Information Security
The Centers for Medicare & Medicaid Services Needs to Improve Controls over Key Communication Network Gao ID: GAO-06-750 August 30, 2006The Centers for Medicare & Medicaid Services (CMS), a component within the Department of Health and Human Services (HHS), is responsible for overseeing the Medicare and Medicaid programs--the nation's largest health insurance programs--which benefit about one in every four Americans. CMS relies on a contractor-owned and operated network to facilitate communication and data transmission among CMS business related entities. Effective information security controls are essential to protecting the confidentiality, integrity, and availability of this sensitive information. At Congress's request, GAO assessed the effectiveness of information security controls over the communication network used by CMS by conducting a technical assessment of the information security controls that are currently in place.
Although CMS had many key information security controls in place--which had been designed to safeguard the communication network--some were missing, and existing ones had not always been effectively implemented. Significant weaknesses in electronic access and other system controls threatened the confidentiality and availability of sensitive CMS financial and medical information when it was transmitted across the network. CMS did not always ensure that its contractor effectively implemented electronic access controls designed to prevent, limit, and detect unauthorized access to sensitive computing resources and devices used to support the communication network. GAO discovered numerous vulnerabilities in several areas: user identification and authentication, user authorization, system boundary protection, cryptography, and auditing and monitoring of security-related events. There were also weaknesses in controls that had been designed to ensure that secure configurations would be implemented on network devices and that incompatible duties would be sufficiently segregated. A key reason for these weaknesses is that CMS did not always ensure that its security policies and standards were implemented effectively. As a result, sensitive, personally identifiable medical data traversing the network is vulnerable to unauthorized disclosure and these weaknesses could lead to disruptions in CMS services.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-06-750, Information Security: The Centers for Medicare & Medicaid Services Needs to Improve Controls over Key Communication Network
This is the accessible text file for GAO report number GAO-06-750
entitled 'Information Security: The Centers for Medicare & Medicaid
Services Needs to Improve Controls over Key Communication Network'
which was released on October 3, 2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Chairman, Committee on Finance, U.S. Senate:
United States Government Accountability Office:
GAO:
August 2006:
Information Security:
The Centers for Medicare & Medicaid Services Needs to Improve Controls
over Key Communication Network:
CMS Information Security:
GAO-06-750:
GAO Highlights:
Highlights of GAO-06-750, a report to the Chairman, Committee on
Finance, U.S. Senate
Why GAO Did This Study:
The Centers for Medicare & Medicaid Services (CMS), a component within
the Department of Health and Human Services (HHS), is responsible for
overseeing the Medicare and Medicaid programs”the nation‘s largest
health insurance programs”which benefit about one in every four
Americans.
CMS relies on a contractor owned and operated network to facilitate
communication and data transmission among CMS business related entities
(see figure). Effective information security controls are essential to
protecting the confidentiality, integrity, and availability of this
sensitive information.
At your request, GAO assessed the effectiveness of information security
controls over the communication network used by CMS by conducting a
technical assessment of the information security controls that are
currently in place.
What GAO Found:
Although CMS had many key information security controls in place”which
had been designed to safeguard the communication network”some were
missing, and existing ones had not always been effectively implemented.
Significant weaknesses in electronic access and other system controls
threatened the confidentiality and availability of sensitive CMS
financial and medical information when it was transmitted across the
network. CMS did not always ensure that its contractor effectively
implemented electronic access controls designed to prevent, limit, and
detect unauthorized access to sensitive computing resources and devices
used to support the communication network.
GAO discovered numerous vulnerabilities in several areas: user
identification and authentication, user authorization, system boundary
protection, cryptography, and auditing and monitoring of security-
related events. There were also weaknesses in controls that had been
designed to ensure that secure configurations would be implemented on
network devices and that incompatible duties would be sufficiently
segregated. A key reason for these weaknesses is that CMS did not
always ensure that its security policies and standards were implemented
effectively. As a result, sensitive, personally identifiable medical
data traversing the network is vulnerable to unauthorized disclosure
and these weaknesses could lead to disruptions in CMS services.
Figure: Communication Network Interconnections:
[See PDF for Image]
Source: CMS.
