Sunday, October 08, 2006

Security Gaps in Medicare and Medicaid

The New York Times

WASHINGTON, Oct. 7 — Federal investigators say they have found serious computer security flaws that could lead to the improper disclosure of sensitive medical information on people enrolled in Medicare and Medicaid.

In a new report, the investigators, from the Government Accountability Office, said “key information security controls were missing” from a huge communication network used by the federal Centers for Medicare and Medicaid Services.

As a result, they said, sensitive, personally identifiable information “could be improperly modified, disclosed or deleted.” Moreover, the report said, “these weaknesses could lead to disruptions in services” to millions of Medicare and Medicaid beneficiaries.

The network is used to pay claims and to communicate with state Medicaid agencies, health care providers and many private contractors.

Dr. Mark B. McClellan, administrator of the Centers for Medicare and Medicaid Services, said none of the flaws had led to “actual security breaches.” Dr. McClellan said he was taking steps to fix the problems.

But the G.A.O. said Medicare officials would not necessarily know if a security breach had occurred because they had no “audit trail” to document use of the computer network, or a reliable way to detect intrusions into their computers.

In their report, the investigators described several problems:

¶The potential for unauthorized users to gain access to the agency’s computers because of a lack of strict password controls. Passwords are often so simple that outsiders can guess them.

¶Medicare and Medicaid data not being encrypted. “This could allow an attacker to view medical information” on beneficiaries.

¶A failure to keep complete records of who uses the network, so it cannot be determined who views or modifies files.

Senator Charles E. Grassley, Republican of Iowa, who requested the investigation, said Medicare officials needed “to get on top of these shortcomings immediately.”

“Beneficiaries not only rely on Medicare for their health care coverage,” said Mr. Grassley, chairman of the Finance Committee, which oversees Medicare and Medicaid, “they expect that the private information they entrust to the government is kept private, safe and secure.”

Concern about computer security has increased since May, when the Department of Veterans Affairs reported a laptop computer with personal information on millions of veterans had been stolen from the home of an agency employee.

Dr. McClellan said, “We are very concerned about the specific control weaknesses” identified in the latest report. The computer network carries immense amounts of data with personal information on beneficiaries, including name, sex, date of birth, Social Security number and home address. The network also transmits medical and financial information, showing the diagnosis of a patient’s illness, prescriptions, names of doctors and hospitals, services provided and the amounts paid.

Daniel R. Levinson, the inspector general at the Department of Health and Human Services, and his predecessors have expressed concern about weaknesses in Medicare computer security. The weaknesses “could ultimately result in unauthorized disclosure of sensitive information, improper Medicare payments or disruption of critical operations,” Mr. Levinson warned last year.

The computer network connects the Centers for Medicare and Medicaid Services with banks, insurance companies, hospitals, nursing homes, health plans, other federal agencies and private contractors that pay claims for the government.

Medicare paid more than 1.1 billion claims last year. The size of its computer network and the number of transactions increased this year with the addition of a prescription drug benefit. The new program fills more than three million prescriptions a day. Insurers must file detailed data on each transaction.

In June, Medicare officials warned Humana after a company employee left personal information on 17,000 Medicare beneficiaries unsecured on a hotel computer in Baltimore.

The Bush administration is encouraging adoption of electronic health records and is urging doctors to send prescriptions electronically to drugstores. It is also asking beneficiaries to keep track of their health information, including Medicare claims and prescriptions, by using a new online service at In fine print, the government says it “does not warrant the accuracy” of information on the Web site.