The Centers for Medicare & Medicaid Services (CMS) Enrollment Database (EDB) is the primary source of Medicare enrollment information for the entire population of beneficiaries who have ever received Medicare benefits. Based on CMS officials' estimates, we calculated the daily financial impact of a nonfunctional EDB to be approximately $47 million. Our objective was to determine whether CMS implemented security controls within the EDB to protect the confidentiality, integrity, and availability of Medicare enrollee data, in accordance with Federal requirements.
We reviewed CMS's policies and procedures, interviewed staff, reviewed system security documentation, and conducted visits to contingency planning sites to determine whether EDB security controls were adequate.
CMS needs to improve existing Information Technology controls to enhance the resiliency of the Medicare enrollment system. We found that CMS could improve its risk management oversight and the current controls in place to ensure the availability of the EDB.
During our audit fieldwork, we notified CMS management of our preliminary findings. We provided actionable recommendations for CMS to implement so that it could mitigate the vulnerabilities we identified in a timely manner.
We provided a restricted report to CMS that included five recommendations. CMS concurred with all of our recommendations and stated the current system is being integrated into a larger Medicare system. We do not believe CMS's system consolidation will have a significant impact on our findings and recommendations.
Notice
This report may be subject to section 5274 of the National Defense Authorization Act Fiscal Year 2023, 117 Pub. L. 263.