The U.S. Government Accountability Office (GAO) last week publicly released a report warning the Centers for Medicare and Medicaid Services (CMS) has failed to provide specific security controls guidance to research organizations with whom it shares Medicare beneficiary data.
According to the report, the CMS gives researchers too much leeway to assess their own vulnerabilities and apply the necessary fixes. On the other hand, CMS has instituted considerably stricter guidelines to other partners it shares data with, including Medicare Administrative Contractors (MACs) and "qualified entities" that evaluate the performance of Medicare service providers based on claims data.
The GAO report also notes that CMS has not established an oversight program for security implementations by either researchers or qualified entities. And while MACs are subjected to two independent annual assessments, the CMS does not consistently track vulnerabilities that are categorized as low-risk weaknesses. "Without more consistent tracking of these low-risk weaknesses, it may be difficult for CMS to determine if all weaknesses are being addressed in a timely manner," the report states.