TELECOM Digest OnLine - Sorted: Security of Medicare Information Questioned

Security of Medicare Information Questioned

Julie Appleby (
Thu, 23 Mar 2006 13:09:52 -0600

By Julie Appleby, USA TODAY

Medical and financial information gathered on millions of Americans by
Medicare, Medicaid and other government programs is vulnerable to
thieves or pranksters because of inadequate computer security, federal
investigators say.

"Significant weaknesses in information security controls" increase the
risk from those who would "inadvertently or deliberately disclose,
modify or destroy" sensitive data, the U.S. Government Accountability
Office says.

The soon-to-be-released GAO review focuses on the Department of
Health and Human Services (HHS), whose agencies use computer systems to pay
more than a billion Medicare claims worth more than $290 billion each year,
track medical research at the National Institutes of Health and manage Food
and Drug Administration programs.

"Instead of firewalls to safeguard sensitive data, we have Swiss
cheese," says Sen. Chuck Grassley, R-Iowa, chairman of the Senate
Finance Committee, which requested the report. Grassley's office says
Medicare keeps a variety of information on beneficiaries, including
Social Security numbers, addresses, birth dates and medical

In a written response in the report, HHS officials said
investigators do "not provide an accurate or complete appraisal" of its
security programs and fail to note a 2005 effort that resulted in a
reduction of 57% in reportable deficiencies.

"The frequent use of the word 'significant' to describe control
weaknesses ... evokes a negative connotation that is not reflective of the
progress or current state of HHS' information security program," the
department said.

The review comes as the federal government is pushing computer
technology as key to improving medical quality and slowing costs. In
fiscal 2005, HHS will spend nearly $5 billion on information
technology, the report says, much of it to help process Medicare
payments to doctors and hospitals.

Investigators for the GAO reviewed management and audit reports from
2004 and 2005 that outline security practices at 13 HHS divisions and

.Anti-virus software not installed or up to date.

.Lack of adequate control over computer passwords.

.Employees and contractors serving without background checks.

.Inadequate physical controls to prevent spying or theft, such
as non-working surveillance cameras and unrestricted access to a data

"Fundamentally, it's an organization that is behind in making security
part of its regular operations," says Alan Paller, who has seen the
report but was not involved in writing it. Paller is research director
at security firm the SANS Institute in Bethesda, Md. "It's very
dangerous for health care data."

Find this article at:

Post Followup Article Use your browser's quoting feature to quote article into reply
Go to Next message: Srikanth_V: "Empplyment Opporutnity: Network Provisioner"
Go to Previous message: Roger Yu: "Fliers Privacy Safe"
TELECOM Digest: Home Page