[End of Figure]
What GAO Recommends:
GAO recommends that the CMS Administrator direct the Chief Information
Officer to take steps to ensure that information security policies and
standards are fully implemented.
In commenting on a draft of the report, the CMS Administrator stated
that CMS has moved aggressively to implement corrective actions for the
reported weaknesses.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-750].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Gregory Wilshusen at
(202) 512-6244 or wilshuseng@gao.gov.
[End of Section]
Contents:
Letter:
Results in Brief:
Background:
Objective, Scope, and Methodology:
Significant Network Weaknesses Place Medical Data at Risk:
Conclusions:
Recommendation for Executive Action:
Agency Comments:
Appendix I: Comments from the Centers for Medicare & Medicaid Services:
Appendix II: GAO Contacts and Staff Acknowledgments:
Figure:
Figure 1: Communication Network Interconnections:
Abbreviations:
CMS: Centers for Medicare & Medicaid Services:
FISCAM: Federal Information System Controls Audit Manual:
FISMA: Federal Information Security Management Act:
HHS: Department of Health and Human Services:
United States Government Accountability Office:
Washington, DC 20548:
August 30, 2006:
The Honorable Charles E. Grassley:
Chairman:
Committee on Finance:
United States Senate:
The Centers for Medicare & Medicaid Services (CMS), a component within
the Department of Health and Human Services (HHS), is responsible for
overseeing the Medicare and Medicaid programs--the nation's largest
health insurance programs--which benefit about one in every four
Americans.
CMS relies on a contractor-owned and operated network to facilitate
communication and data transmission among CMS business-related
entities. Effective information security controls are essential to
protecting the confidentiality, integrity, and availability of
sensitive information transmitted over the network. A security breach
in this communication network could lead to interruptions in the
processing of medical claims or to unauthorized access to personally
identifiable medical data, seriously diminishing the public's trust in
CMS's ability to protect the sensitive beneficiary data it is entrusted
with.
At your request, we assessed the effectiveness of information security
controls over the communication network used by CMS. This report
summarizes the vulnerabilities and information control weaknesses that
we identified during our review and our recommendation to help
strengthen and improve the communication network. We also issued a
separate report, for limited distribution, that contains sensitive
information. It describes in more detail the information security
weaknesses that we identified and our specific recommendations for
correcting them.
Results in Brief:
Information security controls over the communication network were
ineffective in protecting the confidentiality and availability of
information and information resources. Although CMS had many
information security controls in place that had been designed to
safeguard the communication network, key information security controls
were missing. In addition, the controls that were in place had not
always been effectively implemented. Specifically, CMS did not always
ensure that its contractor effectively implemented controls designed to
prevent, limit, and detect electronic access to sensitive computing
resources and to devices used to support the communication network. For
example, the network had control weaknesses in areas such as user
identification and authentication, user authorization, system boundary
protection, cryptography, and audit and monitoring of security-related
events. Taken collectively, these weaknesses place financial and
personally identifiable medical information transmitted on the network
at increased risk of unauthorized disclosure and could result in a
disruption in service. A key reason for these weaknesses is that CMS
did not always ensure that its security policies and standards were
fully implemented.
We are making a recommendation to the CMS Administrator to take steps
to ensure that information security policies and standards are fully
implemented. In a separate report, for limited distribution, we made
recommendations to address the specific weaknesses identified.
In commenting on a draft of the report, the CMS Administrator stated
that CMS has moved aggressively to implement corrective actions for the
reported weaknesses.
Background:
Information security is a critical consideration for any organization
that depends on information systems and computer networks to carry out
its mission or business. It is especially important for government
agencies, where the public's trust is essential. The dramatic expansion
in computer interconnectivity and the rapid increase in the use of the
Internet are changing the way our government, the nation, and much of
the world communicate and conduct business. Without proper safeguards,
systems are unprotected from individuals and groups with malicious
intent who can intrude and use their access to obtain sensitive
information, commit fraud, disrupt operations, or launch attacks
against other computer systems and networks. These concerns are well
founded for a number of reasons, including the dramatic increase in
reports of security incidents, the ease of obtaining and using hacking
tools, the steady advance in the sophistication and effectiveness of
attack technology, and the dire warnings of new and more destructive
attacks to come.
