A number of health privacy and security developments have occurred in recent months that emphasize the importance of health privacy and security for State Medicaid programs. This advisory summarizes these recent developments.
OIG Audit Report on Security Vulnerabilities
On March 5, 2014, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) issued an audit report summarizing its review of electronic information system controls at 10 State Medicaid agencies. The OIG reports that it found “serious vulnerabilities” in the 10 States’ Medicaid Management Information Systems (MMIS). The OIG intends for its report to assist States and CMS in strengthening security, and points out the key areas of vulnerability on which States should focus.
Background
45 C.F.R. Part 95, Subpart F includes requirements for costs for federally funded automatic data processing equipment and services incurred under the State plan for programs including Medicaid and CHIP. The definition of automated data processing is broad and includes all computers (and supporting equipment), data transmission, input, and communications equipment, and services to operate these systems.
Section 95.621(f) provides that States are responsible for the security of all automatic data processing projects and operations involved in the administration of HHS programs. Sections 11205, 11210, and 11280 of the State Medicaid Manual also explain that the provisions of this regulation apply to state MMIS systems and to state eligibility determination systems.
Specifically, States must implement appropriate security measures based on recognized industry standards. These standards include establishment of a security plan, as appropriate, and policies and procedures to address the following areas:
- physical security;
- equipment security to protect from theft and unauthorized use;
- software and data security;
- telecommunications security;
- personnel security;
- contingency plans to meet critical processing needs in the event of a service interruption;
- emergency preparedness; and
- designation of an Agency Automatic Data Processing (ADP) security manager.
Id. § 95.621(f)(2). States are also required to conduct periodic risk analyses, at least biannually, including whenever significant changes occur. Id. § 95.621(f)(3). States must maintain these reports for on-site reviews by HHS.
Costs for these activities are matched at the regular administrative match rate. However, States that fail to comply with the requirements for automatic data processing may be subject to a disallowance of federal financial participation (FFP). Id. § 95.612.
OIG Audit
The OIG explained that it conducted its reviews of State Medicaid agencies’ MMIS systems using procedures from the Government Accountability Office’s (GAO) Federal Information System Controls Audit Manual, which provides a methodology for evaluating information system controls.
The audits looked at the structure, policies, and procedures that apply to the States’ information systems and identified high-risk vulnerabilities in 10 unnamed State agencies’ MMIS systems. The OIG identified 79 findings of vulnerabilities among the 10 States. In many States, the vulnerabilities identified were similar, suggesting to the OIG that the problems were “systemic and pervasive.”
OIG has grouped its findings into three main control categories: entity-wide controls, access controls, and network operations controls.
Entity-wide controls. Entity-wide controls establish the framework for assessing risk, implementing effective procedures, and monitoring these procedures. The OIG found non-compliance with regard to entity-wide controls in the following areas:
- Security System Plans. The OIG writes that States should formalize security plans at both the system and application levels for networks, facilities, and systems. These plans should address the duties of those responsible for overseeing security as well as security measures for those who own, use, or rely on these systems. For example, at least one State had not developed a formal, comprehensive security plan that addressed the major application elements of the State’s MMIS system.
- Encryption. States should ensure that data stored on and transmitted over their systems are sufficiently encrypted, including data on laptop computers and mobile devices.
- Contingency Plans. States must establish policies and procedures for continuity of operations in emergencies including detailed roles and responsibilities and procedures for restoration of systems. For example, the OIG found at least one State had not established disaster recovery plans to recover and reestablish business functions related to claims processing.
- Configuration Management. Configuration management ensures proper maintenance of the information systems throughout their life cycle. OIG recommends that States establish configuration management policies that include a decision-making structure for system changes as well as documentation procedures for implementation and testing. For example, the OIG reported that in one State, the network administrator could implement system changes without formal management approval or documented procedures for implementation and testing, which could lead to compromised data security.
- Inventory Tracking. States are required to maintain inventories of their systems to monitor, test, and evaluate information technology controls. States should be able to identify workstations and servers authorized to access secure networks. The OIG reported that at least three States had tracking vulnerabilities, such as failing to establish any type of formal agency-wide inventory mechanism.
- Risk Assessments. Risk assessments should consider threats to confidentiality, integrity, and availability of data and systems posed by authorized users as well as unauthorized users who may attempt to break into the system.
- Security Configuration Baselines. A configuration baseline includes information about all systems designated at a specific time during a system’s life. OIG recommends that States maintain a current and comprehensive baseline inventory of hardware, software, and firmware that is routinely validated for accuracy.
Access Controls. Access controls are physical and technological controls that prevent or detect unauthorized access. The OIG found non-compliance with these requirements in the following areas:
- Logical Access Rights. Each State should ensure that access to networks is appropriately segregated and limited to those individuals who have a legitimate need for access.
