• Home
• FAQs
• FOIA
• Contact
• Download Reader
• Twitter
• YouTube

• Switch to the full site
• Home
• Report Fraud
• Search Exclusions
• What's New
• Criminal/Civil Enforcement
• Most Wanted Fugitives
• Podcasts
• Advisory Opinions
• Corporate Integrity Agreements
• Videos
• Careers

• Home
• Reports & Publications
• Office of Audit Services
• Center For Medicare and Medicaid Services
• Report

Audit (A-18-09-30200)

02-17-2011
Review of Medicare Contractor Information Security Program Evaluations for Fiscal Year 2008

Executive Summary

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 added information security requirements for Medicare contractors to the Social Security Act (the Act). Each Medicare contractor must have its information security program evaluated annually by an independent entity. To comply with this provision, CMS contracted with PricewaterhouseCoopers (PwC) to evaluate information security programs at the contractors using a set of agreed-upon procedures. The Act also requires evaluations of the information security controls for a subset of systems. To satisfy this requirement, CMS developed an information security assessment methodology and contracted with JANUS Associates, Inc. (JANUS), to perform technical assessments at Medicare data centers using the methodology.

OIG must submit to Congress annual reports on the results of these evaluations, to include assessments of their scope and sufficiency. This report fulfills that responsibility for fiscal year 2008.

PwC's evaluations of the contractor information security programs were adequate in scope and sufficiency. We could not determine the scope and sufficiency of the JANUS work for all of the data center technical assessments because of several issues with its working papers. PwC reported a total of 161 gaps at 26 Medicare contractors. JANUS reported a total of 48 gaps at 8 data centers.

We recommended that CMS review all contractor documentation related to future data center technical assessments and ensure that the work performed complies with CMS contractual requirements. At a minimum, this should include a review of test plans to ensure that the contractor has completed all required testing procedures and a review of contractor working papers to verify that reported gaps have been adequately supported, identified, and included in the technical assessment reports. CMS concurred with our recommendation and stated that it would take the appropriate actions to address the identified issues.

Complete Report

Download the complete report (PDF)

Adobe® Acrobat® is required to read PDF files.

Copies can also be obtained by contacting the Office of Public Affairs at 202-619-1343.

Let's start by choosing a topic

X

• Compendium

  Priority recommendations summarized.

• Work Plan

  OIG planned projects.

• Semiannual Report

  Significant OIG activities in 6-month increments.

• Compliance 101

  Free educational resources.

• Advisory Opinions

  Legal opinions issued by the OIG about the application of its fraud and abuse authorities.

• Child Support Enforcement

  OIG plays a role in pursuing deadbeat parents.

• All Reports and Publications
  • Strategic Plan
  • Budget
  • Top Management & Performance Challenges
  • Work Plan
  • Semiannual Reports to Congress
  • Unimplemented Recommendations
  • Office of Audit Services
  • Office of Evaluation and Inspections
  • Portfolio Reports
  • Other Reviews
  • Featured Topics
  • Federal Register
  • Podcasts
  • Testimony and Speeches
  • Videos
• Archives

Get Email Updates

Stay up to date on the latest OIG news and opinions