GAO: CMS needs to improve oversight of Medicare data security

Jessica Kim Cohen - Print  | 

The U.S. Government Accountability Office released a report April 5 outlining recommendations to improve CMS' oversight of Medicare beneficiary data security.

For the report, the GAO analyzed information about how external entities accessed Medicare beneficiary data; compared federal guidance on data security with CMS security requirements; evaluated the results of independent security reviews; and interviewed CMS officials about their oversight practices.

The GAO determined CMS shares Medicare beneficiary data with three major types of external entities:

For MACs and qualified entities, CMS has developed security requirements aligned with federal guidance, according to the report. However, the GAO determined CMS has not developed sufficient guidance for implementing security controls when it comes to researchers, and has not established an adequate program to oversee the implementation of security controls by researchers or qualified entities.

"According to CMS, the lack of specific guidance gives the researchers more flexibility to independently assess their security risks and determine which controls are appropriate to implement," the report reads. "However, without providing comprehensive, risk-based security guidance to researchers, CMS increases the risk that external entities possessing agency data may not have applied security controls that meet CMS standards."

CMS agreed with the GAO's recommendations to develop additional guidance for researchers on implementing security controls, track results of independent assessments and provide oversight of researchers and qualified entities.

To access the GAO's report, click here.

More articles on cybersecurity:
IBM: Why fewer breached records in 2017 is bad news
Report: 7 medical device, supply chain vulnerabilities in hospitals
HHS OIG confirms cybersecurity center under investigation

© Copyright ASC COMMUNICATIONS 2020. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.

To receive the latest hospital and health system business and legal news and analysis from Becker's Hospital Review, sign-up for the free Becker's Hospital Review E-weekly by clicking here.