Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Review of Medicare Contractor Information Security Program Evaluations for Fiscal Year 2010

Issued on  | Posted on  | Report number: A-18-12-30100

Report Materials

01-08-2013

Summary

Federal law requires that each Medicare contractor have its information security program evaluated annually by an independent entity, and these evaluations must address the eight major requirements enumerated in the Federal Information Security Management Act of 2002. To comply with this provision, CMS contracted with PricewaterhouseCoopers (PwC) to evaluate information security programs at the Medicare administrative contractors, fiscal intermediaries, and carriers using a set of agreed-upon procedures. The Act also requires evaluations of the information security controls for a subset of systems but does not specify the criteria for these evaluations. To satisfy this requirement, CMS expanded the scope of its evaluations in fiscal year (FY) 2010 to test segments of the Medicare claims processing systems hosted at the Medicare data centers, which support each of the fiscal intermediaries, carriers, and MACs. CMS also contracted with iFed, LLC (iFed), to perform technical assessments at two enterprise data centers using an information security assessment methodology.

OIG must submit to Congress annual reports on the results of these evaluations, to include assessments of their scope and sufficiency. This report fulfills that responsibility for FY 2010.

Our review found that PwC's evaluations of the contractor information security programs were adequate in scope and were sufficient. iFed's assessments for one of the two enterprise data centers tested were adequate in scope and were sufficient. However, at the other enterprise data center, we could not determine whether the scope and sufficiency of the review were adequate because of issues with the working papers, such as lack of evidence that all testing procedures had been completed and that all identified weaknesses were adequately supported. PwC reported a total of 303 gaps at 21 Medicare contractors. iFed reported a total of 51 gaps at 2 data centers.

We recommended that CMS ensure that its enterprise data center technical assessments are adequately supported. CMS concurred with our recommendation and stated that it would take the appropriate actions to address the identified issues.

Copies can also be obtained by contacting the Office of Public Affairs at .

Report Type
Audit
HHS Agencies
Centers for Medicare and Medicaid Services
Issue Areas
-
Target Groups
-
Financial Groups
-

Notice

This report may be subject to section 5274 of the National Defense Authorization Act Fiscal Year 2023, 117 Pub. L. 263.