Computer-supported federal operations are likewise at risk. Our
previous reports, and those of agency inspectors general, describe
persistent information security weaknesses that place a variety of
federal operations at risk of disruption, fraud, or inappropriate
disclosure of sensitive data. We have designated information security
as a governmentwide high-risk area since 1997[Footnote 1]--a
designation that remains today[Footnote 2].
Recognizing the importance of securing federal agencies' information
systems, Congress enacted the Federal Information Security Management
Act (FISMA) in December 2002 to strengthen the security of information
and systems within federal agencies. FISMA requires each agency to
develop, document, and implement an agencywide information security
program to provide information security for the information and systems
that support the operations and assets of the agency, including those
operated or maintained by contractors or others on behalf of the
agency, using a risk-based approach to information security management.
CMS Oversees the Medicare & Medicaid Programs:
CMS, a component of HHS, is responsible for overseeing two major health
programs. It administers the Medicare program--the nation's largest
health insurance program--which covers more than 42 million Americans.
This program was enacted to extend affordable health insurance coverage
to the elderly and was later expanded to cover some people with
disabilities who are under the age of 65 years. CMS also works with the
states to administer the Medicaid program, enacted in 1965 as a jointly
funded program, in which the federal government matches state spending
according to a formula to provide medical and health-related services
to low-income Americans.
CMS relies extensively on computerized systems to support its mission-
critical operations and to transmit and store the sensitive information
it collects. In particular, CMS relies on a contractor-owned and
operated network from which it purchases networking services to provide
connectivity to its business partners. This network supports
communication and data transmission between CMS business-related
entities, including the CMS central office and data center, CMS
regional offices, financial institutions, Medicare intermediaries and
carriers, Medicare data centers, skilled nursing facilities and home
health agencies, CMS contractors,[Footnote 3] state Medicaid offices,
other federal agencies, quality information organizations, and CMS
disaster recovery services (see fig. 1).
Figure 1: Communication Network Interconnections:
[See PDF for image]
Source: CMS.
[End of figure]
The communication network transmits Medicare claims data containing
personally identifiable information such as name, sex, date of birth,
social security number, and address. It also transmits medical
information, such as a patient's diagnosis, prescribed drug and drug
dosage, type of treatment facility--which includes substance abuse
facilities or psychiatric treatment centers--requested service, and the
physician's name and ID number. The communication network also
transmits payment information, such as payment amount and billing
information. The communication network does not house either Medicare
or Medicaid data.
Objective, Scope, and Methodology:
The objective of our review was to determine whether CMS has
implemented information security controls over the communication
network to effectively protect the confidentiality, integrity, and
availability of its information and information resources.
To evaluate the effectiveness of the security controls over the
communication network, we examined routers, network management servers,
switches, firewalls, and administrator workstations, at CMS
headquarters, its business partners, and at several network contractor
sites. Our evaluation was based on our Federal Information System
Controls Audit Manual (FISCAM), which provides guidance for reviewing
information system controls.
Specifically, we evaluated information security controls intended to:
* limit, detect, and monitor electronic access to sensitive computing
resources, thereby safeguarding them from misuse and protecting them
from unauthorized disclosure and modification;
* maintain operating system integrity through effective administration
and control of powerful computer programs and utilities that execute
privileged instructions;
* prevent the introduction of unauthorized changes to application or
system software; and:
* ensure that work responsibilities are segregated, so that one
individual does not perform or control all key aspects of computer-
related operations and thereby have the ability to conduct unauthorized
actions or gain unauthorized access to assets or records.
We did not evaluate controls over servers used to store Medicare or
Medicaid data.
We performed our work at three network contractor sites and at the CMS
Central Office. This review was performed from January through May 2006
in accordance with generally accepted government auditing standards.
Significant Network Weaknesses Place Medical Data at Risk:
Although CMS has many information security controls in place that are
designed to safeguard the communication network, there were significant
weaknesses in electronic access controls and other controls designed to
protect the confidentiality, integrity, and availability of the
sensitive, personally identifiable medical information it transmits.
