GAO Writes Prescription for CMS Patient Data Malady


The Government Accountability Office (GAO) released a report exploring how Medicare beneficiary data are being shared with external organizations. When caring for patient record data, it seems government needs a better bedside manner and more.

The Centers for Medicare and Medicaid Services (CMS) share data with outside companies for three main purposes: administrative outsourcing, research into care provision, and performance evaluation of service providers. The report found that CMS isn’t ensuring the same security controls across these three functions.

So while some companies are getting the full-fledged treatment, others are being left in the waiting room, or worse, being told to use their own home remedies to keep the data safe. Here’s what GAO saw as the biggest risks, and what CMS ought to be doing about it.

Research Organizations a Potential Headache

GAO determined that research organizations present the biggest risk group for CMS in terms of data security. While other entities receive specialized instructions regarding what security controls to implement, research organizations were merely expected to adhere to broad government-wide standards, such as the National Institute of Standards and Technology (NIST) framework.

“According to CMS, the lack of specific guidance gives the researchers more flexibility to independently assess their security risks and determine which controls are appropriate to implement,” GAO said. “However, without providing comprehensive, risk-based security guidance to researchers, CMS increases the risk that external entities possessing agency data may not have applied security controls that meet CMS standards.”

CMS has not told researchers which specific NIST controls to implement or provided agency-specific procedures. Not telling research organizations how to secure data and simply expecting them to follow generalized best-practice principles opens the door to many different interpretations and outcomes.

GAO also flagged that research entities have received beneficiary data on external hard drives and other physical media, and have transferred that data onto their own systems for review. GAO concludes that this is a surefire way to create more loose ends allowing data to slip into the wrong hands.

Regular Appointments Needed

GAO also looked at oversight and verification of security practices and found disparities.

CMS uses Medicare Administrative Contractors (MACs) to process and distribute payment of Medicare benefits. CMS performs two forms of annual reviews for MACs, and during these reviews evaluates MACs to see that they have implemented CMS guidance regarding agency-specific security controls. While MACs are receiving structured oversight regarding implementation, all other organizations that receive Medicare data are not being similarly checked.

GAO recommends a formalized oversight program, akin to these MAC reviews, for research organizations and other qualified entities that receive data to evaluate Medicare service providers.

Further, GAO flags that MAC reviews could use a checkup. CMS often identifies security control implementation issues with MACs, but it fails to properly catalogue those deemed minor issues. “Without more consistent tracking of these low-risk weaknesses, it may be difficult for CMS to determine if all weaknesses are being addressed in a timely manner,” GAO said.

CMS received the findings of the report prior to its release, and has already described actions it has planned or taken to address the issues. With data breaches becoming a persistent concern across the Federal enterprise, providing prescriptions for the way every outside organization should handle Medicare information is the healthiest way to safeguard data.
