATION

MEDICARE BENEFICIARIES PAID NEARLY HALF OF THE C OSTS FOR OUTPATIENT SERVICES AT CRITICAL ACCESS HOSPITALS

COSTS CHARGED TO HEAD START PROGRAM ADMINISTERED BY ROCKINGHAM COMMUNITY ACTION,

OFFICE OF INSPECTOR GENERAL

OCR SHOULD STRENGTHEN ITS OVERSIGHT OF COVERED ENTITIES COMPLIANCE WITH THE HIPAA PRIVACY STANDARDS

MEDICARE S NATIONAL CORRECT CODING INITIATIVE

/-..~.~ JAN Mr. Dennis Conroy, SPHR

Montana Did Not Properly Pay Medicare Part B Deductibles and Coinsurance for Outpatient Services (A )

CDC S ETHICS PROGRAM FOR SPECIAL GOVERNMENT EMPLOYEES

MEDICARE PART D E-PRESCRIBING STANDARDS: EARLY ASSESSMENT SHOWS PARTIAL CONNECTIVITY

January 18, Donald M. Berwick, M.D. Administrator Centers for Medicare & Medicaid Services. /Daniel R. Levinson/ Inspector General

In total, Massachusetts overstated its Medicaid claim for reimbursement by $5,312,447 (Federal share).

MEDICAID DRUG PRICE COMPARISON: AVERAGE SALES PRICE TO AVERAGE WHOLESALE PRICE

REVIEW OF MEDICARE CLAIMS FOR AIR AMBULANCE SERVICES PAID TO NATIVE AMERICAN AIR AMBULANCE

Medicaid Revocation of Medicare DME Suppliers

OFFICE OF INSPECTOR GENERAL

CMS AND ITS CONTRACTORS HAVE ADOPTED FEW PROGRAM INTEGRITY PRACTICES TO ADDRESS VULNERABILITIES IN EHRS

OFFICE OF INSPECTOR GENERAL

EFFECT OF THE PART D COVERAGE GAP ON MEDICARE BENEFICIARIES WITHOUT FINANCIAL ASSISTANCE IN 2006

,.~. ReportNumber: A-O July2, DEPARTlVIENT OF HEALTH AND HUlVlAl'i SERVICES

CALCULATION OF VOLUME- WEIGHTED AVERAGE SALES PRICE FOR MEDICARE PART B PRESCRIPTION DRUGS

EARLY ASSESSMENT OF REVIEW MEDICAID INTEGRITY CONTRACTORS

COMPOUNDED DRUGS UNDER MEDICARE PART B: PAYMENT AND OVERSIGHT

TEXAS MADE INCORRECT MEDICAID ELECTRONIC HEALTH RECORD INCENTIVE PAYMENTS

COMPARING PHARMACY REIMBURSEMENT: MEDICARE PART D TO MEDICAID

Dennis G. Smith Director, Center for Medicaid and State Operations

AGENCY FOR HEALTHCARE RESEARCH AND QUALITY: MONITORING PATIENT SAFETY GRANTS

ALLEVIATE WELLNESS CENTER RECEIVED UNALLOWABLE MEDICARE PAYMENTS FOR CHIROPRACTIC SERVICES

REVIEW OF THE DEPARTMENT OF HEALTH AND HUMAN SERVICES COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2015

THE UNIVERSITY OF SOUTH FLORIDA DID NOT ALWAYS CLAIM COSTS

CMS RESPONSE TO BREACHES AND MEDICAL IDENTITY THEFT

SURETY BONDS REMAIN AN UNDERUTILIZED TOOL TO PROTECT MEDICARE FROM SUPPLIER OVERPAYMENTS

EFFECT OF THE HOME HEALTH PROSPECTIVE PAYMENT SYSTEM

CDC S CHEMPACK PROJECT: NERVE AGENT ANTIDOTE STORAGE

Review of Arizona s Medicaid Claims for School-Based Health Services (A )

Department of Health and Human Services

. 4 " ~ f.".2 DEPARTMENT OF HEALTH & HUMAN SERVICES OFFICE OF INSPECTOR GENERAL. December 19,2003. Our Reference: Report Number A-O

TRACEABILITY IN THE FOOD SUPPLY CHAIN

GENERIC DRUG UTILIZATION IN

LOCAL PANDEMIC INFLUENZA PREPAREDNESS: VACCINE AND ANTIVIRAL DRUG DISTRIBUTION AND DISPENSING

Office of Inspector General

AUG Ambulance suppliers did not always comply with consolidated billing biling requirements in CY 2006.

