Dive Brief:
- The Office of Inspector General's (OIG) annual review of Medicare administrative contractors' (MACs) health IT security programs found 129 data security gaps in 2014, up 8% from 2013.
- CMS is required to have MAC information security programs evaluated by an independent organization; for 2014 it contracted PricewaterhouseCoopers (PwC) to evaluate nine MACs.
- Of the 129 gaps, the report rated 18 as high-risk, 45 as medium-risk and 66 as low-risk.
Dive Insight:
MACs are required to develop corrective action plans for the high- and medium-risk gaps, and CMS is responsible for ensuring those plans are implemented.
The report said MACs had the most difficulty with the Federal Information Security Management Act of 2002 (FISMA) control area covering periodic testing and evaluation of information security controls, which accounted for 38 of the gaps in 2014.
Gaps in that area included system inventory processes not implemented according to CMS requirements, system security configurations that did not meet CMS requirements, and unremediated security vulnerabilities. The second most common FISMA control area was risk management policies and procedures, with 36 gaps.
The third most common FISMA control area for data security gaps was system security plans, with 16 gaps reported.
PwC found most MACs lacked appropriate access control procedures, did not review their security policies within a year as CMS requires, and failed to submit a required security plan to CMS.
The report indicated CMS and the MACs may need to re-evaluate how corrective action plans are implemented and whether they actually close the identified security gaps, given that the number of gaps rose year over year despite the remediation process.