Report: Security plans, training among Medicare contractors not up to HHS standards

The number of problems in Medicare Administrative Contractors' information security programs is on the rise, according to a federal audit published this week.

The MAC security evaluation, required by the Medicare Prescription Drug, Improvement, and Modernization Act of 2003, found that a total of 149 security gaps existed in the nine MACs reviewed for Fiscal Year 2015.

That number marked a 16% jump, as 129 gaps were identified in the same nine contractors for FY 2014, the Department of Health and Human Services' Office of Inspector General said in its report. More than half of the gaps were considered low-risk, although 22 were noted as high-risk.

OIG cautioned, however, that additional controls were tested for the 2015 review, which may account for part of the increase in the number of gaps reported.

The majority of those gaps fell into three areas: policies and procedures to reduce risk (45), periodic testing of information security controls (41) and system security plans (15). Gaps were also reported in security awareness training and in incident detection, reporting and response.

The report recommends that the Centers for Medicare & Medicaid Services (CMS) keep up its oversight visits and ensure that MACs remedy the high- and medium-risk gaps "in a timely manner."

The report's findings mirror security gaps seen throughout the healthcare industry, Mac McMillan, CEO of security consulting firm CynergisTek, told Gov Info Security on Tuesday.

"Vulnerability management as a whole - hardening, patching, configuration management, change control, regular testing - seems to be a struggle for many health systems, large and small," McMillan said. "Legacy systems and applications, end-of-life platforms, medical devices and other devices - such as the internet of things - that cannot be secured properly just add to this challenge."