Information security improves at Medicare contractors: OIG

Information security at nine selected Medicare administrative contractors, at least as of two years ago, was improving, according to a recent report by the Department of Health & Human Services Office of the Inspector General. The report's release comes at a time of heightened awareness in government after a series of highly publicized cyberattacks on the Department of Defense and the White House.

In its analysis for fiscal 2013, PricewaterhouseCoopers (PwC) found there were 19% fewer “gaps” in security requirements than the year before. PwC uncovered a total of 119 gaps, which are defined as the difference between the core security requirements and the contractors' implementation of them. Contractors are evaluated based on standards established by the Centers for Medicare & Medicaid Services and the Federal Information Security Management Act of 2002 (FISMA).

The majority of identified gaps fell into two areas: policies and procedures to reduce risk, and periodic testing of information security controls.

PwC identified 42 policy/procedural gaps in areas that included system configuration, patches and malicious software protection. A total of 39 testing gaps were identified, including areas such as system inventories and security configuration issues and weaknesses. In a third major evaluation area — incident detection, reporting, and response — PwC uncovered gaps in log review policies, reporting of scans and probes, and undocumented intrusion detection and monitoring procedures.

Information security requirements for Medicare administrative contractors, fiscal intermediaries and carriers, all of which process and pay Medicare fee-for-service claims, were established under the Medicare Prescription Drug, Improvement, and Modernization Act of 2003. Each Medicare contractor must have its information security program evaluated annually by an independent entity, according to the OIG report.

While heartened by the improvement in information security, the OIG concluded “deficiencies remain” in the FISMA control areas tested. It called on CMS to ensure that contractors close all gaps “in a timely manner.”