The GAO concluded that information on the network could be disclosed without authorization and that vulnerabilities could be used to disrupt CMS services.
A security breach could allow "unauthorized access to personally identifiable medical data, seriously diminishing the publics trust in CMS ability to protect the sensitive beneficiary data it is entrusted with." The report comes at a time when worries about medical identity theft are growing.
Besides personally identifiable information like name, address, and social security number, potentially compromised information could include treatments for psychiatric disorders and substance abuse problems.
According to the GAO, Medicare helps over 42 million patients obtain health care from over 1 million providers, collecting droves of sensitive data in the process.
To reach its conclusions, GAO researchers visited three network contractor sites that transmit CMS information, examining "routers, network management servers, switches, firewalls and administrator workstations."
CMS did not always encrypt medical data or other sensitive information traveling over these networks, according to the report. CMS also allowed its contractor to use passwords that were too simple and gave workers more access than they needed to do their jobs. These and other vulnerabilities "provide more opportunities for an attacker to escalate their privileges and make unauthorized changes to files" as well as "to gain unauthorized access to network resources," the report said.
The situation did not surprise one manager at a network security firm, who asked not to named. "Its a standard set of problems." The manager had not worked with the CMS network but has worked with other government systems.
In a statement, CMS Administrator Mark McClellan, in Baltimore, said CMS had been aware of and was addressing many of the problems. He downplayed their significance, saying that about half of the identified problems had already been fixed, and that there are no signs that any of the vulnerabilities had been exploited. Because the network transmits rather than houses information, intercepting the information would be difficult, he said.
However, the network security manager said, "Its harder to get the data because you have to watch for it, but the data are still vulnerable." In particular, thieves could monitor for authentication codes that they could then use to gain access to particular information they want.
Sensitive information throughout the network is at risk, the GAO report concluded. Such information is communicated between diverse agencies, said the report, "including the CMS central office and data center, CMS regional offices, financial institutions, Medicare intermediaries and carriers, Medicare data centers, skilled nursing facilities and home health agencies, CMS contractors, state Medicaid offices, other federal agencies, quality information organizations, and CMS disaster recovery services."
The identified vulnerabilities fell into several categories including user identification, authentication and authorization. Additionally, "security-related events" were not monitored or audited, provisions to make sure network configurations were secure were flawed, and different components of the network were not physically or logistically separated, so that people with legitimate access to one part of the network could have an easier time reaching areas for which they are unauthorized.
In some cases, said the report, "certain network devices did not have any users defined, allowing for the execution of unauthorized commands without any means of designating individual accountability for the action."
The study was conducted at the request of the Senate Finance Committee. The full report is available as a pdf.