Recent OIG Audit Finds CMS Did Not Detect Cyber Threats

Sarasota, FL (WorkersCompensation.com) – According to the U.S. Department of Health and Human Services breach portal, there have already been 26 reports of healthcare data breaches reported so far this month. Of those, 18 cases were hacking incidents on a network server. The number of patients affected total over 6.5 million, with the largest case reported by PharMerica Corporation in Kentucky at over 5.8 million records breached. Uintah Basin Healthcare of Virginia came in second with 345,523 records compromised as a business associate. 

The Centers for Medicare & Medicaid Services (CMS) oversees two of the largest Federal health care programs known as Medicare and Medicaid. That includes not only Medicare, Medicare Advantage patients, and Medicaid patients, but CMS also oversees Health Insurance Exchanges and the Children’s Health Insurance Program. In total, CMS estimates that in 2023 it will handle the claims information of over of 150 million patients, making it a large target for cyber criminals. 

In fact, a ransomware attack on a CMS federal subcontractor corporate network in late 2022 may have resulted in the release of protected patient health information, as well as bank routing and account information for up to 254,000 Medicare enrollees. A previous attack also occurred in 2018 that compromised more than 75,000 patients. In the 2018 attack, hackers were able to gain access via a system that was utilized by agents and brokers for coverage applicants. 

Earlier this month, the OIG released a damaging audit report regarding CMS’s cyber threat vulnerabilities. The OIG conducted a cyber threat assessment of CMS’s information systems to determine the effectiveness of their defenses, determine potential compromises, and to assess whether any cyber incidents may have occurred and gone undetected. Additionally, the OIG reviewed CMS’s incident response capabilities. 

The evaluation time that was reviewed was August through November 2020, reviewing approximately 8,400 end points that are managed by CMS. Federal contractor, Accenture Federal Services (AFS) performed the cyber threat hunt. 

In the course of the hunt, IT professionals searched for data that potentially indicated malicious activity on a system or network. Examples would be unusual outbound network traffic, connections to unusual IP addresses, system file changes, and digital signatures of malware files. 

While CMS had implemented security protocols to identify and prevent threats on their network, the investigators found multiple security controls that were not operating effectively. The most critical of these were related to monitoring and controlling communications at the CMS external network boundary, as well as settings to provide only essential capabilities, and controls to lock down the ability to install unauthorized software.

While investigators did not find evidence of a potential data breach, they did find multiple unauthorized programs with a high probability of being malware, one of which was confirmed by CMS to be malicious. Additionally, a CMS server that was available by internet access was scanned multiple times throughout the day by multiple malicious IP addresses. While those connections were not established, the scans were not detected or stopped by the CMS controls. 

Overall, the OIG found that CMS did not consistently detect the threats that could lead to a potential breach. Because an actual threat was not detected, the OIG auditors had no opinion about CMS’s ability to appropriately respond to a data breach. The full findings and recommendations are available on the OIG website. 

Share This Article: