Medicaid Management Information Systems Are Increasingly Vulnerable

$30 billion.

That's what the Centers for Medicare and Medicaid Services have spent to encourage the adoption of electronic health records (EHR) in the past six years alone.[1] EHRs are a high priority for healthcare payers and providers because they streamline care, preventing expensive accidents and redundancies.

Just like private-sector insurers, state-run Medicaid programs are adopting EHR systems and consolidating beneficiaries' health and payment records under one digital roof. These changes offer opportunities, but also pose significant security challenges. If states aren't careful to implement strong cyber security protections, their Medicaid systems could suffer enormous and costly data breaches.

Historically, Medicaid Management Information Systems (MMIS) tracked and processed payments to doctors, hospitals, and other healthcare providers[2], with providers being largely responsible for maintaining the actual medical records of beneficiaries.

But times are changing. States are phasing out “fee-for-service” payment models, which sometimes incentivize providers to conduct unnecessary tests and procedures, in favor of managed-care models that pay providers based on how healthy they keep their patients. As part of this switch, the health records of Medicaid enrollees are increasingly managed by a states' MMIS or a complementary system.

That makes the MMIS ecosystem an increasingly rich target for hackers, who can now steal valuable healthcare data on top of the personal and financial information that was always stored in MMIS. On the black market, health records can sell for hundreds of dollars.[3] A single stolen health chart can fetch $50, compared to $1 for a stolen credit card or social security number[4].

Despite holding such valuable data, many states have not adequately protected their MMIS – though that's not necessarily their fault. When program administrators commission a facelift of their MMIS systems, the state and the private contractor “systems integrator” (SI) it employs are often misaligned about ownership of the cyber strategy. State officials might assume the SI is handling cybersecurity, while the SI might believe cybersecurity to be the purview of the owner of the infrastructure: the state.

If hackers exploit such gaps, the resulting data breach could prove stunningly expensive. Healthcare providers spend almost $400 per breached record, on average[5]. Massive attacks, like the one that compromised 80 million health records at a major insurer, pose a severe threat to state MMIS[6].

In addition to holding millions of Social Security numbers, credit card information, and other sensitive data, MMIS are increasingly storing valuable health records. Now more than ever, MMIS are in the hackers’ crosshairs. Medicaid program officials will need to ensure their cybersecurity systems are prepared to respond to inevitable attempted breaches.