Our review of the communication network revealed 47 weaknesses in
electronic access controls and other controls. A key reason for these
weaknesses was that CMS did not always ensure the effective
implementation of its security policies and standards. As a result,
sensitive, personally identifiable, medical data traversing this
network are vulnerable to unauthorized disclosure, and these weaknesses
could lead to disruptions in CMS operations.
Electronic Access Controls Are Inadequate:
A basic management objective for any organization is to protect the
resources that support its critical operations from unauthorized
access. Organizations accomplish this objective by designing and
implementing electronic controls that are intended to prevent, limit,
and detect unauthorized access to computing resources, programs, and
information. Inadequate electronic access controls diminish the
reliability of computerized information and increase the risk of
unauthorized disclosure, modification, and destruction of sensitive
information and disruption of service. Electronic access controls
include those related to user identification and authentication,
authorization, boundary protection, cryptography, and auditing and
monitoring of security-related events. CMS's contractor did not
consistently implement effective electronic access controls in each of
these areas, as the following sections demonstrate.
User Identification and Authentication:
A computer system must be able to identify and authenticate different
users so that activities on the system can be linked to specific
individuals. When an organization assigns unique user accounts to
specific users, the system is able to distinguish one user from
another--a process called identification. The system must also
establish the validity of a user's claimed identity by requesting some
kind of information, such as a password, that is known only by the
user--a process known as authentication. CMS policy requires the
implementation of automated identification and authentication
mechanisms that enable the unique identification and authentication of
individual users or processes acting on behalf of CMS information
system users.
CMS did not ensure that its contractor adequately identified and
authenticated users responsible for managing the communication network.
For example, CMS's contractor did not enforce sufficiently complex
passwords for access to certain network devices. This increases the
risk that unauthorized users could gain access to CMS systems and
sensitive information.
Authorization:
Authorization is the process of granting or denying access rights and
privileges to a protected resource, such as a network, system,
application, function, or file. A key component of granting or denying
access rights is the concept of "least privilege." Least privilege is a
basic principle for securing computer resources and data. It means that
users are granted only those access rights and permissions that they
need to perform their official duties. To restrict legitimate users'
access to only those programs and files that they need in order to do
their work, organizations establish access rights and permissions.
"User rights" are allowable actions that can be assigned to users or to
groups of users. File and directory permissions are rules that are
associated with a particular file or directory, regulating which users
can access it--and the extent of that access. To avoid unintentionally
giving users unnecessary access to sensitive files and directories, an
organization must give careful consideration to its assignment of
rights and permissions. CMS policy requires that each user or process
be assigned only those privileges needed to perform authorized tasks.
CMS did not ensure that its contractor sufficiently restricted network
access and privileges to only those users and processes requiring them
to perform authorized tasks. For example, CMS's contractor did not
adequately restrict access paths on certain network devices. In
addition, the contractor had several sensitive world-writable files on
network management servers, granting inappropriate privileges to these
files. These conditions provide more opportunities for an attacker to
escalate their privileges and make unauthorized changes to files.
Boundary Protection:
Boundary protections demarcate logical or physical boundaries between
protected information and systems and unknown users. Organizations
physically allocate publicly accessible information system components
to separate subnetworks with separate physical network interfaces, and
they prevent public access into their internal networks--except as
appropriately mediated. Unnecessary connectivity to an organization's
network increases not only the number of access paths that must be
managed and the complexity of the task, but the risk of unauthorized
access in a shared environment. CMS policy requires that automated
boundary protection mechanisms be established to monitor and control
communications at the external boundary of the information system and
at key internal boundaries within the system. Additionally, CMS
requires that any connections to the Internet or to other external
systems be through controlled interfaces.
CMS did not ensure that its contractor adequately implemented controls
used to protect its external and key internal boundaries. For example,
certain network devices did not adequately restrict external
communication traffic. In addition, although the communication network
was considered a secure closed private network, indirect paths existed
between it and the Internet. Consequently, an unauthorized individual
could exploit these vulnerabilities to launch attacks against other
sensitive network devices.
Cryptography:
Cryptography underlies many of the mechanisms used to enforce the
confidentiality and integrity of critical and sensitive information.
