A GAO report found that the Centers for Medicare and Medicaid Services isn’t ensuring beneficiary data is secure.
CMS shares Medicare beneficiary data with three kinds of external parties: Medicare Administrative Contractors (MACs), which perform processing and distribution functions in support of the payment of Medicare benefits; research organizations (researchers), which use Medicare beneficiary data to study how healthcare services are provided to beneficiaries; and qualified public or private entities, which use claims data to evaluate the performance of Medicare service providers and equipment suppliers.
While CMS has developed guidance for MACs and qualified entities, it has not developed equivalent guidance for researchers. Researchers must adhere to broad government-wide standards, but are not given guidance on which specific controls to implement.
CMS has also established an oversight program for the security of MAC data, but has not established a corresponding program to oversee security implementation by researchers and qualified entities. Without effective oversight measures in place for researchers and qualified entities, CMS cannot fully ensure that the security of Medicare beneficiary data is being adequately protected.
GAO recommends that the administrator of the Centers for Medicare and Medicaid Services develop and distribute guidance for researchers defining minimum security controls and implementation guidance for those controls that is consistent with the National Institute of Standards and Technology guidance. It also recommends developing processes and procedures to ensure that findings from all MAC assessments are classified consistently and tracked appropriately, and developing processes and procedures to ensure that qualified entities and researchers have implemented information security controls effectively throughout their agreements with CMS.