Review of Medicare Contractor Information Security Program Evaluations for Fiscal Year 2011

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 added to the Act information security requirements for Medicare administrative contractors (MACs), fiscal intermediaries, and carriers, which process and pay Medicare fee-for-service claims. To comply with these requirements, the Centers for Medicare & Medicaid Services (CMS) contracted with PricewaterhouseCoopers (PwC) to evaluate information security programs at the MACs, fiscal intermediaries, and carriers using a set of agreed-upon procedures. The Act also requires evaluations of the information security controls for a subset of systems but does not specify the criteria for these evaluations. To satisfy this requirement, CMS expanded the scope of its evaluations to test segments of the Medicare claims processing systems hosted at the Medicare data centers, which support each of the MACs, fiscal intermediaries, and carriers.

PwC's evaluations of the contractor information security programs were adequate in scope and were sufficient. PwC reported a total of 127 gaps at 11 Medicare contractors for FY 2011, which was a decrease of 23 percent from FY 2010. Gaps are defined as the differences between Federal Information Security Management Act of 2002 or CMS core security requirements and the contractors' implementation of them.