Review of Medicare Contractor Information Security Program Evaluations for Fiscal Year 2011

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 added to the Act information security requirements for Medicare administrative contractors (MACs), fiscal intermediaries, and carriers, which process and pay Medicare fee-for-service claims. To comply with these requirements, the Centers for Medicare & Medicaid Services (CMS) contracted with PricewaterhouseCoopers (PwC) to evaluate information security programs at the MACs, fiscal intermediaries, and carriers using a set of agreed-upon procedures. The Act also requires evaluations of the information security controls for a subset of systems but does not specify the criteria for these evaluations. To satisfy this requirement, CMS expanded the scope of its evaluations to test segments of the Medicare claims processing systems hosted at the Medicare data centers, which support each of the MACs, fiscal intermediaries, and carriers.

PwC's evaluations of the contractor information security programs were adequate in scope and were sufficient. PwC reported a total of 127 gaps at 11 Medicare contractors for FY 2011, which was a decrease of 23 percent from FY 2010. Gaps are defined as the differences between Federal Information Security Management Act of 2002 or CMS core security requirements and the contractors' implementation of them.