OIG: Contractor Increases Vulnerabilities in Medicaid Processing System


The Office of the Inspector General (OIG) released a report entitled “Weaknesses in Molina Medicaid Solutions’ Information System General Controls Over Idaho’s Medicaid Claims Processing System Increase Vulnerabilities”. The OIG inspection of the Idaho Department of Health and Welfare Medicaid in the spring has extended to one of its contractors, Molina Medicaid Solutions. This April, OIG highlighted 19 weaknesses in different parts of the Idaho Department of Health and Welfare Medicaid Solution claims processing system. Similar to the Idaho audit, OIG found 21 weaknesses in the Molina system controls and distributed 6 consolidated findings into 3 categories: access controls, configuration management, and security management.

In terms of access controls, OIG found issues with user authentication for remote network access, an inadequate password history policy, and inadequate encryption of network passwords. In response to the OIG report, Molina said that it had proper authentication methods but would focus on encrypting passwords. OIG found that Molina’s policy and protocols for network access and device configuration appeared to be deficient. The OIG identified a total of 9 weaknesses in the configuration management area, so Molina decided to review its device and network configurations as well as its patch management procedures.

The report states that Molina does not have a system for taking inventory of portable devices. Molina will now update employee security education and training, and change its background check policies as well. While OIG does not think that the weaknesses addressed in the report have been exploited at this point, they could lead to compromised patient data within the Medicaid system if the issues are not resolved. OIG made 6 recommendations that Idaho must impress upon Molina. These recommendations were:

  1. Implement stronger user authentication for remote network access, strengthen password history policy, and use a secure method to store encrypted network passwords
  2. Implement secure configuration settings for network devices
  3. Implement policies and procedures to secure Medicaid claims database
  4. Implement policies for its patch management program
  5. Implement policies and procedures to periodically review and account for inventory of all portable devices and identify the custodian of the devices
  6. Implement policies and procedures for annual security awareness training and adequate policies and procedures for terminated and transferred employees and for background checks of employees

 

Read the full report here.

Contributing Author

Gabriella Miroglio is the GTSC Government Affairs intern. Gabriella studied at the University of California, Santa Barbara, where she earned a B.A. in Political Science with an emphasis in Comparative Politics. During college she interned with Boxer and Gerson LLP and volunteered with Phi Alpha Delta, the pre-law fraternity. In addition to internships, she has also worked for UCSB’s Annual Fund and the Disabled Students Program. Gabriella was also a National Honors Scholar in high school, and completed over 100 hours of community service.
