OIG Report Finds CMS’s MIDAS System Needs Improvement in Information Security Controls

King & Spalding

On September 14, 2015, the OIG released a Public Summary Report finding that although CMS had implemented controls to secure the Multidimensional Insurance Data Analytics System (MIDAS) and consumer personally identifiable information, there were a number of areas for improvement in CMS’s information security controls. 

MIDAS is a central repository for insurance-related data on a number of initiatives mandated by the Patient Protection and Affordable Care Act.  OIG conducted its review because MIDAS collects, generates, and stores a high volume of sensitive consumer information.

OIG’s report identified the following four areas for improvement in CMS’s information security controls:

  1. CMS had not disabled unnecessary generic accounts in its test environment;
  2. CMS had not encrypted user sessions;
  3. CMS had not conducted automated vulnerability assessments that simulate known attacks, which would have revealed vulnerabilities (e.g., password weaknesses and misconfigurations) specific to the application or databases that support MIDAS; and
  4. CMS used a shared read-only account for access to the database that contained personally identifiable information.

In addition to the above, OIG’s analysis identified further vulnerabilities, consisting of 22 “high,” 62 “medium,” and 51 “low” vulnerabilities.  OIG shared this information with CMS immediately and made recommendations to CMS to address the issues OIG identified.  CMS began remediation efforts before OIG completed its fieldwork and, in written comments, concurred with all of OIG’s recommendations.  CMS reported to OIG that it had remediated all vulnerabilities and addressed all findings that OIG identified before OIG issued its final report.  The complete report is available here.

Reporter: John Whittaker, Sacramento, +1 916 321 4808, jwhittaker@kslaw.com.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
