“Why OIG Did This Review
The Social Security Act requires that each Medicare administrative contractor (MAC) have its information security program evaluated annually by an independent entity. The Centers for Medicare & Medicaid Services (CMS) contracted with Guidehouse, LLP (Guidehouse), to evaluate information security programs at the MACs, using a set of agreed-upon procedures (AUPs). HHS OIG must submit to Congress annual reports on the results of these evaluations, to include assessments of their scope and sufficiency. This report fulfills that responsibility for fiscal year 2018…”
“What OIG Found
Guidehouse’s evaluations of the contractor information security programs were adequate in scope and sufficiency. Guidehouse reported a total of 112 gaps at the 7 MACs for FY 2018, which was 26 percent more than the number of gaps for the same 7 contractors in FY 2017. The increase was due in part to the addition of database and web server testing. Deficiencies remained in eight of the nine Federal Information Security Modernization Act of 2014 control areas that were tested. CMS should continue its oversight visits and ensure that the MACs remediate all gaps to improve the MACs’ information technology security…”
“What OIG Recommends and CMS Comments
This report contains no recommendations. CMS had no comments on the draft report.” Access the full 18-page report here.
Source: Review of Medicare Administrative Contractor Information Security Program Evaluations for Fiscal Year 2018 – August 23, 2019. Oversight.gov.
