Penetration testing conducted on ten State Medicaid Management Information Systems (MMIS) and Eligibility & Enrollment (E&E) systems has revealed vulnerabilities that could potentially be exploited in advanced cyberattacks. A third-party penetration testing company conducted the penetration tests for the Department of Health and Human Services’ Office of Inspector General (HHS-OIG) from 2020 to 2022 to assess the effectiveness of IT system controls in stopping attacks on web-facing MMIS and E&E systems.
The penetration tests had been performed because of the rising number of cyberattacks on MMIS and E&E systems. Attackers target these systems because they have substantial amounts of important and sensitive information. HHS-OIG has noticed a rise in several threat types attacking these systems, which include denial-of-service attacks, ransomware attacks, and phishing attacks. From 2012 to 2023, at least six U.S. states have encountered cyberattacks that allowed access to substantial amounts of Medicaid information, like the 2021 attack in Texas that impacted around 1.8 million people, the data breach in Utah that impacted 780,000 Medicaid beneficiaries, and the data breach in South Carolina that impacted 228,000 Medicaid beneficiaries.
The penetration testing mimicked real cyberattacks. Although the security controls were considered generally effective at stopping unsophisticated or low-effort cyberattacks, improvements are necessary to withstand more advanced attacks and persistent threats. Nine states and Puerto Rico had implemented cybersecurity controls that blocked a number of the HHS-OIG’s simulated cyberattacks, but not all of them. Simulated phishing attacks were also conducted against some employees to find out whether they had received sufficient HIPAA security awareness training. The nine states were Alabama, Illinois, Massachusetts, Maryland, Minnesota, Michigan, South Dakota, South Carolina, and Utah.
In the majority of the audited states, the NIST security controls that were commonly found ineffective include:
- website transmission confidentiality and integrity controls
- vulnerability remediation controls to appropriately discover, report, and fix software vulnerabilities
- data input validation controls to check the validity of, or appropriately sanitize, input to public-facing systems
- error handling controls to stop the disclosure of data
The common root causes were programmers and contractors who were not aware of government requirements or industry guidelines; failure to securely configure systems and patch vulnerabilities promptly; failure to assess all components of MMIS and E&E systems (for example, third-party plug-ins and libraries); inadequate procedures for evaluating security controls; and slow detection, reporting, and remediation of system vulnerabilities.
HHS-OIG gave the nine states and Puerto Rico 27 recommendations for enhancing security controls, policies, and procedures. The top recommendations included: replacing or patching obsolete servers; enhancing input sanitization on web servers; improving vulnerability discovery tools; performing regular evaluations of the effectiveness of security controls; updating cryptographic configurations; enhancing vulnerability management strategies; and ensuring server configurations enforce secure practices.
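One defender-side check that follows from these findings, as an added example that is not part of the report or this article: a small Python audit run over constructed sample HTTP responses, flagging the control gaps named above (a missing Strict-Transport-Security header for transmission confidentiality, version banners and missing hardening headers in server configuration, and verbose error pages that disclose internals). The error-page patterns and the two sample responses are constructed for illustration, not taken from the audited systems.

```python
import re

# Constructed patterns that indicate an error page is leaking internals
# (examples only; a real review would maintain a broader list).
VERBOSE_ERROR_PATTERNS = [
    r"Traceback \(most recent call last\)",    # Python stack trace
    r"\bat [\w$.]+\(\w+\.java:\d+\)",          # Java stack frame
    r"You have an error in your SQL syntax",   # MySQL error text
    r"ORA-\d{5}",                              # Oracle error code
]
# A product/version pair such as "Apache/2.4.29" in the Server header.
VERSION_BANNER = re.compile(r"/\d+(\.\d+)+")


def audit_response(status, headers, body):
    """Return a list of findings for one HTTP response.

    headers: dict of header name -> value (names compared case-insensitively).
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("transmission confidentiality: Strict-Transport-Security header missing")
    server = h.get("server", "")
    if VERSION_BANNER.search(server):
        findings.append(f"server configuration: version disclosed in Server header ({server})")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("server configuration: X-Content-Type-Options: nosniff missing")
    # Only 5xx responses are checked for leaked internals; 4xx pages are usually static.
    if status >= 500 and any(re.search(p, body) for p in VERBOSE_ERROR_PATTERNS):
        findings.append("error handling: internal error details disclosed in response body")
    return findings


# Constructed sample responses: a weak error page and a hardened one.
WEAK = (500, {"Server": "Apache/2.4.29 (Ubuntu)", "Content-Type": "text/html"},
        "<h1>Internal Server Error</h1><pre>Traceback (most recent call last):\n"
        '  File "app.py", line 12</pre>')
HARDENED = (500, {"Server": "Apache",
                  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                  "X-Content-Type-Options": "nosniff", "Content-Type": "text/html"},
            "<h1>Something went wrong</h1><p>Reference ID: 7f3a9c</p>")

if __name__ == "__main__":
    for name, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_response(*resp))
```

The hardened response returns a generic page with an opaque reference ID so that details stay in server-side logs, which is the behaviour the error-handling control is meant to enforce.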
