December 11, 2006
A report from the Government Accountability Office spotlighted holes in the CMS’ computer network, which renewed questions about the price of interoperability in terms of patient privacy.

The push is on to digitize the healthcare industry, whether it be through the adoption of electronic medical records, networks for information sharing, or computerized physician order entry. But along with the push for digitization comes the pull to maintain the privacy and security of patients’ personal information. In many circles, medical identity theft continues to be a growing fear. Many organizations have outlined security measures to address such concerns, but if those measures aren’t acted upon or properly enforced, the possibility remains for a security breach that opens a world of personal information to an attacker.

Recently, such a scenario was uncovered at the Centers for Medicare & Medicaid Services (CMS) when an assessment by the Government Accountability Office (GAO) exposed 47 weaknesses in the CMS’ contractor-owned-and-operated computer network used to facilitate communication among CMS business-related entities. The findings, compiled from information gathered from January to May following a request by Sen. Charles Grassley (R-Iowa), chairman of the Senate’s finance committee, were released this summer in the GAO report, “Information Security: The Centers for Medicare & Medicaid Services Needs to Improve Controls over Key Communication Network.”

The Report

“GAO discovered numerous vulnerabilities in several areas: user identification and authentication, user authorization, system boundary protection, cryptography, and auditing and monitoring of security-related events,” the report continues. “There were also weaknesses in controls that had been designed to ensure that security configurations would be implemented on network devices and that incompatible duties would be sufficiently segregated.
A key reason for these weaknesses is that CMS did not always ensure that its security policies and standards were implemented effectively. As a result, vulnerability to unauthorized disclosure and these weaknesses could lead to disruptions in CMS services.”

What Did the GAO Spot?

“For example, there are certain devices that didn’t have users defined and it could allow for unauthorized execution of commands without really any means for determining whether that individual had authorization to use it,” Wilshusen says.

Among the organizations connected through the CMS communication network are financial institutions, skilled nursing facilities and home health agencies, state Medicaid offices, CMS contractors, quality information organizations, CMS disaster recovery services, the CMS central office and its regional offices, and Medicare intermediaries and carriers, according to the GAO report.

Information such as patients’ names, sex, dates of birth, Social Security numbers, and addresses are transmitted across the network along with medical diagnoses, prescribed medications and dosages, and the type of treatment facility, including substance abuse or psychiatric treatment centers, where a patient is receiving care. Payment and billing information is also transmitted across the network, but there is no Medicare or Medicaid information housed in the network, according to the GAO report.

During its assessment, the GAO examined routers, network management servers, switches, firewalls, and administrator workstations at the CMS headquarters, business partners, and several network contractor sites.
Based on the Federal Information System Controls Audit Manual, the report says the GAO more specifically examined security controls intended to:

• limit, detect, and monitor electronic access to sensitive computing resources, thereby safeguarding them from misuse and protecting them from unauthorized disclosure and modification;
• maintain operating system integrity through effective administration and control of powerful computer programs and utilities that execute privileged instructions;
• prevent the introduction of unauthorized changes to application or system software; and
• ensure that work responsibilities are segregated so one individual does not perform or control all key aspects of computer-related operations and thereby have the ability to conduct unauthorized actions or gain unauthorized access to assets or records.

Controls over servers used to store Medicare or Medicaid data were not examined or evaluated, according to the report.

The GAO acknowledged in the report that the CMS does have numerous information security controls in place for its network but that weaknesses still exist in spite of the controls. In addition to the problems with user authorization, the GAO reported these additional issues with the network:

• failure to restrict the network access and privileges to only the users required to perform authorized tasks, such as not restricting access paths on certain network devices;
• failure to consistently apply encryption to protect sensitive data traveling across the network or configuration data stored on network devices; and
• failure to apply timely and comprehensive patches to fix system software, meaning some workstations and servers were missing patches to address known vulnerabilities. Some patches also used operating system software that was known to be vulnerable.
In outlining the various vulnerabilities, the report also states that these weaknesses could allow unauthorized users to gain access to the network, make unauthorized changes to information, and launch attacks against certain network devices, among other actions.

CMS Response

McClellan wrote that the CMS’ contractor had already been instructed to address the weaknesses and that many of them had already been or were on the path to being corrected.

“Because data does not reside on the network, intercepting or compromising information during transit across the network would be difficult,” McClellan wrote. “In addition, the GAO found no evidence that confidential or sensitive information had actually been compromised and our analysis found no instances where beneficiary information had actually been exploited.”

However, Wilshusen notes, “some of the [network] devices were not configured to provide adequate logging and auditing capabilities which would allow you to determine if a breach had occurred or not.”

As of July when McClellan penned his response to the GAO report, corrective actions or new controls had been put in place for 22 of the 47 weaknesses identified in the network.

“As of the date of this response, the network contractor has provided evidence of implementation acceptable to CMS for 16 of the weaknesses,” McClellan wrote. “An additional 6 await validation of closure by CMS. Of the remaining weaknesses, 8 are scheduled for closure by September 30, 2006. An additional 11 are somewhat more complex and are scheduled for closure by January 7, 2007, to coincide with the contractor’s fourth-quarter update of the network.”

The letter also stated that the contractor was instructed to conduct an independent test of the corrective actions that were necessary following the fourth-quarter update.
“In addition to addressing each of the individual weaknesses identified by GAO, we conducted a separate internal assessment of the risk of inappropriate disclosure of financial and personally identifiable medical data traversing the network,” McClellan wrote.

In response to For The Record’s request for further comment about the situation, the CMS issued this statement: “Generally, CMS actions include addressing the individual recommendations proposed by the GAO. These include clarifying and strengthening security requirements for the network. CMS also plans to independently validate changed procedures to mitigate control weaknesses identified during the GAO review as a check to ensure the new methods have been implemented and are operating as agreed to with CMS.”

What It Means

“Until the CMS ensures that these information security policies are fully implemented on this network, there’s limited assurance that this sensitive data will be adequately protected against unauthorized disclosure and that these network services will not be interrupted,” says Wilshusen.

Wilshusen does point out, however, that when examined for the first time, many computer systems exhibit vulnerabilities that must be addressed. And while there may be policies and procedures in place designed to protect the network and they are well-documented, it all comes down to the execution of the plans.

“[The CMS] have the policies and processes that they want to have the contractor use, but they just didn’t use them and no one checked up to see that they did it. So, if anything, it’s a lesson learned,” says Peter Paulli, manager of consulting services with Boston-based Beacon Partners. He adds that the weaknesses found in the CMS network should not necessarily be an immediate cause for alarm or a roadblock to continuing the digitization of healthcare.
He notes, though, that if an organization contracts services, it needs to make sure the contractor is doing what is intended of them, including maintaining outlined security controls.

“There’s going to be a thousand vulnerabilities on any network that is constructed,” says Pam Dixon, executive director of the World Privacy Forum. But she adds that even though the digitization of the healthcare industry could reduce expenses and improve patient care, “we’re not going to reduce cost and save lives if it’s not done correctly, and there’s not enough consumer involvement to date.”

Dixon also says there may be a rush to drive the push toward digitization, which could also contribute to the lack of risk assessments, policies to protect information systems, and enforcement of the guidelines.

“You don’t have to dump privacy or security in order to build a network, but I think there are plenty of people out there who are so worried that a bunch of privacy advocates or security folks are going to come in and say, ‘no, you can’t do this,’ that they’re pushing too far the other way and not being careful enough,” Dixon says.

— Tracy Meadowcroft is an editorial assistant at For The Record.