The State of New Mexico did not adequately secure its Medicaid data and information systems, according to an HHS Office of Inspector General audit completed earlier this month.
OIG auditors reviewed the state's Human Services Department to evaluate risks related to the department's move from its legacy eligibility systems to the Automated System Program and Eligibility Network in 2014. HSD completed the ASPEN implementation June 2014 and moved into operation July 2017.
The audit revealed the HSD did not meet certain federal requirements for securing its Medicaid data and information systems.
"Although we did not identify evidence that the vulnerabilities had been exploited, exploitation could have resulted in unauthorized access to, and disclosure of, sensitive information, as well as in disruption of HSD's critical operations," the audit reads. "The vulnerabilities were collectively and, in some cases, individually significant and could have potentially compromised the confidentiality, integrity and availability of HSD's eligibility systems."
In its response, the HSD agreed with all of the audit's findings, however, it opted not to implement one of the OIG's recommendations. Instead, the HSD described a compensating control and plans to accept all associated risks. OIG emphasized it continued to recommend its initial recommendation.
More articles on cybersecurity:
OIG: North Carolina did not meet federal standards for Medicaid claims processing
Philips to update radiation application after discovering security vulnerability
Milestone: Hacking incidents overtake insider breaches for 1st time in 2017