An HHS report noted serious vulnerabilities affecting 10 state Medicaid agencies.

The Department of Health and Human Services (HHS) has released a report on “high risk” security issues that impacted 10 state Medicaid agencies.

Released last month by the department's Inspector General's office, the report (PDF) calls attention to concerns discovered during audits performed between 2010 and 2012.

The Office of Inspector General (OIG) released the findings to increase public awareness about “pervasive vulnerabilities across state agencies,” an executive summary of the report said.

The security issues were broken up into three general categories: those affecting entity-wide controls, access controls and network operations controls, with a total of 79 security issues being found across the 10 states.

The impacted state agencies were not named in the report, since certain information was omitted so as not to compromise the security of Medicaid systems, the report said.

Of note, one state agency with an “entity-wide” security control issue had not encrypted the hard drives of 14 laptops, “leaving them susceptible to unauthorized access.”

The report also shed light on an access control issue at one state agency, which could allow attackers to successfully run “automated login attack tools without detection” to access sensitive information.

“One state agency had not enabled the network user account lockout function after unsuccessful login attempts…” the report revealed of the incident.

Under the “network operations controls” category, the report also noted one Medicaid agency's inadequate patch management process, where the organization “had not established an automated process for patching its network devices and was attempting to manually patch and monitor more than 500 devices,” the report said.

“Additionally, approximately 30 percent of that same state agency's Microsoft servers and workstations did not have the latest patches,” the report continued.

Just last Wednesday, the U.S. Government Accountability Office (GAO) released a report on federal agencies failing to adequately guard against data breaches and protect Americans' personally identifiable information (PII) from intruders.

The findings revealed that, from 2009 to 2013, the number of data breaches reported by government had more than doubled to 25,566 incidents.

The results of the study, called “Information Security: Federal Agencies Need to Enhance Responses to Data Breaches,” were revealed at a Senate hearing by GAO Director of Information Security Issues Gregory Wilshusen.