GAO: Medicare Agency Isn’t Doing Enough to Ensure Beneficiary Data Is Secure

The Health and Human Services division that manages Medicare and Medicaid data hasn’t established special security rules for health care researchers that access beneficiaries’ data, an auditor said Thursday.

Those researchers must follow broad rules that apply to all government data but, unlike Medicare contractors, they aren’t required to follow stringent data security rules designed for Medicare and Medicaid data, according to the Government Accountability Office report.

The Centers for Medicare and Medicaid Services hasn’t applied special rules to researchers because it wants to give them “more flexibility to independently assess their security risks and determine which controls are appropriate,” the report states.

However, the lack of specific guidance increases the risk that beneficiary data will be breached, GAO said.

The auditor recommended the health benefits agency establish minimum security guidelines for researchers. Those guidelines should be based on security controls developed by the National Institute of Standards and Technology.

The Medicare and Medicaid agency also isn’t vetting researchers to make sure they’re adhering to the security guidelines they say they are, GAO said, nor is it vetting or organizations that track the performance of Medicare service providers.

The agency does vet security performance by contractors, GAO said, but doesn’t sufficiently track the security weaknesses it deems “low risk.”

GAO also recommended that the agency begin vetting the security performance of all the people and groups that access beneficiary data and track all security weaknesses.

“Without effective oversight measures in place for researchers and qualified entities, CMS cannot fully ensure that the security of Medicare beneficiary data is being adequately protected,” the auditor said.

The agency agreed with all the recommendations.

The House Energy and Commerce Committee requested the review.