OIG Report Finds Vulnerabilities in Medicaid Services Agency

Vulnerabilities in Centers for Medicare & Medicaid Services could result in the disclosure of personally identifiable information and the “disruption of critical operations,” a government watchdog warned this week.

Vulnerabilities exist in systems that belong to the Centers for Medicare & Medicaid Services, a federal agency that’s part of the United States’ Department of Health and Human Services. If exploited the bugs could result in the disclosure of personally identifiable information and the “disruption of critical operations,” a government watchdog warned this week.

The Office of the Inspector General issued a report on Wednesday claiming it found, in a 2015 audit, four vulnerabilities in security controls used in the agency’s wireless networks.

Centers for Medicare & Medicaid Services, or CMS, helps oversee health insurance standards such as the Health Insurance Portability and Accountability Act, or HIPPA, and maintain quality standards in nursing homes. It also assists state governments when it comes to administering Medicaid.

The OIG said it doesn’t appear the vulnerabilities have been exploited, but acknowledges if they ever were it could have troubling implications for CMS and compromise the “confidentiality, integrity, and availability of CMS’s data and systems.”

The vulnerabilities stem from a failure on CMS’ part to follow through with previously diagnosed vulnerabilities, Amy Frontz, Assistant Inspector General for Audit Services said.

“According to CMS, these vulnerabilities existed because of improper configurations and failure to complete necessary upgrades that CMS previously identified and reported as having been currently under way,” Frontz wrote in the report, “The vulnerabilities that we identified were collectively and, in some cases, individually significant.”

The document (.PDF) follows a wireless penetration test the OIG performed on 13 CMS data centers from Aug. 31 to Dec. 4, 2015. The OIG wouldn’t get into specifics around the flaws because the controls protect sensitive information.

For what it’s worth, the agency didn’t refute any of the OIG’s findings and instead asserted that it had either already addressed the vulnerabilities or was in the middle of addressing them. In a letter to the OIG’s Inspector General Daniel Levinson, Andrew Slavitt, Acting Administrator at CMS said the agency appreciated the audit. Slavitt added that the agency has a number of defenses in place; it requires two-factor authentication,  its network can only be accessed via a VPN, and it proactively monitors and blocks threats.

“CMS acknowledges that risks exist inherently for every IT system and that as technology progresses, additional safeguards will be needed,” Slavitt wrote, “CMS concurred with all of the OIG findings and has already addressed several of the findings and is in the process of addressing the remaining findings.”

It’s unclear if the agency has fixed those remaining bugs since CMS issued the letter, on July 8. An emailed request for comment to CMS was not immediately returned on Thursday.

The OIG’s Office of Audit Services regularly vets government systems for vulnerabilities to ensure agencies are compliant and have adequate information security controls.

Last fall, in addition to calling out the Office of Personnel Management, the OIG reprimanded the Department of Education, claiming its pen testers were able to “gain full access to the Department’s network” and use the access “to pivot from this entry point and launch attacks on other systems connected to the Department, all undetected.”

Suggested articles