CMS Computer Network Has Security Weaknesses
The computer network used by CMS to send and receive personal information about Medicare beneficiaries has 47 weaknesses that could lead to unauthorized disclosures of personal information and disruptions in agency operations, according to a report released on Tuesday by the Government Accountability Office, the AP/San Francisco Chronicle reports.
The network, which is owned and operated by a private company, transmits Medicare claims that include information about beneficiary diagnoses, the medications they take and the health care facilities they visit. In addition, the Medicare claims include personal information, such as beneficiary Social Security numbers, addresses and dates of birth. The report -- which focuses on network security for transmission of personal information about Medicare beneficiaries, not for the servers used to store the data -- finds 47 weaknesses, such as inadequate:
- Ability to identify and authenticate users who manage the network;
- Control of network access and privileges;
- Ability to protect the network from external attacks; and
- Audit trails to determine the source of transactions within the network.
CMS officials said that they have corrected 22 of the 47 weaknesses in the network and that they will correct 19 additional weaknesses in the near future. CMS has begun a review to determine the resources required to correct the other six weaknesses, agency officials said.
CMS Administrator Mark McClellan said that the report "found no evidence that confidential or sensitive information had actually been compromised" and that "intercepting or compromising information during transit across the network would be difficult." McClellan added, "Security of our beneficiaries' data is paramount, and we appreciate GAO's assistance in identifying important opportunities for the contractor to strengthen network security."
Senate Finance Committee Chair Chuck Grassley (R-Iowa) said, "Program officials need to get on top of these shortcomings immediately," adding, "Beneficiaries and providers expect that sensitive health information is protected, and it's up to the agency officials to ensure the system is secure" (Freking, AP/San Francisco Chronicle, 10/4).