Maryland did not adequately secure its Medicaid data and information systems

Aug. 17, 2018

HHS oversees States’ use of various Federal programs, including Medicaid. State agencies are required to establish appropriate computer system security requirements and conduct biennial reviews of computer system security used in the administration of State plans for Medicaid and other Federal entitlement benefits (45 CFR § 95.621). This review is one of a number of HHS, Office of Inspector General, reviews of States’ computer systems used to administer HHS-funded programs.

The objective was to determine whether Maryland adequately secured its Medicaid Management Information System (MMIS) and data and whether it claimed certain Medicaid administrative costs in accordance with Federal requirements.

HHS reviewed Maryland’s MMIS policies and procedures, interviewed staff, and reviewed supporting documentation that Maryland provided. In addition, HHS used vulnerability assessment scanning software to determine whether security-related vulnerabilities existed on selected MMIS supporting network devices, websites, servers, and databases. They communicated to Maryland our preliminary findings in advance of issuing our draft report.

Maryland did not adequately secure its Medicaid data and information systems in accordance with Federal requirements and guidance. Although Maryland had adopted a security program for its MMIS, numerous significant system vulnerabilities existed.

These vulnerabilities remained because Maryland did not implement sufficient controls over its MMIS data and information systems. Although HHS did not identify evidence that anyone had exploited these vulnerabilities, exploitation could have resulted in unauthorized access to and disclosure of Medicaid data, as well as the disruption of critical Medicaid operations. These vulnerabilities were collectively and, in some cases, individually significant and could have compromised the integrity of Maryland’s Medicaid program.

HHS did not review Maryland’s Medicaid administrative costs that resulted from the failed MMIS replacement project. At the time of the audit, Maryland was engaged in ongoing litigation with the contractor. Accordingly, there are no recommendations regarding those costs.

HHS recommend that Maryland improve its Medicaid security program to secure Medicaid data and information systems in accordance with Federal requirements.

In written comments on the draft report, Maryland concurred with our recommendations and described actions that it had taken or plans to take to implement them.

HHS – Office of Inspector General has the release