| National Archives and Records Administration

'Significant' security holes in Medicare/Medicaid data

Medicare and Medicaid have “significant” vulnerabilities in their wireless networks that jeopardize the personal information of millions of citizens, according to a report issued Wednesday. 

If exploited, the security holes at certain Centers for Medicare and Medicaid Services data operations could result in “unauthorized access” to personally identifiable information and a possible “disruption of critical operations,” said a Department of Health and Human Services inspector general report. 

The report comes on the heels of a likely breach of the National Security Agency by a group called the “ShadowBrokers” that was revealed earlier this week.

That breach, which occurred in 2013, dumped sensitive hacking tools and source codes from “The Equation Group,” which has been linked to the NSA. The “ShadowBrokers” claim they will auction off additional pieces of the hacked information for a minimum of one million bitcoin (roughly $575 million).

The HHS inspector general office conducted a simulated “wireless penetration test” of 13 CMS “data centers and employee and contractor facilities” between Aug. 31, 2015 and Dec. 4, 2015. It used “tools and techniques commonly used by attackers to gain unauthorized access to wireless networks and sensitive data.”

The report said that, while CMS “had security controls that were effective in preventing certain types of wireless cyber attacks,” the tests identified “four vulnerabilities in security controls over wireless networks.”

It provided few specifics on the types of tests used, but did say the vulnerabilities were a result of “improper configurations and failure to complete necessary upgrades that CMS previously identified and reported as having been currently underway.”

“The vulnerabilities that we identified were collectively and, in some cases, individually significant,” the report said.

Although the inspector general said there was no evidence hackers had exploited the vulnerabilities it found, it warned that hackers could have accessed and disclosed “personally identifiable information, as well as disruption of critical operations.”

“In addition,” the report said, “exploitation could have compromised the confidentiality, integrity, and availability of CMS’s data and systems.”

The inspector general recommended CMS improve its wireless network security controls, but purposely did not disclose specific recommendation in its public report.

In response to the report, Andrew Slavitt, the acting administrator of the CMS, said his agency "has procedures and processes in place to quickly identify, mitigate, and remove threats.”

Slavic said that while he agrees with all of the inspector general’s recommendation, the CMS has "already addressed several of the findings and is in the process of addressing the remaining findings."

Data breaches are a big problem for health care providers across the country.

An October, 2012 inspector general’s report on data breaches at the CMS said there were 14 such incidents affecting 13,775 Medicare beneficiaries between Sept. 23, 2009 and Dec. 31, 2011.

According to a May, 2016 report from the Ponemon Institute, which researches information security policy, almost 90 percent of health care insurers and providers it reviewed had at least one data breach in the past two years. Forty-five percent had more than five data breaches in the same time period.

The institute said half of all data breaches were the result of "criminal attacks," with the rest stemming from “internal problems,” including, "unintentional employee actions, third-party snafus, and stolen computing devices.”

"In 2016, ransomware, malware, and denial-of-service (DOS) attacks are the top cyber threats facing healthcare organizations,” the institute said.