Maryland’s Medicaid program is threatened by security gaps exposing data and information systems to unauthorized access and disruption of critical operations.
The conclusion comes from the Department of Health and Human Services (HHS) after auditing the security of computer systems used for the administration of the Medicaid program.
Although Maryland had established a security program for the Medicaid Management Information System (MMIS), the auditors still found a large number of "significant system vulnerabilities." A security program on paper does not by itself secure anything; the report attributes the gap to the state's failure to implement sufficient controls over MMIS data and systems.
The assessment found no evidence that the vulnerabilities had been exploited by malicious actors, but exploitation "could have resulted in unauthorized access to and disclosure of Medicaid data, as well as the disruption of critical Medicaid operations," the report states.
Specifics about the vulnerabilities were not published, but the brief makes their severity clear: they could have compromised the integrity of the state's Medicaid program.
Before publishing its conclusions, the HHS Office of Inspector General (OIG) shared the findings with the state of Maryland. In its response to the draft report, Maryland concurred with the recommendations and guidance and described the remediation actions it had already taken or planned to implement.
The OIG used vulnerability assessment software to scan the program's infrastructure (network devices, servers, databases, websites) for security holes. This automated approach is effective at identifying and classifying known weaknesses such as missing patches and insecure configurations, but it does not cover every exploitation path: logic flaws, weaknesses that only become dangerous when chained together, and other issues that require manual testing can be missed, and an attacker is not limited to what a scanner checks for.
Maryland is not the only state to receive a poor grade for its security implementation. Virginia, Alabama, North Carolina, and Massachusetts all received similarly critical conclusions last year in the OIG's assessment reports on the security of their Medicaid Management Information Systems.
Poor information security in the healthcare sector is far from a new problem. The current state is the result of slow adoption of modern cybersecurity practices, continued use of outdated operating systems, and the habit of deferring patches and updates for fear of breaking installed software. Cybercriminals know this and set their sights on the vast amount of sensitive information the industry manages.
More and more medical centers fall victim to cyber attacks that seek to exfiltrate patient data or hold computer systems for ransom. Since much modern medical equipment is computer-based, X-ray and MRI machines are also exposed to malware.
In a panel discussing cybersecurity in the healthcare sector, Symantec Technical Architect Alex Wirth offered key points for improving defenses.
Complying with recommended standards is not enough in a landscape that keeps changing, and changing at a fast pace. Setting security objectives and updating them as the threats change should be the strategic paradigm for implementing defenses, Wirth says.