The State of North Carolina Did Not Meet Federal Information System Security Requirements for Safeguarding Its Medicaid Eligibility Determination Systems and Data

The U.S. Department of health and Human Services (HHS) oversees States' administration of various Federal programs, including Medicaid. State agencies are required to establish appropriate computer system security requirements and conduct biennial reviews of computer system security used in the administration of State plans for Medicaid and other Federal entitlement benefits. This review is one of a number of HHS OIG reviews of States' computer systems used to administer HHS-funded programs.

Our objective was to determine whether the North Carolina State Medicaid agency (State agency) had implemented adequate information system general controls over the North Carolina Medicaid eligibility determination system in accordance with Federal requirements.

The State agency tasked the Office of North Carolina Families Accessing Services Through Technology (NC FAST) to operate its Medicaid eligibility determination system. We assessed the effectiveness of the information system general controls over computer operations at NC FAST as those controls related to the State's eligibility determination system for State fiscal year 2016. We reviewed NC FAST's information system general controls relating to entitywide security, access controls, configuration management, network device management, service continuity, mainframe operations, and application change control.

The State agency had not ensured that NC FAST implemented adequate information system general controls over the Medicaid eligibility determination system in accordance with Federal requirements. The vulnerabilities that we identified increased the risk to the confidentiality, integrity, and availability of North Carolina's Medicaid eligibility data.

Although we did not identify evidence that the vulnerabilities had been exploited, exploitation could result in unauthorized access to and disclosure of sensitive information, as well as disruption of critical North Carolina Medicaid eligibility operations. As a result, the vulnerabilities are collectively and, in some cases, individually significant.

We recommended that the State agency improve the protection of sensitive data on its Medicaid eligibility determination system by working with NC FAST to address the vulnerabilities identified during our audit to ensure compliance with Federal requirements. The State agency did not directly address our recommendations but agreed with eight of our nine findings. The State agency partially agreed with one of our findings. When fully implemented, the corrective actions that the State agency described should allow it, working with other State agencies, to resolve the recommendations associated with all nine of our findings.