Security Vulnerabilities at Medi-Cal MCOs Revealed in OIG Audit

by | Dec 16, 2015

The Department of Health & Human Services Office of Inspector General has recently published the results of information system reviews conducted on three Californian Medicaid managed-care organizations (MCOs), revealinf numerous, significant security vulnerabilities.

Overall, 74 high-risk security vulnerabilities were found across 14 separate security control areas. Many of the vulnerabilities were present at all three Medi-Cal MCOs suggesting similar security vulnerabilities may well exist at all Medi-Cal MCOs. Each of the potential vulnerabilities had potential to place patient data at risk of exposure.

The vulnerabilities were filed into three broad areas: Access controls, security management and configuration control.

Access measures included password and login controls, database security controls, the use of backup storage media, and portable device security. Physical security controls to secure devices and systems, as well as the management of remote network access and Wi-Fi networks were also included in this category.

Thirty one separate access control security vulnerabilities were found during the audits. 10 of those weaknesses related to the use of portable and backup media such as flash drives. These specific devices are too easily lost or stolen, yet the data stored on the devices had not been encrypted.

Database controls were also not present. One of the MCOs had not encrypted its database, while access logs were not maintained. This made it impossible to see who had accessed sensitive data.

When members leave an organization, policies must exist to destroy logins and dormant accounts. One of the MCO’s under reviewwas not terminating access to systems in a timely manner.

WLAN activity was also not logged by one body, while restrictions were not implemented on the websites which could be accessed. Two-factor authentication was not used by one MCO for remote network access. One MCO did not securely store back up devices off site and under protection.

Security management controls included system security plans, contingency planning, destruction of devices used to store data, sanitization of data, and background checks on new employees. 14 separate security risks were discovered in this category.

Disaster recovery plans and contingency planning were foundd to be inadequate at one of the audited MCOs. One MCO had not carried a security control review of the claims processing system, while the disposal and sanitization of devices were not effectively recorded, in particular, for portable storage devices such as flash drives.

While it was not discovered whether a background check had actually been completed, there was no documentation to show that a director of technology and security had been subjected to a background check prior to being hired to the role.

Configuration management included the setup of network devices, out of date software, administration and management of software patches and management of antivirus software. 29 potential vulnerabilities existed in this category.

One MCO did not perform timely updates of anti-virus software definitions. Software programs were not kept up to date to the latest version in a reasonable time frame by one MCOs, potentially allowing systems to be attacked via a well-known vulnerability. The installation of software patches was also found not properly managed, resulting in security risks existing for an excessive period of time.

Worryingly, one of the MCOs had not properly configured its router, allowing any attacker to view and intercept data, including user passwords. The router had clear text protocol running to allow the monitoring and management of network devices by network administrators. This serious security vulnerability potentially placed all ePHI at risk.

Out of the 14 subdivisions within the above three general control categories, possible dangers existed in six of the categories which were shared by all three audited Medi-Cal organizations. These vulnerabilities made up 53 of the 74 security vulnerabilities discovered.

As stated in the report, the number of shared vulnerabilities “raise concerns about the integrity of the systems used to process Medicaid managed-care claims.” While it was not possible to find whether all Medi-Cal MCOs have the same security vulnerabilities as those audited, OIG concluded that many of the vulnerabilities are high risk, systemic, and pervasive. They could potentially be in place at all Medi-Cal MCOs.

Consequently, they ruled that action should be taken by all MCOs to assess their organizations for potential risks. The full report can be viewed here.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy