High-Risk Security Vulnerabilities Identified During Reviews of Information Technology General Controls at State Medicaid Agencies
This report summarizes the high-risk security vulnerabilities that we noted as audit findings in our previous, restricted reviews of information system general controls related to the Medicaid Management Information Systems (MMIS) at 10 State agencies between calendar years 2010 and 2012. Information system general controls are the structure, policies, and procedures that apply to an entity's overall computer operations, ensure proper operations of information systems, and create a secure environment for application systems. Some primary objectives of general controls are to safeguard data, protect computer applications, prevent unauthorized access to system software, and ensure continued computer operations after unexpected interruptions.
We identified a total of 79 findings in the 10 State Medicaid agencies whose information system general controls we audited between calendar years 2010 and 2012. We grouped these 79 individual findings into 15 security control areas within 3 information system general control categories: entitywide controls, access controls, and network operations controls. Among the entitywide control findings, the most significant and pervasive involved the need to develop or strengthen formal, comprehensive plans for system security, contingency planning, and configuration management. Findings in the area of access controls included frequently noted vulnerabilities related to logical access and user account management, login identification and authentication, and remote access. Among the network operations control findings, the most significant and pervasive involved the need for formalized policies and procedures for network device management and patch management.
In some of the general control areas, we noted findings with similar vulnerabilities in different State agencies, which indicated that the vulnerabilities identified in these findings were systemic and pervasive. However, because we did not test all of the same information system general controls at each State agency and because we did not use a methodology that would permit us to extrapolate our findings to all State agencies, we cannot conclude that all Medicaid information system security environments have similar vulnerabilities.
Officials from several State agencies described some common causes when we discussed these findings with them. They pointed most frequently to resource constraints that made information system security a lower priority. Officials also described a lack of formal policies and procedures when explaining the causes of the vulnerabilities. The effectiveness of these information system general controls directly affects the State agencies' ability to sustain secure Medicaid systems.
Filed under: Centers for Medicare & Medicaid Services