Review of Medicare Contractor Information Security Program Evaluations for Fiscal Year 2009
Federal law requires that each Medicare contractor have its information security program evaluated annually by an independent entity, and these evaluations must address the eight major requirements enumerated in the Federal Information Security Management Act of 2002. To comply with this provision, the Centers for Medicare & Medicaid Services (CMS) contracted with PricewaterhouseCoopers (PwC) to evaluate information security programs at the Medicare administrative contractors, fiscal intermediaries, and carriers using a set of agreed-upon procedures. The Act also requires evaluations of the information security controls for a subset of systems but does not specify the criteria for these evaluations. To satisfy this requirement, CMS developed an information security assessment methodology and contracted with iFed, LLC (iFed), to perform technical assessments at Medicare data centers using the methodology.
OIG must submit to Congress annual reports on the results of these evaluations, to include assessments of their scope and sufficiency. This report fulfills that responsibility for fiscal year 2009.
Our review found that PwC's evaluations of the contractor information security programs were adequate in scope and were sufficient. iFed's assessments for most of the data centers tested were adequate in scope and were sufficient. PwC reported a total of 94 gaps at 21 Medicare contractors. iFed reported a total of 67 gaps at 7 data centers.
We recommended that CMS review all contractor documentation related to future data center technical assessments and ensure that the work performed complies with CMS contractual requirements. At a minimum, this should include a review of test plans to ensure that the contractor has completed all required testing procedures and a review of contractor working papers to verify that reported gaps have been adequately supported. CMS concurred with our recommendation and stated that it would take the appropriate actions to address the identified issues.