Data security concerns still haunt Medicare contractors

PwC found there were 19% fewer “gaps” in security in FY 2013.
PwC found there were 19% fewer “gaps” in security in FY 2013.

Information security at nine selected Medicare administrative contractors, at least as of two years ago, was improving, but deficiencies remain, according to a report from the Department of Health & Human Services Office of the Inspector General. 

The report's release comes at a time of heightened awareness in government after a series of highly publicized cyberattacks on the Department of Defense and the White House.

In its analysis for fiscal 2013, PricewaterhouseCoopers (PwC) found there were 19% fewer “gaps” in security requirements than the year before. PwC uncovered a total of 119 gaps, which are defined as the difference between the core security requirements and the contractors' implementation of them. These 119 gaps were consolidated into 67 findings. 

The majority of identified gaps were in the areas of policies and procedures to reduce risk and periodic testing of information security controls.

PwC identified 42 policy/procedural gaps in areas that included system configuration, patches and malicious software protection. A total of 39 testing gaps were identified, including areas such as system inventories and security configuration issues and weaknesses. In a third evaluation area — incident detection, reporting, and response — PwC uncovered gaps in log review policies, reporting of scans and probes and undocumented intrusion detection and monitoring procedures.

Perhaps most disappointing were the number of reoccurring findings from fiscal 2012. PwC identified nearly 30% of the 2013 issues as repeat findings. More than half of the repeat findings were identified as high risk.

Information security requirements for Medicare administrative contractors, fiscal intermediaries and carriers were established by law in 2003. Each Medicare contractor must have its information security program evaluated annually.