Skip Navigation
United States Flag

An official website of the United States government. Here's how you know >

A New Look for HHS-OIG. Learn More >>

Change Font Size

Audit (A-18-07-30291)

Review of Medicare Contractor Information Security Program Evaluations for Fiscal Year 2007

Executive Summary

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 requires that each Medicare contractor must have its information security program evaluated annually by an independent entity. To comply with this provision, CMS contracted with PricewaterhouseCoopers to evaluate information security programs at the Medicare administrative contractors, fiscal intermediaries, and carriers. CMS also contracted with JANUS Associates, Inc. (JANUS), to perform technical assessments at Medicare data centers.

PricewaterhouseCoopers’ reviews of the Medicare contractor information security program evaluations were adequate in scope and sufficiency. We could not determine the extent and sufficiency of the JANUS work for the data center technical assessments because of several issues with its working papers.

We recommended that CMS review all contractor documentation related to future data center technical assessments and ensure that the work performed complies with CMS contractual requirements. At a minimum, this should include a review of test plans to ensure that the contractor has completed all required testing procedures and a review of contractor working papers to verify that reported gaps have been adequately supported, identified, and included in the technical assessment reports. We also recommended that CMS test security control areas in which a considerable number of gaps have consistently been identified in the past 2 fiscal years at all CMS Medicare data centers every year. CMS concurred with our recommendations.

Complete Report

Download the complete report (PDF)

Adobe® Acrobat® is required to read PDF files.

Copies can also be obtained by contacting the Office of Public Affairs at 202-619-1343.

Office of Inspector General, U.S. Department of Health and Human Services | 330 Independence Avenue, SW, Washington, DC 20201