CMS wireless networks have vulnerabilities, watchdog finds

A wireless penetration test of certain Centers for Medicare & Medicaid Services Data Centers revealed security vulnerabilities

A wireless penetration test of certain Centers for Medicare & Medicaid Services Data Centers revealed security vulnerabilities, according to a new report from the HHS Office of the Inspector General.

The overwhelming majority of payment for U.S. nursing home care originates through the Medicare and Medicaid programs, which collect exhaustive data on each beneficiary.

Wireless networks provide “tremendous cost savings” when compared with traditional wired infrastructures, the OIG noted. However, while the public report did not list specifics, it dinged CMS on four vulnerabilities in security controls over its wireless networks.

“The vulnerabilities that we identified were collectively and, in some cases, individually significant,” reported Amy J. Frontz, Assistant Inspector General for Audit Services. CMS told the watchdog agency the vulnerabilities existed due to improper configurations and a failure to finish necessary upgrades.

While there was no evidence of the vulnerabilities leading to problems, “exploitation could have resulted in unauthorized access to and disclosure of personally identifiable information, as well as disruption of critical operations. In addition, exploitation could have compromised the confidentiality, integrity, and availability of CMS's data and systems,” Frontz wrote.

In his July 8 response, acting administrator Andy Slavitt said CMS had a number of wireless security controls in place that would be effective against a cyber-attack, and reiterated that the OIG found “no evidence of unauthorized access to or disclosure of personally identifiable information.”

However, CMS agreed that “as technology progresses, additional safeguards will be needed,” he wrote.

CMS concurred with all of the OIG findings, has already addressed several of the points and is in the process of addressing the remaining findings, Slavitt added.

The penetration testing ran from August 31 to December 4, 2015.