OIG reveals Medicaid management, enrollment system security gaps

OIG conducted penetration tests on 10 state Medicaid management information and eligibility and enrollment systems, revealing security gaps.

Cybersecurity gaps in Medicaid IT systems could leave them vulnerable to sophisticated cyberattacks, the HHS Office of Inspector General, or OIG, found after conducting penetration tests on 10 state Medicaid management information and eligibility and enrollment systems.

Every state maintains a Medicaid management information system (MMIS) to monitor member eligibility and manage the submission and processing of claims. OIG conducted penetration tests on select state MMIS and eligibility and enrollment (E&E) systems between 2020 and 2022 to assess how effectively the systems were protected against cyberattacks.

OIG's findings, published in October 2025, showed that the 10 states included in the sampling implemented "generally effective information technology security controls for their web-facing MMIS and E&E systems to prevent unsophisticated or limited cyberattacks."

However, OIG stressed that these states must continue to improve these controls to prevent more sophisticated and persistent cyberattacks. Outstanding security gaps could allow a hacker with a moderate level of sophistication to compromise the systems.

Most of the audited states did not effectively implement four National Institute of Standards and Technology (NIST) controls. The four controls focus on transmission confidentiality and integrity, flaw remediation, information input validation and error handling.

"Developers or contractors were not aware of government standards or industry best practices that require them to adhere to secure coding practices and identify and resolve flaws in systems before deploying to production," OIG stated, elaborating on a common cause of the aforementioned NIST control gaps.

Other states had outdated third-party libraries and plugins for web applications, making it difficult to assess all the components of their MMIS and E&E systems. Certain states also had delays in detecting, reporting and fixing system flaws.

"Ineffective implementation of security controls in some State MMIS and E&E systems may lead to exploitation of vulnerabilities by malicious actors or insiders seeking to commit fraud, steal sensitive data, and evade detection," OIG noted.

"Lapses in security controls significantly increase the likelihood of successful cyberattacks and gaining unauthorized access to sensitive information."

OIG's recommendations

Although OIG's findings revealed that the 10 states were effectively protecting MMIS and E&E systems from unsophisticated cyberthreats, gaps in NIST control coverage and delayed patching procedures highlighted critical areas for improvement.

As such, OIG's 27 recommendations to the 10 states focused on improving cybersecurity controls and further mitigating risk.

OIG recommended that all 10 states update MMIS and E&E systems and software, including patching outdated servers and web applications. The watchdog agency also recommended assessing tools for vulnerabilities, enforcing secure coding practices in accordance with established guidelines and refining vulnerability management strategies.

The states largely concurred with OIG's recommendations. However, as of May 2025, 14 of the 27 recommendations remain unimplemented.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.