GAO: Medicare data network vulnerable

The communications network used to transmit medical data for the U.S. government's Medicare and Medicaid programs has security vulnerabilities that could expose patients' medical data and other personal information, according to a report released Tuesday.

The report, released by the U.S. Government Accountability Office (GAO), identified 47 weaknesses in the way the U.S. Centers for Medicare and Medicaid Services' (CMS) used a WAN (wide-area network) operated by an unnamed contractor. CMS uses the network to transmit claims data -- including patient names, dates of birth, Social Security numbers, addresses and medical information -- to health-care facilities, contractors, financial institutions, and state Medicaid offices.

"A security breach in this communication network could lead to interruptions in the processing of medical claims or to unauthorized access to personally identifiable medical data, seriously diminishing the public's trust in CMS's ability to protect the sensitive beneficiary data it is entrusted with," the GAO said in the report.

GAO, in its review of CMS security procedures early this year, found that the agency and contractor did not use adequate identification and authentication controls for access to the network, did not restrict user access to only those programs and files workers need, did not close off all access from the private network to the Internet and did not consistently encrypt sensitive data. CMS did not always ensure security policies it has in place, GAO said.

"CMS did not always ensure that its contractor effectively implemented controls designed to prevent, limit, and detect electronic access to sensitive computing resources and to devices used to support the communication network," the GAO said.

GAO gave CMS an early copy of the report, and Dr. Mark McClellan, CMS administrator, said in a July 10 letter the agency took quick action to fix the problems. CMS, working with its contractor, had fixed 22 of the 47 vulnerabilities identified by the July letter, and an additional 14 were scheduled to be fixed within weeks. The final 11 vulnerabilities were "somewhat more complex" and were scheduled to be fixed by Jan. 7, he wrote.

"We are taking further steps to assure that none result in actual security breaches," McClellan added. "We have been proactive in our oversight of the network but are taking further steps to enhance security."

GAO does not typically name contractors in its reports because its focus is on agency performance, a GAO spokesman said.

A CMS spokesman said he did not know which contractor was involved in the network targeted by the GAO report. CMS uses multiple contractors, he said.

The Medicare program is the nation's largest health-insurance program, covering 42 million U.S. citizens.