Security Vulnerabilities at Medi-Cal MCOs Revealed in OIG Audit

The Department of Health & Human Services Office of Inspector General has recently published the results of information system reviews conducted on three Californian Medicaid managed-care organizations (MCOs), revealinf numerous, significant security vulnerabilities.

Overall, 74 high-risk security vulnerabilities were found across 14 separate security control areas. Many of the vulnerabilities were present at all three Medi-Cal MCOs suggesting similar security vulnerabilities may well exist at all Medi-Cal MCOs. Each of the potential vulnerabilities had potential to place patient data at risk of exposure.

The vulnerabilities were filed into three broad areas: Access controls, security management and configuration control.

Access measures included password and login controls, database security controls, the use of backup storage media, and portable device security. Physical security controls to secure devices and systems, as well as the management of remote network access and Wi-Fi networks were also included in this category.

Thirty one separate access control security vulnerabilities were found during the audits. 10 of those weaknesses related to the use of portable and backup media such as flash drives. These specific devices are too easily lost or stolen, yet the data stored on the devices had not been encrypted.

Database controls were also not present. One of the MCOs had not encrypted its database, while access logs were not maintained. This made it impossible to see who had accessed sensitive data.

When members leave an organization, policies must exist to destroy logins and dormant accounts. One of the MCO’s under reviewwas not terminating access to systems in a timely manner.

WLAN activity was also not logged by one body, while restrictions were not implemented on the websites which could be accessed. Two-factor authentication was not used by one MCO for remote network access. One MCO did not securely store back up devices off site and under protection.

Security management controls included system security plans, contingency planning, destruction of devices used to store data, sanitization of data, and background checks on new employees. 14 separate security risks were discovered in this category.

Disaster recovery plans and contingency planning were foundd to be inadequate at one of the audited MCOs. One MCO had not carried a security control review of the claims processing system, while the disposal and sanitization of devices were not effectively recorded, in particular, for portable storage devices such as flash drives.

While it was not discovered whether a background check had actually been completed, there was no documentation to show that a director of technology and security had been subjected to a background check prior to being hired to the role.

Configuration management included the setup of network devices, out of date software, administration and management of software patches and management of antivirus software. 29 potential vulnerabilities existed in this category.

One MCO did not perform timely updates of anti-virus software definitions. Software programs were not kept up to date to the latest version in a reasonable time frame by one MCOs, potentially allowing systems to be attacked via a well-known vulnerability. The installation of software patches was also found not properly managed, resulting in security risks existing for an excessive period of time.

Worryingly, one of the MCOs had not properly configured its router, allowing any attacker to view and intercept data, including user passwords. The router had clear text protocol running to allow the monitoring and management of network devices by network administrators. This serious security vulnerability potentially placed all ePHI at risk.

Out of the 14 subdivisions within the above three general control categories, possible dangers existed in six of the categories which were shared by all three audited Medi-Cal organizations. These vulnerabilities made up 53 of the 74 security vulnerabilities discovered.

As stated in the report, the number of shared vulnerabilities “raise concerns about the integrity of the systems used to process Medicaid managed-care claims.” While it was not possible to find whether all Medi-Cal MCOs have the same security vulnerabilities as those audited, OIG concluded that many of the vulnerabilities are high risk, systemic, and pervasive. They could potentially be in place at all Medi-Cal MCOs.

Consequently, they ruled that action should be taken by all MCOs to assess their organizations for potential risks. The full report can be viewed here.