Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Internal Controls Established by EOHHS and MassHealth over Selected Information System Applications

August 13, 2012 · Read the full official report (PDF) ↗

Published August 13, 2012 Audit covers January 1, 2010 – June 30, 2011 Under Suzanne M. Bump · 2011–2023

In plain English
MassHealth’s major computer systems had some solid controls, but the audit found weak spots: too many old user accounts were still active, and emergency planning was incomplete.
source
“However, as discussed in the Audit Results section of this report, we found that improvements were needed in EOHHS’s user access security controls and both EOHHS’s and MassHealth’s contingency planning.”
Read the plain-English breakdown
Why was it audited?

Auditors reviewed whether MassHealth and EOHHS were protecting system access, personal information, background-check processes, and emergency backup plans.

“The scope of our audit included a review of the internal controls established by EOHHS and MassHealth in the following areas: access security over the applications reviewed, Criminal Offender Record Information (CORI) background checks on employees working with these applications, the protection of personal identifiable information within these applications, continuity of operations planning, business continuity planning, and disaster recovery planning, including on-site and off-site storage of backup magnetic media.”
What's in it for me?

If you rely on MassHealth, this audit is about whether the systems that determine eligibility and pay providers are secure and can keep working during disruptions.

“The MA21 system is MassHealth’s eligibility determination system used to capture MassHealth member data as it is received on MassHealth’s benefit application forms; requests for updated information forms; and eligibility-related data from other sources such as pay stubs, birth records, and other documents supplied by applicants and members for the purposes of determining applicants’ and members’ eligibility for benefits and their level of benefits.”
The bottom line

The biggest problem was that access rules existed but were not always followed, leaving accounts active for people who no longer worked at MassHealth.

“As a result, we found that a significant number of user accounts remained active for individuals who were no longer authorized to have access to the MassHealth network or the MA21 and MMIS systems.”
What happens next

The auditor recommended stronger account removal procedures, regular access reviews, completed security policies, data masking, and updated emergency and business continuity plans.

“We recommend that EOHHS’s user access security controls be strengthened by:”
Why it's significant

The scale is large: MassHealth served about 1.3 million people and paid more than $12.2 billion to providers in fiscal year 2011.

“In fiscal year 2011, MassHealth paid in excess of $12.2 billion to health care providers, of which approximately 40% was funded with Commonwealth funds.”
Jargon, unpacked

A Continuity of Operations Plan is the agency’s plan for keeping essential work going, including alternate facilities and key records, if normal operations are disrupted.

“An updated COOP will help ensure the continuation of EOHHS’s essential functions, mission-critical systems, provisions for alternative facilities, orders of succession, delegations of authority, and vital records.”

What the Auditor checked

What the Auditor found

EOHHS did not consistently deactivate unauthorized user accounts or maintain enterprise-wide access policies.
cybersecurityinternal controlsdata privacyvendor oversight

Why it matters: Unauthorized users could access restricted MassHealth network resources and sensitive protected health information.

Standard: ITO policies, the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996, and formal access-control requirements for IT resources. ( Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 )

5 recommendations
  • Ensure that access privileges for unauthorized users are deactivated or modified when employee status, position, or responsibilities change.agency: agreed
  • Implement formal notification procedures for human resources or department management to notify ITO of employee status changes.agency: agreed
  • Conduct annual reviews of user IDs with access to applications containing personally identifiable information.agency: agreed
  • Complete enterprise-wide IT security policies and procedures.agency: agreed
  • Use data-masking software during program changes to obscure sensitive personal information.agency: agreed
EOHHS and MassHealth did not have adequate contingency planning for continuity of operations and business continuity.
internal controlspublic safetyrecordkeeping/documentation

Why it matters: MassHealth and EOHHS could experience disrupted services or delays restoring essential functions during an emergency or extended IT outage.

Standard: Executive Order No. 490 and generally accepted business continuity practices and industry standards for computer operations. ( Executive Order No. 490 )

5 recommendations
  • Update the COOP to comply with Executive Order No. 490 and provide it to MEMA.agency: already implemented
  • Ensure the updated COOP works with business continuity and disaster recovery plans.agency: already implemented
  • Develop a comprehensive BCP with ITD and EOHHS for mission-critical applications and recovery at an alternate site.agency: partially agreed
  • Include detailed staff instructions for disaster and recovery scenarios.agency: partially agreed
  • Identify the overall disaster recovery strategy to be executed by EOHHS and ITD.agency: partially agreed
Agency response & Auditor reply
Agency: "We believe the modifications to the content of our COOP serves the function of both a traditional COOP and BCP."