- Identification and Authentication. States should have user identification and authentication systems that require sufficiently strong passwords, lockouts after numerous unsuccessful login attempts, or other safeguards that require the system to validate a user’s identity before he or she may access sensitive data.
- Remote Access Security. Remote access should require two-factor authentication (in which one factor is provided by a separate device) and have appropriate encryption technology. The OIG reported that remote access places MMIS systems at a higher risk of being compromised.
- Physical Security. In addition to technological controls, States should have adequate physical security measures that restrict entry to those who need access.
Network Operations Controls. Network operations controls monitor systems to ensure the network is secure from attacks. The OIG found four main vulnerabilities with these controls:
- Network Device Management. These systems, including firewalls, routers, and switches, alert the managers of attempted attacks. The OIG explains that systems must be monitored frequently to track the system and ensure proper configuration of the network devices.
- Patch Management. Patches allow for timely corrections to system flaws and weaknesses. OIG recommends that States establish procedures for timely deployment of patches. This was a common issue identified by the OIG: in one State, approximately 30% of the agency’s computers did not have the latest patches.
- Antivirus Deployment. OIG also requires States to have adequate antivirus systems to detect and remove malicious viruses. In one case, OIG found a State had more than 1,000 workstations and 200 servers that were not reporting to the antivirus console and receiving required updates.
- Logging and Monitoring. OIG recommends States keep computer security logs that identify all security incidents, policy violations, fraudulent activities, and operational problems.
The OIG report puts States on notice that the security of information systems, including MMIS and eligibility systems, is a high priority for the OIG. States should ensure that their current systems have the required elements described above in order to guard against a disallowance of FFP.
HIPAA Compliance
In addition to the requirements that govern federally funded automatic data processing equipment and services incurred under the State plan, State Medicaid agencies are also subject to HIPAA as covered entities. 45 C.F.R. § 160.103. The HIPAA Security Rule requires covered entities to protect the confidentiality and integrity of electronic protected health information (PHI).
Specifically, covered entities must implement sufficient administrative, physical, and technical safeguards.
- Administrative safeguards include policies and procedures that are designed to prevent, detect, and correct threats to the integrity and confidentiality of PHI. These include risk analyses, adequate security personnel, workforce training and supervision, and emergency, contingency, and recovery plans for PHI. § 164.308.
- Physical safeguards ensure that only authorized personnel have access to areas where PHI is stored, such as building access control, workstation security measures, monitoring of equipment’s movement into and out of the facility, and protecting equipment from tampering or theft. § 164.310.
- Technical safeguards guard against unauthorized access to electronic devices. This includes measures that make PHI unreadable to unauthorized users, such as encryption, as well as automatic logoff after periods of inactivity and frequent changing of passwords. § 164.312.
Recent enforcement efforts suggest that HHS is scrutinizing public health entities subject to HIPAA for compliance with the Security Rule. HHS announced its first settlement with a county government. HHS and Skagit County, Washington agreed to a $215,000 monetary settlement after the Skagit County Health Department suffered a data breach that resulted in the compromise of seven individuals’ PHI. Skagit County had inadvertently moved the electronic PHI of 1,581 individuals, contained in money receipts, to a publicly accessible server.
HHS concluded that, in addition to the breach, Skagit County failed to implement sufficient policies and procedures to prevent, detect, contain, and correct security violations as required by the HIPAA Security Rule. Furthermore, HHS found that the County did not have sufficient policies and procedures designed to ensure compliance with the Security Rule. HHS’s investigation also concluded that Skagit County failed to provide adequate notification as required by the breach notification rule. 45 C.F.R. § 164.404.
HHS reports that the County will continue to work with HHS through a corrective action plan. The plan requires the County to provide notice to those individuals not previously notified, provide HHS with copies of the accountings of disclosures provided to individuals, keep and submit adequate documentation of Skagit County’s hybrid entity status, conduct an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI maintained by the County, implement adequate policies and procedures for compliance with HIPAA, adequately train workforce members, and provide adequate reporting to HHS.
Meanwhile, HHS has faced recent criticism from the Office of Inspector General (OIG) that its enforcement actions on the Security Rule are not sufficiently proactive. The OIG issued a report in November 2013 criticizing the Office for Civil Rights (OCR) for not conducting sufficient audits to assess compliance with the Security Rule, and instead relying primarily on breach reporting to initiate investigations. It is expected that HHS may increase its periodic audits as a result of the report.
These recent efforts indicate that State Medicaid agencies should take steps to ensure that they are in compliance with HIPAA, including the new requirements of the final HITECH rule that became effective in September 2013. We previously addressed the requirements of the new rule applicable to State Medicaid agencies in our advisories entitled HITECH Updates #1-4, issued in February 2013.