Security problems found in Medicare computer network
Physician names and ID numbers, as well as patient treatment information, are at risk for unauthorized discovery, the GAO says.
By David Glendinning — Posted Oct. 23, 2006
Washington -- The computer network that the federal government uses to transmit Medicare claims data is riddled with security weaknesses that could result in the inappropriate disclosure of sensitive information, according to a new report.
The Government Accountability Office identified nearly 50 significant flaws in the system that controls access to the Medicare claims information while it is being sent from one federal entity to another.
The Centers for Medicare & Medicaid Services contracts with a private firm to manage the network that handles transmission of these data.
The names and ID numbers of physicians treating Medicare patients, as well as information about the medical services and diagnoses that individual doctors provide, could be open to discovery by someone who takes advantage of one of the weaknesses, the GAO said.
The study found that the ability of the contractor to authenticate users who manage the communications network was inadequate. In the event that the network does suffer an external attack, auditing systems would not necessarily be able to identify how the breach occurred.
In some cases, the government is not ensuring that its own network security policies are being followed when it comes to transmitting Medicare claims data, the report said. The oversight agency urged CMS' chief information officer to close these security gaps.
"Until CMS ensures that all information security policies are being fully implemented, there is limited assurance that its sensitive data will be adequately protected against unauthorized disclosure and that network services will not be interrupted," the GAO said.
The report, conducted at the behest of Senate Finance Committee Chair Charles Grassley (R, Iowa), focused on the potential misuse of beneficiaries' personal information, such as Social Security numbers and dates of birth.
Some medical information in the claims also could be particularly sensitive, such as what drugs a patient is taking or whether a patient had visited a psychiatric treatment center or a substance abuse facility.
Outgoing CMS Administrator Mark McClellan, MD, PhD, in his response to the report, said the agency already had corrected more than half of the security flaws and had plans to close most of the remaining gaps by early January.
He stressed that the GAO had found no evidence that sensitive beneficiary or physician information had been subject to a security breach or that confidential data had been misused.
The network communications system does not actually store any of the Medicare claims information after it has transmitted it, Dr. McClellan noted. The GAO did not investigate the security of network servers designed for storage purposes. "Because data do not reside on the network, intercepting or compromising information during transit across the network would be difficult," he said.












