Accurate, Focused Research on Law, Technology and Knowledge Discovery Since 2002

HHS OIG Audit of MIDAS – central system managing citizen health care insurance data

Public Summary Report: The Centers for Medicare & Medicaid Services’ Implementation of Security Controls Over the Multidimensional Insurance Data Analytics System Needs Improvement (A-06-14-00067). September 21, 2015.

“This summary report provides an overview of the results of the Office of Inspector General’s (OIG) review of the Multidimensional Insurance Data Analytics System (MIDAS). It does not include specific details of the vulnerabilities that we identified because of the sensitive nature of the information. We have provided more detailed information and recommendations to officials responsible for the MIDAS so that they can address the issues we identified. The findings listed in this summary reflect a point in time regarding system security and may have changed since we reviewed these systems.

WHY WE DID THIS REVIEW – Analytics and database systems that are not secured properly create vulnerabilities that could be exploited by unauthorized individuals to compromise the confidentiality of personally identifiable information (PII) or other sensitive data. Data and systems security is a top oversight priority for OIG. The MIDAS is a central repository for insurance-relate data intended to provide reporting and performance metrics to the Department of Health and Human Services for various initiatives mandated by the Patient Protection and Affordable Care Act. The MIDAS collects, generates, and stores a high volume of sensitive consumer information, and it is critical that it be properly secured. Therefore, we performed the audit described in this summary report. Our objective was to assess whether CMS had implemented information security controls to secure the PII related to the MIDAS and a certain number of its supporting databases.

WHAT WE FOUND AND RECOMMENDED – Although CMS had implemented controls to secure the MIDAS and consumer PII data in the systems and databases we reviewed, we identified areas for improvement in its information security controls. At the time of our field work, CMS: had not disabled unnecessary generic accounts in its test environment; had not encrypted user sessions; had not conducted automated vulnerability assessments that simulate known attacks, which would have revealed vulnerabilities (e.g., password weaknesses and misconfigurations) specific to the application or databases that support the MIDAS; and used a shared read-only account for access to the database that contained the PII…”

Sorry, comments are closed for this post.