Public Summary Report: Information Technology Control Weaknesses Found in the New Mexico Human Services Department's Medicaid Eligibility Systems
This summary report provides an overview of the results of our audit of the information system general controls over the New Mexico Medicaid eligibility systems. It does not include specific details of the vulnerabilities that we identified because of the sensitive nature of the information. We have provided more detailed information and recommendations to New Mexico so that it can address the issues we identified. The findings listed in this summary report reflect a point in time regarding system security and may have changed since we reviewed these systems.
New Mexico had not adequately secured its Medicaid data and information systems in accordance with Federal requirements. Although New Mexico adopted a security program for its eligibility systems, we identified system vulnerabilities that potentially placed New Mexico's operations at risk. These vulnerabilities existed because New Mexico had not implemented sufficient controls over its Medicaid data and information systems.
Although we did not identify evidence that the vulnerabilities had been exploited, exploitation could have resulted in unauthorized access to, and disclosure of, sensitive information, as well as in disruption of New Mexico's critical operations. As a result, the vulnerabilities were collectively and, in some cases, individually significant and could have potentially compromised the confidentiality, integrity, and availability of New Mexico's eligibility systems.
We recommended that New Mexico implement our detailed recommendations to address the findings we identified in its eligibility system security program. In written comments on our draft report, New Mexico stated that it concurred with all of our findings and described corrective actions that it had taken or plans to take. However, New Mexico did not concur with one of our recommendations and described a compensating control and that they elected to accept all risks related to the control.
Filed under: Centers for Medicare and Medicaid Services