Maryland Did Not Adequately Secure Its Medicaid Data and Information Systems

HHS oversees States' use of various Federal programs, including Medicaid. State agencies are required to establish appropriate computer system security requirements and conduct biennial reviews of computer system security used in the administration of State plans for Medicaid and other Federal entitlement benefits (45 CFR ''95.621). This review is one of a number of HHS, Office of Inspector General, reviews of States' computer systems used to administer HHS-funded programs.

Our objective was to determine whether Maryland adequately secured its Medicaid Management Information System (MMIS) and data and whether it claimed certain Medicaid administrative costs in accordance with Federal requirements.

We reviewed Maryland's MMIS policies and procedures, interviewed staff, and reviewed supporting documentation that Maryland provided. In addition, we used vulnerability assessment scanning software to determine whether security-related vulnerabilities existed on selected MMIS supporting network devices, websites, servers, and databases. We communicated to Maryland our preliminary findings in advance of issuing our draft report.

in accordance with Federal requirements and guidance. Although Maryland had adopted a security program for its MMIS, numerous significant system vulnerabilities existed. These vulnerabilities remained because Maryland did not implement sufficient controls over its MMIS data and information systems. Although we did not identify evidence that anyone had exploited these vulnerabilities, exploitation could have resulted in unauthorized access to and disclosure of Medicaid data, as well as the disruption of critical Medicaid operations. These vulnerabilities were collectively and, in some cases, individually significant and could have compromised the integrity of Maryland's Medicaid program.

We did not review Maryland's Medicaid administrative costs that resulted from the failed MMIS replacement project. At the time of our audit, Maryland was engaged in ongoing litigation with the contractor. Accordingly, we make no recommendations regarding those costs.

We recommend that Maryland improve its Medicaid security program to secure Medicaid data and information systems in accordance with Federal requirements.

In written comments on our draft report, Maryland concurred with our recommendations and described actions that it had taken or plans to take to implement them.