One primary principle of cryptography is encryption. Encryption can be
used to provide basic data confidentiality and integrity for data, by
transforming plain text into cipher text using a special value known as
a key and a mathematical process known as an algorithm. CMS policy
requires that technical controls be established and implemented to
protect the confidentiality of sensitive CMS data while it is in
transit. CMS also requires the encryption of highly sensitive system
files.
CMS did not consistently apply encryption to protect the sensitive data
traversing the communication network. In addition, its contractor did
not consistently apply encryption to protect network configuration data
stored on network devices. For example, medical data and sensitive
network management traffic traverse the network unencrypted. This could
allow an attacker to view medical information, or system data
transmitted over the network, increasing the risk that malicious users
could capture this information and use it to gain unauthorized access
to network resources.
Audit and Monitoring:
To establish individual accountability, monitor compliance with
security policies, and investigate security violations, it is crucial
to determine what, when, and by whom specific actions have been taken
on a system. Organizations accomplish this by implementing system or
security software that provides an audit trail that they can use to
determine the source of a transaction or attempted transaction and to
monitor users' activities. The way in which organizations configure
system or security software determines the nature and extent of
information that the audit trails can provide. CMS policy requires the
enforcement of auditing and accountability by configuring information
systems to produce, store, and retain audit records of specific system,
application, network, and user activity. CMS also requires that audit
records contain sufficient information to establish what events
occurred, when the events occurred, the source of the events, the cause
of the events, and the event outcome.
However, CMS's contractor did not provide adequate logging or user
accountability on the communication network. For example, certain
network devices did not have any users defined, allowing for the
execution of unauthorized commands without any means of designating
individual accountability for the action.
Other Control Weaknesses:
In addition to electronic access controls, other important controls
should be in place to ensure the confidentiality, integrity, and
availability of an organization's information and systems. These
controls include techniques designed to ensure the implementation of
secure configurations on network devices and to provide sufficient
segregation of incompatible duties. Our review of the communication
network revealed weaknesses in each of these areas. These weaknesses
increase the risk that unauthorized individuals can gain access to
network devices and inadvertently or deliberately disclose financial
and medical data needed to process Medicare claims, or disrupt
operations.
Configuration Management:
To protect an organization's information, it is important to ensure
that only authorized applications and programs are placed in operation.
This process, known as configuration management, consists of
instituting policies, procedures, and techniques to help ensure that
all programs and program modifications are properly authorized, tested,
and approved. Patch management, a component of configuration
management, is an important element in mitigating the risks associated
with software vulnerabilities. Up-to-date patch installation could help
mitigate vulnerabilities associated with flaws in software code which
could be exploited to cause significant damage--ranging from Web site
defacement to the loss of control of entire systems--thereby enabling
malicious individuals to read, modify, or delete sensitive information,
disrupt operations, or launch attacks against other organizations'
systems. CMS policy requires the maintenance of system hardware and
software on all CMS information systems. Software maintenance includes
the installation of all relevant patches and fixes that are required to
correct security flaws in existing software and to ensure the
continuity of business operations.
CMS did not ensure the application of timely and comprehensive patches
and fixes to system software. For example, certain administrative
workstations and network management servers reviewed were missing
critical patches addressing known vulnerabilities. In addition, certain
network devices used vulnerable operating system software. Failure to
keep system patches up to date could lead to denial-of-service attacks
or to individuals gaining unauthorized access to network resources. A
malicious user can exploit these vulnerabilities to gain unauthorized
access to network resources or disrupt network operations. As a result,
there is increased risk that the integrity of these network devices and
administrator workstations could be compromised.
Segregation of Duties:
Segregation of duties refers to the policies, procedures, and
organizational structure that help ensure that no single individual can
independently control all key aspects of a process or computer-related
operation and thereby gain unauthorized access to assets or records.
Often, segregation of duties is achieved by dividing responsibilities
among two or more individuals or organizational groups. This diminishes
the likelihood that errors and wrongful acts will go undetected,
because the activities of one individual or group will serve as a check
on the activities of the other. Inadequate segregation of duties
increases the risk that erroneous or fraudulent transactions could be
processed, improper program changes implemented, and computer resources
damaged or destroyed. CMS policy requires that separation of duties be
observed in order to eliminate conflicts of interest in the
responsibilities and duties assigned to individuals.
