
Alabama MMIS and E&E System Security Controls Were Adequate, but Some Improvements Are Needed

Issued on  | Posted on  | Report number: A-18-22-09010

Why OIG Did This Audit

We are conducting a series of audits of State Medicaid Management Information Systems (MMISs) and Eligibility and Enrollment (E&E) systems of selected States to determine how well these systems are protected when subjected to cyber-attacks.

Our objectives were to determine: (1) whether security controls in operation for Alabama MMIS and E&E system environments were effective in preventing certain cyber-attacks, (2) the likely level of sophistication or complexity an attacker needs to compromise Alabama’s MMIS and E&E system or its data, and (3) Alabama’s ability to detect cyber-attacks against its MMIS and E&E system and respond appropriately.

How OIG Did This Audit

We conducted a penetration test of the Alabama MMIS and E&E system from November through December 2022. The penetration test focused on the MMIS and E&E system’s public IP addresses and web application URLs. We also conducted a simulated phishing campaign that included Alabama personnel in December 2022. We contracted with XOR Security, LLC (XOR), to assist in conducting the penetration test. We closely oversaw the work performed by XOR, and the assessment was performed in accordance with agreed-upon Rules of Engagement among OIG, XOR, and Alabama.

What OIG Found

The Alabama MMIS and E&E system had adequate security controls in place to prevent our simulated cyber-attacks from resulting in a successful compromise; however, we found six security controls required by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4, that could be improved to better prevent certain cyber-attacks.

In addition, we estimated that an adversary would need a moderate level of sophistication to compromise the Alabama MMIS and E&E system. Finally, Alabama demonstrated that it has implemented adequate controls to detect and block phishing emails sent from a known malicious IP address. However, improvements to its detection controls are needed to better identify certain web application cyber-attacks.

Alabama did not effectively implement some security controls because, in part, its vulnerability scanning tools did not identify the flaws and vulnerabilities we discovered in its systems. Additionally, Alabama did not adequately follow secure coding practices during its software development life cycle and did not remediate vulnerabilities before deployment to Alabama’s production systems. As a result of Alabama not effectively implementing security controls or identifying vulnerabilities, an attacker could potentially launch certain cyber-attacks against the Alabama MMIS and E&E system to remotely execute malicious code on a computer or redirect users to malicious websites. Such cyber-attacks could facilitate an attacker’s ability to gain initial unauthorized access to an Alabama system and potentially allow the attacker to move deeper into the network and/or extract sensitive information such as Personal Health Information.

What OIG Recommends and Alabama Comments

We made a series of recommendations for Alabama to improve its security controls over its MMIS and E&E system, including that it require its developers to follow secure coding best practice requirements.

Alabama concurred with our recommendations and stated that it has mitigated or has developed plans to mitigate the findings we identified. Although we have not yet confirmed the changes Alabama described in its comments, we commend Alabama for its ongoing efforts to improve the overall security posture of its MMIS and E&E system environments.

24-A-18-056.01 to CMS - Open Unimplemented
Update expected on 04/04/2025
We recommend that the Alabama Medicaid Agency remediate the six control findings OIG identified.

24-A-18-056.02 to CMS - Closed Implemented
Closed on 10/04/2024
We recommend Alabama evaluate its current vulnerability scanning tools and update if necessary in order to better detect system flaws (e.g., common web server vulnerabilities) in its MMIS and E&E system and software components.

24-A-18-056.03 to CMS - Open Unimplemented
Update expected on 04/04/2025
We recommend Alabama require its developers to follow secure coding standards and best practices, at a minimum, such as those recommended by NIST SP 800-218 or the Open Web Application Security Project (OWASP), when developing web applications.

24-A-18-056.04 to CMS - Open Unimplemented
Update expected on 04/04/2025
We recommend Alabama implement procedures to periodically verify that its developers are adhering to secure coding standards and remediating vulnerabilities before releasing code to production.

24-A-18-056.05 to CMS - Open Unimplemented
Update expected on 04/04/2025
We recommend Alabama perform more robust technical testing of web-facing systems that includes the emulation of an adversary's tactics and techniques on a defined recurring basis in order to better assess the effectiveness of NIST SP 800-53 controls.
