GAO Urges CMS to Bolster Medicare Beneficiary Data Security


WASHINGTON, DC – The nonpartisan Government Accountability Office (GAO) today released a new report, as requested by Energy and Commerce and other Congressional committees, calling for greater oversight by the Centers for Medicare and Medicaid Services (CMS) over the data security of its beneficiaries’ information.

GAO found that CMS has created an oversight program for Medicare Administrative Contractors (MAC) data, but that the agency has not established a similar program to monitor security implementation by other entities, such as researchers.

“Without effective oversight measures in place for researchers and qualified entities, CMS cannot fully ensure that the security of Medicare beneficiary data is being adequately protected,” wrote GAO.

Data breaches have become more common in recent months and years, particularly in the health care sector. It is imperative vital Medicare beneficiary data, which can be created and used by a number of different entities, is secure.

GAO recommended CMS provide additional guidance on required security controls, and that they more routinely track their oversight efforts. CMS agreed with GAO’s recommendations and has provided information on their next steps to bolster beneficiary data security efforts.

Energy and Commerce has examined a number of issues within this space. An April 2017 #SubOversight hearing broadly examined ways to bolster cybersecurity efforts in the health care sector, and a June 2017 #SubOversight hearing examined federal cybersecurity efforts in the wake of ‘WannaCry,’ which crippled thousands of computers in hundreds of countries.