CMS did not always ensure that its contractor sufficiently segregate
incompatible responsibilities and duties. For example, the CMS network
contractor allowed developer and test access to production network
management servers, potentially allowing unauthorized and unnecessary
access to sensitive network management data. Granting this type of
access to individuals who do not require it to perform their specific
job responsibilities, increases the risk that sensitive information or
programs could be improperly modified, disclosed, or deleted.
Consequently, increased risk exists that these individuals could
introduce software errors into production or perform unauthorized
system activities without being detected.
Security Policies Were Not Always Fully Implemented:
Although CMS has developed and documented information security
policies, a key reason for the communication network weaknesses was
that CMS did not always ensure the effective implementation of its
security policies and standards.
Establishing and implementing appropriate policies and related controls
are key elements of an effective information security program. In order
to ensure the implementation of effective information security
controls, agencies need to develop comprehensive information security
policies that fully address the inherent risks associated with today's
highly distributed, interconnected, network-based computing
environments. In addition, agencies need to take actions to ensure that
the established policies and controls are fully implemented.
CMS has established a set of information security policies, standards,
and guidelines that generally provides appropriate guidance to
personnel responsible for securing its information systems and data.
For example, it has developed information security policies that
address topics such as access controls, configuration management, and
system integrity.
However, in some instances, CMS did not ensure the effective
implementation of its policies and standards. Although CMS had
developed policies requiring the use of certain network devices, it did
not always ensure that the network contractor followed these policies.
In addition, CMS had developed configuration requirements for its
operating systems and network devices; however, some of these standards
were marked as "draft" and, therefore, had not been distributed to the
network contractor.
Conclusions:
Although CMS had many information security controls designed to
safeguard the communication network, missing controls and ineffective
implementation of certain controls, when considered collectively,
threaten the confidentiality and availability of the sensitive,
personally identifiable medical information it transmits. Further, CMS
did not always effectively implement certain information security
policies and standards. Until CMS ensures that all information security
policies are being fully implemented, there is limited assurance that
its sensitive data will be adequately protected against unauthorized
disclosure and that network services will not be interrupted.
Recommendation for Executive Action:
To help strengthen information security controls over the CMS
communication network, we recommend that the CMS Administrator direct
the Chief Information Officer to take steps to ensure that information
security policies and standards are fully implemented.
Agency Comments:
In providing written comments on a draft of the report, the CMS
Administrator stated that CMS is taking steps to ensure that
information security policies and standards are fully implemented. The
Administrator added that CMS had conducted a review of its network
security requirements, as well as an evaluation of potential updates in
security services requirements provided through its network services
contract. The agency is working to enhance the security requirements
defined in the current task order to reflect its expectations more
precisely and to provide further assurances that controls follow the
most current acceptable guidelines.
In addition, the Administrator stated that CMS has moved aggressively
to implement corrective actions for the reported weaknesses and that
corrective action or new compensating controls had already been
completed for 22 of the 47 weaknesses. An additional 19 weaknesses are
scheduled for closure. The remaining six weaknesses are under review to
determine what additional resources are needed and their financial
impact. His written comments are reprinted in appendix I.
CMS also provided technical comments, which we incorporated where
appropriate.
As agreed with your office, unless you publicly announce the contents
of this report earlier, we plan no further distribution until 30 days
from the report date. At that time, we will send copies to
congressional committees with jurisdiction over CMS, the Secretary of
the Department of Health and Human Services, the CMS Administrator and
Chief Information Officer, the HHS Inspector General, and other
interested parties. We will also make copies available to others upon
request. In addition, this report will be available at no charge on the
GAO Web site at [Hyperlink, http://www.gao.gov].
If you have any questions regarding this report, please contact Gregory
C. Wilshusen at (202) 512-6244 or Keith A. Rhodes at (202) 512-6412. We
can also be reached by e-mail at wilshuseng@gao.gov and
rhodesk@gao.gov, respectively. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last
page of this report. Key contributors to this report are listed in
appendix II.
