CMS security holes expose patient data

A new study by the Government Accountability Office has concluded that the systems used by the Centers for Medicare and Medicaid Services (CMS) to send and receive bills and communicate with providers are riddled with at least 47 security holes. According to the GAO, the CMS network hasn't implemented sufficiently secure user identification and authentication, user authorization, system boundary protection, cryptography, and auditing and security event monitoring. CMS also failed to make sure that network users' duties were adequately segregated and that network devices were configured securely, GAO said. It seems that the contractor managing the CMS network--for how much longer, we wonder?--has not always followed CMS security guidelines.

As a result, intruders could theoretically have accessed highly confidential data, including a patient's name, sex, date of birth, Social Security number, mailing address, diagnosis, prescribed drugs and physician's name. In a public statement responding to the report, CMS administrator Mark McClellan said that 22 of the holes have been patched since the audit was done in late 2005, though he admitted that as many as 17 others might not be fixed until January 2007 or beyond. McClellan did insist that no one had discovered and exploited these vulnerabilities as of yet. Still, something is definitely broken: in fact, a previous GAO study found that 40 percent of CMS Medicaid, Medicare and Tricare contractors had seen breaches of private healthcare information. Would security-lax contractors still have a job if they were working for private industry? If not, why are they still getting tax dollars? Your guess is as good as mine.

To get more details on CMS's security woes:
- check out this piece from TechWeb
- read the GAO report (.pdf)