The Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) identified an uptick in security gaps in the information security programs of the Centers for Medicare & Medicaid Services’ (CMS) Medicare administrative contractors (MACs) in fiscal year 2018, according to an OIG report released Aug. 23.
CMS contracts with MACs to administer Medicare benefits, and OIG said that in FY 2018 seven different organizations served as MACs for Medicare Parts A and B to “process and pay Medicare fee-for-service claims.”
MACs must meet FISMA (Federal Information Security Modernization Act) requirements, and in reviewing the contractors’ information security programs from FY 2018, OIG identified 112 total gaps, “of which 13 were high-risk gaps, 33 were medium-risk gaps, and 66 were low-risk gaps.”
“The total number of gaps reported for the 7 MACs … evaluated increased by 26 percent in FY 2018 (from 89 in FY 2017 to 112 in FY 2018),” OIG said. It added that high-risk gaps increased by 63 percent, medium-risk by 27 percent, and low-risk by 20 percent.
OIG said the year-over-year increase was largely due to “the addition of database and web server testing,” and that all seven MAC information security programs had gaps in periodic testing of information security controls, policies and procedures to reduce risk, and system security plans.
CMS did not provide comment on the OIG report.