Signed by:
Gregory C. Wilshusen:
Director, Information Security Issues:
Signed by:
Keith A. Rhodes:
Chief Technologist:
[End of section]
Appendix I: Comments from the Centers for Medicare & Medicaid Services:
Department Of Health & Human Services:
Centers for Medicare & Medicaid Services:
Administrator:
Washington, DC 20201:
Date: Jul 1 0 2006:
TO: Gregory C. Wilshusen:
Director, Information Security Issues:
Government Accountability Office:
FROM: Mark B. McClellan, M.D., Ph.D.
Administrator:
Centers for Medicare & Medicaid Services:
SUBJECT: Government Accountability Office (GAO) Draft Report:
"Information Security: The Centers for Medicare & Medicaid Services
Needs to Improve Controls over Key Communication Network" (GAO-06-750):
Thank you for the opportunity to comment on this draft report. In this
report, the Government Accountability Office (GAO) describes weaknesses
it has identified in the contractor-owned and contractor-operated
network used by CMS to facilitate communications and data transmission
to its business partners. We have already directed our contractor to
address these weaknesses, and most have already been or will be
corrected. We are taking further steps to assure that none result in
actual security breaches.
The Centers for Medicare & Medicaid Services (CMS) takes all aspects of
data security very seriously, including the contractor-owned and
contractor-operated network. As you note, no beneficiary information
resides on this network. Because data does not reside on the network,
intercepting or compromising information during transit across the
network would be difficult. In addition, the GAO found no evidence that
confidential or sensitive information had actually been compromised,
and our analysis found no instances where beneficiary information had
actually been exploited. Nonetheless, security of our beneficiaries'
data is paramount and we appreciate GAO's assistance in identifying
important opportunities for the contractor to strengthen network
security.
For this reason, we were pleased to support GAO's efforts to conduct an
independent audit of our contractor's security procedures. We are
encouraged that GAO mentioned numerous information security controls in
place at CMS that help to safeguard the communications network. These
security controls are not delineated in the GAO report, but the current
management, operational and technical controls for the network are set
forth in the security plan, risk assessment and other network
documentation that were made available to GAO during the audit
engagement.
The CMS has been aware of potential weaknesses in the network security
and has been proactive in addressing them. For the past several years,
we have independently tested segments of the communications network. In
2005, the testing was conducted from multiple locations for the first
time. The GAO report provided a useful opportunity to validate a number
of findings we had already identified in our own testing, and
identified other weaknesses that we are already working to address.
Based on our experience, we understand the difficulty of the task
undertaken by the GAO in its review.
We are very concerned about the specific control weaknesses and
specific aspects of security policy implementation by our contractor
that GAO found could create increased risk of unauthorized disclosure,
modification, or destruction of our information and computer resources.
The deficiencies in the management controls are especially troublesome
given that CMS purchases communications and data transmissions services
from a shared network that is supposed to maintain the privacy of each
customer's data. Our contract with the network vendor requires that the
vendor embed security features in the system configuration and controls
to protect all data and facilities against potential threats, attacks,
or failures. This shared network configuration should address all
security requirements, but especially those controls needed to mitigate
the fundamental risks of the type set forth in the GAO report (e.g.,
password and patch management). Security is degraded when generally
accepted controls to implement these very basic requirements are not
effectively implemented or maintained.
With respect to the individual findings identified by the GAO, upon
receipt of the preliminary GAO report we engaged working processes we
have in place to mitigate vulnerabilities regardless of risk level. We
immediately requested a Corrective Action Plan (CAP) for each weakness
from the contractor-owner and contractor-operator of the network. In a
series of in-depth meetings with the contractor, CMS reviewed each
proposed corrective action to ensure that it would correct not only the
immediate issue identified by the GAO, but also the root cause or
environment conditions contributing to the weakness. Adjustments were
made to the proposed CAPS as a result of these meetings. Concurrently,
the contractor-owner and contractor-operator commenced aggressive
implementation of the accepted plans.
