GAO: Medicare Data Network Vulnerable

The communications network used to transmit medical data for the U.S. government’s Medicare and Medicaid programs has security vulnerabilities that could expose patients’ medical data and other personal information, according to a report released Tuesday.

The report, released by the U.S. Government Accountability Office (GAO), identified 47 weaknesses in the way the U.S. Centers for Medicare and Medicaid Services (CMS) used a WAN operated by contractor AT&T. CMS uses the network to transmit claims data—including patient names, dates of birth, Social Security numbers, addresses and medical information—to health-care facilities, contractors, financial institutions and state Medicaid offices.

“A security breach in this communication network could lead to interruptions in the processing of medical claims or to unauthorized access to personally identifiable medical data, seriously diminishing the public’s trust in CMS’s ability to protect the sensitive beneficiary data it is entrusted with,” the GAO said in the report.

GAO, in its review of CMS security procedures early this year, found that the agency and AT&T did not use adequate identification and authentication controls for access to the network, did not restrict user access to only those programs and files workers need, did not close off all access from the private network to the Internet and did not consistently encrypt sensitive data. CMS did not always ensure security policies it has in place, GAO said.

The GAO did not include AT&T’s name in its report, but CMS confirmed that AT&T operated the network. In May 2003, AT&T won a four-year, US$76.6 million contract to manage the CMS data network. An AT&T spokeswoman did not immediately respond to a message seeking comment on the GAO report.

“CMS did not always ensure that its contractor effectively implemented controls designed to prevent, limit, and detect electronic access to sensitive computing resources and to devices used to support the communication network,” the GAO said.

GAO gave CMS an early copy of the report, and Dr. Mark McClellan, CMS administrator, said in a July 10 letter the agency took quick action to fix the problems. CMS, working with AT&T, had fixed 22 of the 47 vulnerabilities identified by the July letter, and an additional 14 were scheduled to be fixed within weeks. The final 11 vulnerabilities were “somewhat more complex” and were scheduled to be fixed by Jan. 7, he wrote.

“We are taking further steps to assure that none result in actual security breaches,” McClellan added. “We have been proactive in our oversight of the network but are taking further steps to enhance security.”

CMS takes data security “very seriously,” added Jeff Nelligan, director of media affairs at CMS. “No beneficiary information resides on this network, and because data does not reside on the network, intercepting or compromising information during transit across network would be difficult,” he said. “Security of our beneficiaries’ data is paramount, and we will continue our vigilance in ensuring our systems are secure.”

The Medicare program is the nation’s largest health-insurance program, covering 42 million U.S. citizens.

-Grant Gross, IDG News Service (Washington Bureau)

Check out our CIO News Alerts and Tech Informer pages for more updated news coverage.