Alabama Did Not Adequately Secure Its Medicaid Data and Information Systems
HHS oversees States' use of various Federal programs, including Medicaid. State agencies are required to establish appropriate computer system security requirements and conduct biennial reviews of computer system security used in the administration of State plans for Medicaid and other Federal entitlement benefits (45 CFR � 95.621). This review is one of a number of HHS OIG reviews of States' computer systems used to administer HHS-funded programs. Our objective was to determine whether Alabama adequately secured its Medicaid data and information systems in accordance with Federal requirements.
We reviewed Alabama's Medicaid Management Information System (MMIS) policies and procedures, interviewed staff, and reviewed supporting documentation that Alabama provided. In addition, we used vulnerability assessment scanning software to determine whether security-related vulnerabilities existed on selected MMIS supporting network devices, Web sites, servers, and databases. We communicated to Alabama our preliminary findings in advance of issuing our draft report.
Alabama did not adequately secure its Medicaid data and information systems in accordance with Federal requirements. Although Alabama had adopted a security program for its MMIS, numerous significant system vulnerabilities remained. These vulnerabilities remained because Alabama neither implemented sufficient controls over its MMIS data and information systems nor provided sufficient oversight to ensure that HP, Alabama's Medicaid fiscal agent, implemented contract security requirements. Although we did not identify evidence that anyone had exploited these vulnerabilities, exploitation could have resulted in unauthorized access to and disclosure of Medicaid data, as well as the disruption of critical Medicaid operations. These vulnerabilities were collectively and, in some cases, individually significant and could have compromised the integrity of Alabama's Medicaid program.
We recommend that Alabama improve its Medicaid security program to secure Medicaid data and information systems in accordance with Federal requirements, provide adequate oversight to its contractors, and address the vulnerabilities identified during our audit.
Alabama concurred with our recommendations and described steps that it had taken or planned to take to address our recommendations. However, in its comments on our draft report Alabama objected to the title of our report, stating, "Alabama has always, and will continue to always, strive to secure its Medicare data and information systems."
We acknowledged in our draft report that Alabama had adopted a security program to protect its Medicaid data and information systems. However, we identified significant vulnerabilities, which increased the risks of Medicaid data and information systems being exploited. Therefore, we did not change the title of our report.
Filed under: Center for Medicare and Medicaid Services