Maryland did not adequately secure its Medicaid data and information systems

Aug. 17, 2018

HHS oversees States’ use of various Federal programs, including Medicaid. State agencies are required to establish appropriate computer system security requirements and conduct biennial reviews of computer system security used in the administration of State plans for Medicaid and other Federal entitlement benefits (45 CFR § 95.621). This review is one of a number of HHS, Office of Inspector General, reviews of States’ computer systems used to administer HHS-funded programs.

The objective was to determine whether Maryland adequately secured its Medicaid Management Information System (MMIS) and data and whether it claimed certain Medicaid administrative costs in accordance with Federal requirements.

HHS reviewed Maryland’s MMIS policies and procedures, interviewed staff, and reviewed supporting documentation that Maryland provided. In addition, HHS used vulnerability assessment scanning software to determine whether security-related vulnerabilities existed on selected MMIS supporting network devices, websites, servers, and databases. HHS communicated its preliminary findings to Maryland in advance of issuing its draft report.

Maryland did not adequately secure its Medicaid data and information systems in accordance with Federal requirements and guidance. Although Maryland had adopted a security program for its MMIS, numerous significant system vulnerabilities existed.

These vulnerabilities remained because Maryland did not implement sufficient controls over its MMIS data and information systems. Although HHS did not identify evidence that anyone had exploited these vulnerabilities, exploitation could have resulted in unauthorized access to and disclosure of Medicaid data, as well as the disruption of critical Medicaid operations. These vulnerabilities were collectively and, in some cases, individually significant and could have compromised the integrity of Maryland’s Medicaid program.

HHS did not review Maryland’s Medicaid administrative costs that resulted from the failed MMIS replacement project. At the time of the audit, Maryland was engaged in ongoing litigation with the contractor. Accordingly, there are no recommendations regarding those costs.

HHS recommends that Maryland improve its Medicaid security program to secure Medicaid data and information systems in accordance with Federal requirements.

In written comments on the draft report, Maryland concurred with HHS’s recommendations and described actions that it had taken or plans to take to implement them.

HHS – Office of Inspector General has the release
