How Secure is Your Medicaid Management Information System?

As the healthcare industry changes and healthcare data systems evolve, so do the tactics of the bad guys looking to steal information and patient records. Anything that holds data is a potential target, and of particular concern are state-run Medicaid Management Information Systems (MMIS) that store countless records and remain extremely vulnerable.

Looking back, we’ve seen federal auditors uncover more than 20 weak spots in one state's MMIS[1] environment, and in another state, hackers were able to breach the Department of Health and Human Services server and potentially expose the information of up to 1.3 million people.[2]

The shift towards value-based reimbursement models has resulted in the healthcare records of millions of Americans now being stored in MMIS environments – and that is on top of the personal and financial information those systems have traditionally stored. Bad actors target this data for a variety of purposes, including extortion, espionage and simple commercial gain. The increasing value of medical records on the black market only amplifies the need to better defend MMIS systems against data-pilfering attackers.

Thankfully, security solutions exist that help administrators of MMIS environments check whether their systems have been compromised, allowing them to proactively find and repair any system vulnerabilities before the hackers strike. The trick is in making it a priority to implement the appropriate compensating controls amidst all the other priorities facing MMIS administrators.

It’s critical to remain vigilant and act fast, as uncovering a breach quickly can prevent significant damage from escalating. The data shows one-third of the companies that discovered their own breaches were compromised for an average of 56 days, while the remaining two-thirds, which were notified of the breach by external sources, averaged 319 days from compromise to discovery[3].

One way to get ahead of this problem is for states to commission compromise assessments to determine whether hackers have already infiltrated their MMIS systems[4]. These assessments comb through network, endpoint, and login data to identify evidence that indicates a breach[5], such as custom malware or communication with known attackers. Improving speed to detection is vital. Currently, it takes organizations an average of 146 days to realize that their system has been compromised[6]. In that time, hackers can quietly exfiltrate petabytes of valuable data.

Officials overseeing MMIS systems shouldn't relax their guard if a compromise assessment concludes there is no ongoing breach at that point in time. Just because hackers haven't struck yet doesn't mean they won't try soon, and penetration tests can aid in securing MMIS environments by exposing vulnerabilities[7] an attacker could exploit. These tests involve ethical "white hat" hackers who attempt to break into a system. Since real humans perform the "hack" using atypical strategies, penetration tests can find vulnerabilities that automated technologies may miss. MMIS officials can then reverse engineer safeguards to defend against any tactics that proved successful.

Of course, as effective as compromise assessments and penetration tests are at discovering active breaches and preventing sensitive information from falling into the wrong hands, they only evaluate a system's security at one point in time. Constant monitoring and checkups are essential for ongoing protection. It is the responsibility of the state to ensure that constituents' protected healthcare information is kept safe, confidential, and secure.

[1] http://oig.hhs.gov/oas/reports/region9/91303001.pdf
[2] http://www.informationweek.com/healthcare/security-and-privacy/montana-health-department-hacked/d/d-id/1278872
[3] https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf
[4] https://www.fireeye.com/services/mandiant-compromise-assessment.html
[5] https://www.fireeye.com/content/dam/fireeye-www/global/en/services/pdfs/ds-compromise-assessment.pdf
[6] https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf
[7] https://www.fireeye.com/services/mandiant-vulnerability-assessment.html