Security risks identified at three Medi-Cal managed-care organizations

HIM-HIPAA Insider, December 14, 2015

The Office of Inspector General (OIG) raised concerns about the security of the information system general controls used to process Medicaid claims at three California Medi-Cal managed-care organizations (MCOs) in a report released December 9. The OIG identified these vulnerabilities as “high risk.” A total of 74 vulnerabilities were found. The OIG grouped them into three information system general control categories:

  • Access controls
  • Configuration management
  • Security management


Access controls showed 31 vulnerabilities in the areas of:

  • Portable and backup media
  • Database security controls
  • Password and login controls
  • Wireless local area network (WLAN) controls
  • Remote network access
  • Physical security controls


Among the access control vulnerabilities cited, the OIG called attention to the failure to encrypt portable devices that contain ePHI and the failure to encrypt claims-processing databases. The OIG also found that some of the audited MCOs allowed the user accounts of terminated employees to remain active. Another audited MCO was cited for not blocking access to inappropriate websites or tracking WLAN usage. One MCO failed to use two-factor authentication for remote access.

The OIG found 29 vulnerabilities in configuration management related to:

  • Configuration of network devices
  • Patch management
  • Antivirus management
  • Out-of-date software


The OIG found that one MCO managed its router over a clear-text protocol, which could allow an attacker to view and intercept any data on the network. The OIG also found that the MCOs had not applied the most recent patches to all software or kept antivirus software up to date, and one was found to be using an out-of-date email program.

Security management vulnerabilities included:

  • Contingency planning
  • Required system security plan elements
  • Sanitization of data and disposal of devices
  • Background checks


Among the contingency planning vulnerabilities, one MCO did not have a disaster recovery plan or perform system recovery tests. Security plan vulnerabilities included inadequate security plans or significant gaps in them. The OIG found problems with the documentation of the sanitization and disposal process for devices such as USB flash drives.

The following categories showed vulnerabilities across all three Medi-Cal systems:

  • Portable and backup media
  • Database security controls
  • Password and login controls
  • Configuration of network devices
  • Patch management
  • Sanitization of data and disposal of devices


The OIG believes these represent systemic flaws that may be present across all Medi-Cal organizations because their systems are similar. California’s Department of Health Care Services has promised to address these issues, according to the OIG report.