GAO: CMS' IT controls need strengthening

A review of the effectiveness of information security controls used by the Centers for Medicare & Medicaid Services found 47 weaknesses in its communication network's electronic access and other system controls, according to the Government Accountability Office.

CMS, an agency within the Health and Human Services Department, is responsible for overseeing the nation's largest health insurance programs, Medicare and Medicaid.

CMS uses a contractor-owned and operated network to relay communication and data transmission throughout the agency and related entities. The review found CMS had many controls in place, but some were missing, and existing ones were not always applied.

'CMS did not always ensure that its contractor effectively implemented electronic access controls designed to prevent, limit and detect unauthorized access to sensitive computing resources and devices used to support the communication network,' auditors said.

According to the report, CMS did not ensure that its contractors implemented electronic access controls in areas including user identification and authentication, authorization, boundary protection, cryptography, and auditing and monitoring of security-related events.

Other controls that should have been in place but were not implemented correctly included secure configuration of network devices and segregation of incompatible duties, GAO said.

'Significant weaknesses in electronic access and other system controls threatened the confidentiality and availability of sensitive CMS financial and medical information when it was transmitted across the network,' auditors said.

In a letter to Gregory Wilshusen, director of information security issues for GAO, commenting on the review, Mark McClellan, CMS administrator, noted that even with the weaknesses, the agency maintained that the security of the information was intact.

'GAO found no evidence that confidentiality or sensitive information had actually been compromised, and our analysis found no instances where beneficiary information had actually been exploited,' McClellan said.

According to McClellan, corrective action has been taken or new compensating controls have been applied to 22 of the 47 weaknesses outlined in the review; 19 are scheduled for closure, and the remaining six are under review.

Despite McClellan's assurance that CMS data is protected, GAO said that when electronic access controls are inadequate, the reliability of computer information is diminished and the risk of unauthorized disclosure, modification and destruction of sensitive information, as well as disruption of services, increases.

Information that travels across the communication network includes:
  • Medicare claims data: name, sex, date of birth, Social Security number, address

  • Medical information: patient diagnosis, prescribed drugs and dosage, type of treatment facility, requested services, and physician's name and identification number

  • Other: payment information, including amount paid and billing information.

The report notes that Medicare and Medicaid data is not stored on the communication network.