Page 2 Kerry Weems. We recommend that the State agency: refund to the Federal Government $29,759,384 in unallowable costs claimed for TCM services;

JUl Review of Abortion-Related Laboratory Claims Billed as Family Planning Under the New York State Medicaid Program (A )

Review of Georgia s Title IV-E Adoption Assistance Costs (A )

Transcription:

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL THE CENTERS FOR MEDICARE & MEDICAID SERVICES IMPLEMENTATION OF SECURITY CONTROLS OVER THE MULTIDIMENSIONAL INSURANCE DATA ANALYTICS SYSTEM NEEDS IMPROVEMENT Inquiries about this report may be addressed to the Office of Public Affairs at Public.Affairs@oig.hhs.gov Gloria L. Jarmon Deputy Inspector General for Audit Services September 2015 A-06-14-00067

Office of Inspector General http://oig.hhs.gov The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is to protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components: Office of Audit Services The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit work done by others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations. These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS. Office of Evaluation and Inspections The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations. Office of Investigations The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties. Office of Counsel to the Inspector General The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and operations and providing all legal support for OIG s internal operations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.

Notices THIS REPORT IS AVAILABLE TO THE PUBLIC at http://oig.hhs.gov Section 8M of the Inspector General Act, 5 U.S.C. App., requires that OIG post its publicly available reports on the OIG Web site. OFFICE OF AUDIT SERVICES FINDINGS AND OPINIONS The designation of financial or management practices as questionable, a recommendation for the disallowance of costs incurred or claimed, and any other conclusions and recommendations in this report represent the findings and opinions of OAS. Authorized officials of the HHS operating divisions will make final determination on these matters.

Although the Centers for Medicare & Medicaid Services had implemented controls to secure the Multidimensional Insurance Data Analytics System and consumer personally identifiable information, we identified areas for improvement in its information security controls. This summary report provides an overview of the results of the Office of Inspector General s (OIG) review of the Multidimensional Insurance Data Analytics System (MIDAS). It does not include specific details of the vulnerabilities that we identified because of the sensitive nature of the information. We have provided more detailed information and recommendations to officials responsible for the MIDAS so that they can address the issues we identified. The findings listed in this summary reflect a point in time regarding system security and may have changed since we reviewed these systems. WHY WE DID THIS REVIEW Analytics and database systems that are not secured properly create vulnerabilities that could be exploited by unauthorized individuals to compromise the confidentiality of personally identifiable information (PII) or other sensitive data. Data and systems security is a top oversight priority for OIG. The MIDAS is a central repository for insurance-related data intended to provide reporting and performance metrics to the Department of Health and Human Services for various initiatives mandated by the Patient Protection and Affordable Care Act. The MIDAS collects, generates, and stores a high volume of sensitive consumer information, and it is critical that it be properly secured. Therefore, we performed the audit described in this summary report. Our objective was to assess whether CMS had implemented information security controls to secure the PII related to the MIDAS and a certain number of its supporting databases. HOW WE CONDUCTED THIS REVIEW We focused our audit on information security controls over operations and systems that support MIDAS s database servers. The Centers for Medicare & Medicaid Services (CMS) is responsible for providing guidance and oversight for the MIDAS. Therefore, we reviewed CMS s policies and procedures related to the MIDAS s information security controls. We also examined documentation related to the MIDAS and conducted interviews with CMS representatives who administer the system. We reviewed contractor reports related to vulnerability scans of the MIDAS, determined whether CMS had fully addressed and remediated the vulnerabilities found, and conducted database vulnerability scans. We limited our review of controls to those that were in effect at the time of our audit. We conducted our audit work from August to December 2014. We conducted the performance audit described here in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient appropriate evidence to provide a reasonable basis for our findings and CMS s Implementation of Security Controls Over MIDAS Needs Improvement (A-06-14-00067) 1

conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. WHAT WE FOUND AND RECOMMENDED Although CMS had implemented controls to secure the MIDAS and consumer PII data in the systems and databases we reviewed, we identified areas for improvement in its information security controls. At the time of our fieldwork, CMS: had not disabled unnecessary generic accounts 1 in its test environment; had not encrypted user sessions; had not conducted automated vulnerability assessments that simulate known attacks, which would have revealed vulnerabilities (e.g., password weaknesses and misconfigurations) specific to the application or databases that support the MIDAS; and used a shared read-only account for access to the database that contained the PII. In addition to the information security control vulnerabilities mentioned above, our database vulnerability scans identified 22 high, 62 medium, and 51 low vulnerabilities. We made related recommendations to address the issues we identified. CMS provided the attached comments on our findings and recommendations. CMS EFFORTS DURING THE COURSE OF OUR AUDIT We shared with CMS information about our vulnerability scan findings immediately following the scan and informed CMS about other preliminary findings in advance of issuing our draft report. CMS began remediation efforts before the completion of our fieldwork. In written comments, CMS concurred with all of our recommendations. CMS reported that it remediated all vulnerabilities and addressed all findings we identified before we issued our final report. We have since reviewed the supporting documentation and verified CMS s remediation. 1 A generic account is an account used for application maintenance or other privileged access that can allow multiple users to access a single account. CMS s Implementation of Security Controls Over MIDAS Needs Improvement (A-06-14-00067) 2

l-4-.,s~vi C-ts-. ~ DEPAR1MENT APPENDIX: CMS COMMENTS OF HEALTH & HUMAN SERVICFS Centers for Medicare & Medicaid Seovices 200 Independence Avenue SW Washington, DC 20201 DATE: ffay- 8 2015 TO: Daniel R. Levinson Inspector General FROM: AndrewM. Slavitt ~~ ~ Acting Administrator SUBJECT: Office of Inspector General (OIG) Draft Report: "The Centers for Medicare & Medicaid Services' Implementation ofsecurity Controls Over the Multidimensional Insurance Data Analytics System Needs Improvement" (A-06 14-00067) The Centers for Medicare & Medicaid Services (CMS) appreciates the opportunity to review and comment on this draft report. The privacy and security of consumers' personally identifiable information (PII) are a top priority for CMS. CMS takes OIG's findings seriously and has implemented all ofoig's recommendations and addressed all ofthe security vulnerabilities identified in this report. The privacy and security ofconsumers' personally identifiable information (PII) are a top priority for CMS. No person or group has maliciously accessed personally identifiable information from HealthCare.gov or its related systems. The Multidimensional Insurance Data Analytics System (MIDAS) supports HealthCare.gov by acting as a central repository for capturing, aggregating, and analyzing enrollment, plan selection, consumer, and other marketplace data. MIDAS is an internal system accessible only by authorized CMS employees and support personnel. Use ofmidas must be requested and approved based on appropriate justification before staffor a contractor is granted access. CMS requires MIDAS, like all federal systems that CMS maintains or that are maintained on its behalf, to comply with the Federal Information Security Management Act of2002 (FISMA). In addition, MIDAS has met the CMS Acceptable Risk Safeguards (ARS) 2.0 security controls ident ified in Appendix A ofthe Draft Report. CMS is focused on conti nually strengthening our security and privacy controls. In addition to weekl y vulnerability assessments ofthe MIDAS environment, we conduct an annual Security Control Assessment (SCA) that meets Federal and industry standards. CMS worked with the OIG dw ing the security testing and within a week ofthe findings being identified, CMS had addressed all the high vulnerabilities identified. CMS had addressed a maj ority of the remaining findings within 30 days ofidentification. All ofoig' s findings in this CMS's Implementation ofsecurity Controls Over MIDAS Needs Improvem ent (A-06-14-00067) 3

Page 2 - Daniel R. Levinson report were addressed by February 2015. In addition, all ofthe recommendations in this report were fully implemented prior to the draft report being issued. CMS thanks OIG for their efforts on this issue and looks forward to working with OIG on this and other issues in the future. CMS's Implementation ofsecurity Controls OverMIDAS Needs Improvement (A-06-14-00067) 4

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information