The Centers for Medicare & Medicaid Services Needs to Improve Controls over Key Communication Network
GAO-06-750: Published: Aug 30, 2006. Publicly Released: Oct 3, 2006.
The Centers for Medicare & Medicaid Services (CMS), a component within the Department of Health and Human Services (HHS), is responsible for overseeing the Medicare and Medicaid programs--the nation's largest health insurance programs--which benefit about one in every four Americans. CMS relies on a contractor-owned and operated network to facilitate communication and data transmission among CMS business-related entities. Effective information security controls are essential to protecting the confidentiality, integrity, and availability of this sensitive information. At Congress's request, GAO assessed the effectiveness of information security controls over the communication network used by CMS by conducting a technical assessment of the information security controls that are currently in place.
Although CMS had many key information security controls in place--which had been designed to safeguard the communication network--some were missing, and existing ones had not always been effectively implemented. Significant weaknesses in electronic access and other system controls threatened the confidentiality and availability of sensitive CMS financial and medical information when it was transmitted across the network. CMS did not always ensure that its contractor effectively implemented electronic access controls designed to prevent, limit, and detect unauthorized access to sensitive computing resources and devices used to support the communication network. GAO discovered numerous vulnerabilities in several areas: user identification and authentication, user authorization, system boundary protection, cryptography, and auditing and monitoring of security-related events. There were also weaknesses in controls that had been designed to ensure that secure configurations would be implemented on network devices and that incompatible duties would be sufficiently segregated. A key reason for these weaknesses is that CMS did not always ensure that its security policies and standards were implemented effectively. As a result, sensitive, personally identifiable medical data traversing the network is vulnerable to unauthorized disclosure, and these weaknesses could lead to disruptions in CMS services.
Recommendation for Executive Action
Status: Closed - Implemented
Comments: According to officials at the Department of Health and Human Services, Centers for Medicare and Medicaid Services, the agency has addressed this recommendation by taking action on recommendations in the related Limited Official Use Only report. GAO verified the actions in 2010 and determined that a substantial number of findings have been closed.
Recommendation: To help strengthen information security controls over the CMS communication network, the CMS Administrator should direct the Chief Information Officer to take steps to ensure that information security policies and standards are fully implemented.
Agency Affected: Department of Health and Human Services: Centers for Medicare and Medicaid Services