[ISN] Medicare and Medicaid Security Gaps Are Found

From: InfoSec News (alerts@private)
Date: Mon Oct 09 2006 - 05:31:26 PDT


http://www.nytimes.com/2006/10/08/washington/08health.html

By ROBERT PEAR
October 8, 2006

WASHINGTON, Oct. 7  Federal investigators say they have found serious 
computer security flaws that could lead to the improper disclosure of 
sensitive medical information on people enrolled in Medicare and 
Medicaid.

In a new report, the investigators, from the Government Accountability 
Office, said key information security controls were missing from a huge 
communication network used by the federal Centers for Medicare and 
Medicaid Services.

As a result, they said, sensitive, personally identifiable information 
could be improperly modified, disclosed or deleted. Moreover, the report 
said, these weaknesses could lead to disruptions in services to millions 
of Medicare and Medicaid beneficiaries.

The network is used to pay claims and to communicate with state Medicaid 
agencies, health care providers and many private contractors.

Dr. Mark B. McClellan, administrator of the Centers for Medicare and 
Medicaid Services, said none of the flaws had led to actual security 
breaches. Dr. McClellan said he was taking steps to fix the problems.

But the G.A.O. said Medicare officials would not necessarily know if a 
security breach had occurred because they had no audit trail to document 
use of the computer network, or a reliable way to detect intrusions into 
their computers.

In their report, the investigators described several problems:

The potential for unauthorized users to gain access to the agencys 
computers because of a lack of strict password controls. Passwords are 
often so simple that outsiders can guess them.

Medicare and Medicaid data not being encrypted. This could allow an 
attacker to view medical information on beneficiaries.

A failure to keep complete records of who uses the network, so it cannot 
be determined who views or modifies files.

Senator Charles E. Grassley, Republican of Iowa, who requested the 
investigation, said Medicare officials needed to get on top of these 
shortcomings immediately.

?Beneficiaries not only rely on Medicare for their health care coverage, 
said Mr. Grassley, chairman of the Finance Committee, which oversees 
Medicare and Medicaid, they expect that the private information they 
entrust to the government is kept private, safe and secure.

Concern about computer security has increased since May, when the 
Department of Veterans Affairs reported a laptop computer with personal 
information on millions of veterans had been stolen from the home of an 
agency employee.

Dr. McClellan said, We are very concerned about the specific control 
weaknesses identified in the latest report. The computer network carries 
immense amounts of data with personal information on beneficiaries, 
including name, sex, date of birth, Social Security number and home 
address. The network also transmits medical and financial information, 
showing the diagnosis of a patients illness, prescriptions, names of 
doctors and hospitals, services provided and the amounts paid.

Daniel R. Levinson, the inspector general at the Department of Health 
and Human Services, and his predecessors have expressed concern about 
weaknesses in Medicare computer security. The weaknesses could 
ultimately result in unauthorized disclosure of sensitive information, 
improper Medicare payments or disruption of critical operations, Mr. 
Levinson warned last year.

The computer network connects the Centers for Medicare and Medicaid 
Services with banks, insurance companies, hospitals, nursing homes, 
health plans, other federal agencies and private contractors that pay 
claims for the government.

Medicare paid more than 1.1 billion claims last year. The size of its 
computer network and the number of transactions increased this year with 
the addition of a prescription drug benefit. The new program fills more 
than three million prescriptions a day. Insurers must file detailed data 
on each transaction.

In June, Medicare officials warned Humana after a company employee left 
personal information on 17,000 Medicare beneficiaries unsecured on a 
hotel computer in Baltimore.

The Bush administration is encouraging adoption of electronic health 
records and is urging doctors to send prescriptions electronically to 
drugstores. It is also asking beneficiaries to keep track of their 
health information, including Medicare claims and prescriptions, by 
using a new online service at www.MyMedicare.gov. In fine print, the 
government says it does not warrant the accuracy of information on the 
Web site.

Copyright 2006 The New York Times Company


_________________________________
Donate online for the Ron Santo Walk to Cure Diabetes!
http://www.c4i.org/ethan.html



This archive was generated by hypermail 2.1.3 : Mon Oct 09 2006 - 05:48:19 PDT