News Feature | May 17, 2016

OIG Finds 129 Medicare Security Gaps

By Megan Williams, contributing writer

The OIG, the nation’s largest office dedicated to combatting waste and fraud within HHS programs, has released its review of Medicare contractors for fiscal year 2014. While some improvements were found, overall, most contractors have room for growth.

The evaluation was conducted by PwC and revealed a total of 129 security gaps across the nine Medicare administrative contractors (MACs) for FY 2014. That number is up 8 percent from 2013 for the same nine contractors. The gaps were categorized into three groups: high, medium, and low risk, and broke down as follows:

  • high-risk: 18
  • medium-risk: 45
  • low-risk: 66

A notable number of high- and medium-risk gaps were found to be repeats from 2013 (18, or 29 percent), with five of those 18 identified as high-risk in both years.

Individual MACs

Gaps for each MAC came in at an average of 14, ranging between 11 and 18. The most gaps occurred in the following FISMA (Federal Information Security Management Act of 2002) control areas:

  • periodic testing of information security controls (38 gaps across nine MACs)
  • policies and procedures to reduce risk (36 gaps across nine MACs)
  • system security plans (16 gaps across nine MACs)

MACs will be expected to develop corrective action plans to address each medium- and high-risk gap that was identified. The corrective action plans will be tracked by CMS to ensure that they are addressed in a timely manner.

CMS’ Conclusion

To conclude the reports, CMS included the following statement: “The scope of the work and sufficiency of documentation for all reported gaps were sufficient for the nine MACs reviewed by PwC. While the total number of gaps, which includes low-risk gaps, identified at the MACs has increased slightly from FY 2013, the total number of high- and medium-risk gaps decreased slightly. Deficiencies remain in the FISMA control areas tested, including many that were high risk and were repeated from the previous year. CMS should continue its oversight visits and ensure that the MACs remediate all high- and medium-risk gaps in a timely manner.”

The full 12-page document is available here.