Thursday, November 02, 2006

 

FERC, Medicare Unit Have Security Weaknesses

Report: FERC, Medicare Unit Have Security Weaknesses
Linda Rosencrance, Grant Gross
October 09, 2006 (Computerworld) The Federal Energy Regulatory Commission (FERC) and the U.S. Centers for Medicare & Medicaid Services (CMS) both face security vulnerabilities because of IT shortcomings, according to a pair of government reports.

In a report that was written in August and publicly released last week, the Government Accountability Office (GAO) identified 47 weaknesses in the way that the Medicare and Medicaid centers have been using a wide-area network operated by AT&T Inc. to transmit medical claims data. The weaknesses could expose the medical records and other personal information of patients to malicious hackers, the GAO warned.

The GAO said that the CMS and AT&T didn’t use adequate identification and authentication controls for network access, restrict access to only the programs and files needed by individual users, close off all access from the private network to the Internet or consistently encrypt sensitive data.

The report didn’t name AT&T, but the CMS confirmed that the company operates the WAN under a four-year, $76.6 million contract awarded in 2003. In a statement sent via e-mail, AT&T said it and the CMS “are confident that no proprietary data was ever exposed to unauthorized parties.” More than half of the weaknesses identified by the GAO have been resolved, AT&T added.

CMS Administrator Mark McClellan said in a July 10 letter to the GAO that corrective action or new controls had been completed on 22 of the 47 shortcomings at that point. Eight more were scheduled to be fixed by the end of September, according to McClellan. Another 11 weaknesses that “are somewhat more complex” should be addressed by Jan. 7, he wrote, adding that the CMS is still assessing the resource requirements and financial impact of fixing the final six flaws.

Meanwhile, the U.S. Department of Energy’s inspector general said in a report issued Sept. 25 that the systems used by the FERC are vulnerable to cyberattacks because the commission’s current IT security procedures don’t meet federal guidelines.



Although the FERC has strengthened its cybersecurity program, testing by the inspector general’s office revealed continued problems with default, blank or easily guessed passwords and user-account controls, according to the report. In addition, annual security reviews and security assessments done in connection with system certifications either weren’t performed properly or weren’t adequately documented, the report said.



In a written response that was included with the report, Thomas Herlihy, the FERC’s executive director, concurred with the inspector general’s recommendations but said the commission has “an effective security program” that meets the federal mandates.