We are pleased to report that corrective action or new compensating
controls have been completed for 22 of the 47 weaknesses. As of the
date of this response, the network contractor has provided evidence of
implementation acceptable to CMS for 16 of the weaknesses. An
additional 6 await validation of closure by CMS. Of the remaining
weaknesses, 8 are scheduled for closure by September 30, 2006. An
additional 11 are somewhat more complex and are scheduled for closure
by January 7, 2007, to coincide with the contractor's 4t" quarter
update of the network. CMS is awaiting further refinement to estimate
the additional resources and the financial impact of 6 of the
corrective actions for possible inclusion in the CMS information
technology investment review process. The network contractor has been
directed to submit monthly reports to CMS on the implementation of the
corrective actions until all weaknesses have been remediated.
CMS has also directed its contractor to support an independent test of
the completed corrective actions following the 4t" quarter update. This
special test is in addition to our annual penetration testing of the
network, and will be broader in scope. It will cover all weaknesses
identified by GAO. The testing will be performed by the same entity
responsible for our independent systems testing and evaluation of
security controls as a precondition for certification and
accreditation. The additional controls put in place will be further
reviewed each year as part of our ongoing annual testing program to
ensure they are sustained not just for the short-term but the long-run
duration of our contract.
In addition to addressing each of the individual weaknesses identified
by GAO, we conducted a separate internal assessment of the risk of
inappropriate disclosure of financial and personally identifiable
medical data traversing the network. Our risk determination included
consideration of the likelihood of occurrence and severity of impact.
Our determination followed guidelines promulgated by the National
Institute of Standards and Technology (NIST) in their Special
Publication 800-30, Risk Management Guide for Information Technology
Systems. Using these criteria, CMS staff categorized the 47 weaknesses
as follows: no high risk findings, 22 medium risk findings, and 25 low
risk findings.
In arriving at these determinations, we were mindful that the
contractor-owned and contractor-operated network is a shared logical
network adapted for CMS. We observed that CMS data is not stored in the
network, and there are no CMS data file servers or application servers
located in the network. The business partners connected to the network
have their own controls, such as firewalls and intrusion detection
systems, to protect them from the network and other sites. These
protections were beyond the scope of the GAO review, but do provide
additional assurances to CMS that, in the event of a breach in the
network, the local controls would provide a defense in depth for our
data. The defense in depth strategy is a basic security principle and
one that CMS observes in the security architecture of systems. These
controls at the connected sites are tested regularly by CMS and our
business partners.
Finally, in conjunction with supporting the GAO's efforts on this
report, we have conducted a review of our network security requirements
and an evaluation of potential updates in security services
requirements provided through the General Services Administration (GSA)
network services contract. The CMS is working with GSA on enhancing the
security requirements as defined in the current CMS task order to
reflect CMS expectations more precisely and to provide further
assurances that controls follow the most current acceptable guidelines.
The NIST Special Publication 800-53, Recommended Security Controls for
Federal Information Systems, and the CMS acceptable risk safeguards,
are the basis for reviewing and amending our network security posture.
In summary, we have been proactive in our oversight of the network but
are taking further steps to enhance security. We have provided
information that we hope will be helpful in understanding the network,
an assessment of the current risk to CMS of the inappropriate
disclosure of private health information, and our plans for further
reducing the risk of inappropriate disclosure. We have moved
aggressively in cooperation with the contractor-operator of the network
to identify and implement corrective actions for each of the weaknesses
described in the report. We will continue to track and report on these
actions using the Office of Management and Budget-approved Plan of
Actions and Milestones process until each milestone is completed.
Attachment:
[End of section]
Appendix II: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Gregory C. Wilshusen, Director, Information Security Issues, (202) 512-
6244 Keith A. Rhodes, Chief Technologist, (202) 512-6412:
Acknowledgments:
In addition to those named above, Idris Adjerid, Mark Canter, Lon Chin,
West Coile, Jeffrey Knott, Joanne Landesman, Duc Ngo, Ronald Parker,
and Christopher Warweg made key contributions to this report.
FOOTNOTES
[1] GAO, High-Risk Series: Information Management and Technology, GAO/
HR-97-9 (Washington, D.C.: Feb. 1997).
[2] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.:
Jan. 2005).
[3] This reference to contractors does not include Medicare
intermediaries, carriers, and data centers, which are sometimes also
referred to as "contractors."
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
