
GAO: CMS needs better security for its Medicare beneficiary data

Recent data breaches in the health care industry have the chairmen of three congressional committees concerned about the security of health information, including the personally identifiable information of Medicare beneficiaries. A recent report from the Government Accountability Office found the Centers for Medicare & Medicaid Services isn't doing enough to secure the Medicare beneficiary data that is accessed by external entities.

CMS shares Medicare beneficiary data with Medicare Administrative Contractors (MACs) who process claims for hospital stays, doctor’s visits and durable medical equipment on behalf of the agency. It also shares data with researchers and what it calls "qualified entities," which assess the effectiveness of Medicare service providers and equipment suppliers.

All of this information is stored in CMS Virtual Data Centers, which MACs connect to through the CMSNet telecommunications network.

Researchers and qualified entities can also access Medicare data stored in the CMS Chronic Conditions Data Warehouse and Virtual Research Data Center. They reach the data through a CMS-provided secure network connection that takes them to a computing environment where copies of the specific beneficiary data they have been authorized to use are stored. They can then analyze the data in this secure environment using software tools provided by CMS.

CMS can also give researchers and qualified entities data access by mailing them an encrypted copy of the data. Once researchers receive the data, they transfer it to their own systems and secure it according to the data use agreement they've signed. The data security policies and procedures of researchers' systems, however, "may or may not be consistent with CMS requirements," GAO found.

CMS has not given researchers specific security requirements to adequately protect data received from CMS, GAO said.

The agency has developed security controls for MACs and qualified entities, but it has not applied those requirements to researchers because the agency does not consider them contractors. Researchers have “only broad federal guidance,” such as the National Institute of Standards and Technology's Special Publication 800-53, as a reference point.

"Without providing comprehensive, risk-based requirements for implementing security controls to all external entities that have access to Medicare beneficiary data, CMS increases the risk that external entities possessing CMS data may not have applied security controls that meet CMS standards," GAO said.

GAO recommended that CMS give researchers guidance on implementing security controls and develop procedures to ensure those controls have been implemented. CMS concurred with the findings.

Read the full report here.

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at [email protected] or follow her on Twitter @SaraEFriedman.

