Health & Human Services OIG Report Finds Maryland Did Not Properly Secure Its MMIS System

An Inspector General’s (OIG) report from the Federal Department of Health and Human Services (HHS) finds that Maryland failed to secure its Medicaid Management Information System (MMIS) against several avenues of attack.

What Security Violations Did Maryland Commit?

The report, available in summary form at OIG Report on Maryland MMIS Security, does not go into detail for fear of revealing the nature of the vulnerabilities and possibly exposing the MMIS to penetration. It does note that, in addition to other techniques, automated penetration testing tools were used in an attempt to break into the system. The report indicates that these tools succeeded.

How Attacks Are Evolving

Other reports have noted that automated penetration tools are getting more sophisticated over time, and now far exceed the sort of attacks that were driven by “script kiddies” in the last decade. On top of that, despite increased efforts at email security and training workers in cybersecurity hygiene, phishing attacks, in which a phony email is used to get a user to perform an action that leads to system penetration, are all too common.

Because of the lack of detail in the OIG report, we can only speculate about what was attacked and what methods of penetration were used. Consider this, though. The typical MMIS is a mainframe-based system that is communicated with from terminals. It usually runs some version of Windows over networks that often must, of necessity, be routed partially over the public internet. Even if a virtual private network (VPN) is used for the connection, the “attack surface” – the set of points and vulnerabilities that led a bad actor to attack a system – is expansive.

All the attacker has to do is gain access to an unencrypted portion of the traffic. Inserting malware, such as ransomware or keyloggers, is simple from that point on. The lesson is that one must avoid penetration at all costs.

Was There A Cyber Security Attack on the Maryland MMIS?

The OIG report specifically notes that there is no evidence that the Maryland system had, in fact, been penetrated. But consider what might have happened if it had. The MMIS is used to pay Medicaid providers. While providers often complain that Medicaid payments are less than their cost of service, the aggregate amount of money involved is huge. Nationally, Medicaid spent almost 596 billion dollars in 2017. The expense is very roughly split 50/50 between the states and the Federal government for the traditional Medicaid population. For the people that were brought in under the Affordable Care Act (ACA) Medicaid expansion, the Federal government pays 90%.

A Huge Payday for Hackers

So, there is a pool of more than half a trillion dollars, potentially payable to providers, for hackers to attack. The MMIS in most states has modules for beneficiary enrollment, provider enrollment, recording of services rendered, and provider payments. A hacker who had control of the system could create phantom beneficiaries, phantom providers, bill for nonexistent services, and generate checks to pay the nonsexist providers for not providing them. Once the hacker is in the system, a potentially huge piggy bank is opened. The OIG’s principal worry in its report was the possible exposure of Medicaid data to the public, but the possibilities for fraud are equally worrying.

Why Does It Take So Long For Hacking To Be Discovered?

How quickly such a penetration would be detected is a function of the security measures the state has in place. The mere fact of finding a penetration does not, in and of itself, reveal where the miscreant was or what the hacker did. That requires checking of audit logs and development of a trail. Depending on what events are logged, even that might not be enough. In a worst-case scenario, not until some other event – a beneficiary notice returned as undeliverable, a bank questioning an electronic deposit, and so on – would sufficient suspicion be generated to lead to the discovery of phony providers and phony beneficiaries.

Holes In The Medicaid System

The MMIS includes tools for surveillance and utilization review, but their basic functions are still fairly unsophisticated, relying on detection of statistical outliers. Depending on where the limits are set, cases that are truly concerning may be missed. We can draw some instructive lessons from looking at what has been found out about HIV drug prescriptions under Medicare. In one case, a 48-year-old in Miami went to 28 different pharmacies to pick up HIV drugs worth over $200,000 dollars, in doses that were more than ten times what the typical HIV patient gets in a year (see Suspicious Prescriptions for HIV Drugs in Medicare).

Wrap Up

Maryland’s MMIS has parts that first came online in 1996. A contract to replace the system was terminated in 2015 and the case between the state and the prime contractor is now in the courts. Maryland’s experience in attempting to replace its MMIS system is not unique. Despite its surface simplicity, MMIS systems can involve hundreds of modules providing thousands of different functions that often have to interface with other state systems such as finance, enrollment and eligibility, public health, social services, and the state’s education system.

Designing and programming one is not easy. When it has to interface with multiple-aged legacy systems that the MMIS contractor has no control over, the job is even harder.