By Focusing on Security Up Front, Medicaid Officials Can Avoid Long-Term Pain

Consider this scenario: After allocating money for education, law enforcement, pension contributions, and a host of other expenses, officials in a coastal city decide there simply isn't enough left over in the budget to fund upgrades to the city’s sea wall. The old barrier will have to suffice for at least another year, they say, hoping a major hurricane doesn’t hit and flood the city.

Some public officials feel they have no choice but to make this same gamble when it comes to another type of storm – the deluge of bad actors looking to breach government cyber defenses. Fortunately, there are ways officials can stretch existing sources of funding, as well as find new ones, so that cybersecurity doesn’t take a back seat to other priorities.

It is no secret that government cybersecurity budgets are tight. Three of four Chief Information Security Officers have named lack of funding as the “number one barrier” to establishing strong state cybersecurity.[1] Federal spending on cybersecurity is growing at less than half the rate of private sector spending.[2]

Good defenses are needed now more than ever. Attacks are increasing in complexity and scope, and government organizations – particularly health and human services entities such as state Medicaid programs – are at heightened risk. These organizations increasingly store valuable information on their Medicaid Management Information Systems and other complementary systems. This information includes electronic health records, and a single stolen health record can fetch $100 on the black market.[3]

Losing this information to hackers could cost states tens of millions of dollars in liability and clean-up expenses. Cyber breaches cost the healthcare sector $6 billion in 2014.[4]

To beef up cyber defenses, Medicaid leaders could redirect a relatively small percentage of funding from large healthcare services budgets to much smaller cybersecurity budgets, where the funds would have a proportionally greater impact. To keep cyber expenses stable, officials can outsource many of their security needs to private contractors. That way, states don't find themselves on the hook for growing compensation or infrastructure costs.

Additionally, state and local governments could request cyber-funding from the federal government, which funds 90 percent of Medicaid IT initiatives.[5]

State and local governments can submit an Advanced Planning Document (APD) to the Centers for Medicare and Medicaid Services if they wish to have a healthcare project funded. Building cybersecurity components into a larger APD proposal is one method to increase cyber funding.

Private contractors can assist with such APDs and help states align their cyber strategies with the Medicaid Information Technology Architecture framework, which aims to "foster IT transformation."[6]  

Turning to the Department of Homeland Security for cybersecurity grants, and raising awareness of cyber defense needs among state and federal homeland security employees, can also help Medicaid officials obtain new funding.

In an era of heightened threats, maintaining strong cyber defenses is crucial for state and local governments. Reallocating money from other areas and reaching out to CMS and DHS for IT infrastructure funding can help prevent a hurricane of hackers from breaching cyber sea walls.

This is the last in a series of posts on the challenges facing cybersecurity practices for Medicaid and Medicare. See our first blog on the increasing vulnerability of Medicaid Management Information Systems and our second blog on the security of those systems.


[1] pg. 11 fig. 8