CMS dinged for Medicare beneficiary data security
- By Sara Friedman
Recent data breaches in the health care industry have the chairmen of three congressional committees concerned about the security of health information, including the personally identifiable information of Medicare beneficiaries. A recent report from the Government Accountability Office found the Center for Medicare & Medicaid Services isn’t doing enough to secure the Medicare beneficiary data that is accessed by external entities.
CMS shares Medicare beneficiary data with Medicare Administrative Contractors (MACs) who process claims for hospital stays, doctor’s visits and durable medical equipment on behalf of the agency. It also shares data with researchers and what it calls "qualified entities," which assess the effectiveness of Medicare service providers and equipment suppliers.
All of this information is stored in CMS Virtual Data Centers, which MACs connect to through the CMSNet telecommunications network.
Researchers and qualified entities can also access Medicare data stored in the CMS Chronic Conditions Data Warehouse and Virtual Research Data Center. They can access the data through a CMS-provided secure network connection that takes them to a computing environment where copies of the specific beneficiary data they have been authorized to use is stored. They can then analyze the data in this secure environment using software tools provided by CMS.
CMS can also give researchers and qualified entities data access by mailing them an encrypted copy of the data. Once researchers receive the data, they transfer it to their own systems and secure it according to the data use agreement they've signed. The data security policies and procedures of researchers' systems, however, "may or may not be consistent with CMS requirements,” GAO found.
CMS has not given researchers specific security requirements to adequately protect data received from CMS, GAO said.
The agency has developed security controls for MACs and qualified entities, but it has not applied those requirements to researchers because the agency does not consider them contractors. Researchers have “only broad federal guidance,” such as the National Institute of Standards and Technology's Special Publication 800-53, as a reference point.
"Without providing comprehensive, risk-based requirements for implementing security controls to all external entities that have access to Medicare beneficiary data, CMS increases the risk that external entities possessing CMS data may not have applied security controls that meet CMS standards," GAO said.
GAO recommended CMS give researchers guidance on implementing security controls and develop to ensure those controls have been implemented. CMS concurred with the findings.
Read the full report here.