Review of Medicare Contractor Information Security Program Evaluations for Fiscal Year 2012

Federal law requires that each Medicare contractor have its information security program evaluated annually by an independent entity, and these evaluations must address the eight major requirements enumerated in the Federal Information Security Management Act of 2002 (FISMA). To comply with this provision, CMS contracted with PricewaterhouseCoopers (PwC) to evaluate information security programs at the Medicare administrative contractors (MACs), fiscal intermediaries, and carriers using a set of agreed-upon procedures. The Act also requires evaluations of the information security controls for a subset of systems but does not specify the criteria for these evaluations. PwC performed additional testing to eliminate the need to contract with another entity to perform the assessments that had been performed in previous years at the data centers of the MACs, fiscal intermediaries, and carriers.

OIG must submit to Congress annual reports on the results of these evaluations, to include assessments of their scope and sufficiency. This report fulfills that responsibility for fiscal year (FY) 2012.

The scope of the work and sufficiency of documentation for all reported gaps were sufficient for the 10 Medicare contractors reviewed by PwC. The total number of gaps identified at the Medicare contractors increased from the previous year because of new and expanded testing during the FY 2012 evaluations. Deficiencies remain in the FISMA control areas tested. CMS should ensure that all gaps are remediated by the Medicare contractors.