SPECIAL TESTS AND PROVISIONS – ADP RISK ANALYSIS & SYSTEM SECURITY REVIEW
Department of Health and Human Resources (DHHR)
Assistance Listing Number 93.775, 93.777, COVID-19 93.777, 93.778, ARRA 93.778
The Condition section within prior year finding 2022-037 recognized that the DHHR has policies and procedures in place for performing periodic risk assessments and security reviews over the Recipient Automated Payment and Information Data System (RAPIDS), which is an internal system; however, the Condition section also stated that the DHHR does not have policies and procedures to perform periodic risk assessments and security reviews over the Medicaid Management Information System (MMIS). The first sentence of the corrective action plan for prior year finding 2022-037 indicates that the MMIS is designed, developed, implemented, and operated by an external service organization. Within the last two paragraphs of the corrective action plan for prior year finding 2022-037, the DHHR opined that it was in compliance with 45 CFR 95.621 since it receives the SOC 1 Type 2 report from the MMIS service organization and since the report documents that the service organization establishes and maintains a program for conducting periodic risk analyses to ensure appropriate, cost-effective safeguards are incorporated into new and existing systems or whenever significant system changes occur, as required per 45 CFR 95.621. However, the DHHR also recognized the underlying concern expressed within the finding: the DHHR does not include the SOC 1 Type 2 report as part of its own policies and procedures for ADP security over the MMIS. To enhance its controls, the DHHR Bureau for Medical Services (BMS) was going to develop a policy and procedures to document MMIS compliance with 45 CFR 95.621.
The procedures were to include, but not be limited to, a requirement to review and approve the SOC 1 Type 2 report from the MMIS service organization and to document the review and approval process (e.g., for such matters as the service organization's assertions, descriptions of its systems and controls, control objectives and related controls, and the service auditor's description of tests of controls and results). Although the DHHR BMS has not developed a comprehensive policy or any written procedures to date, it has developed a form to document internal review of the SOC 1 Type 2 report for such matters as the control environment, systems development and maintenance, logical security, physical access, computer operations, and input controls. The BMS has also discussed this issue with an independent consulting firm that is under contract with the BMS for Medicaid expertise and performs existing services related to information technology and security; modernization and planning for the overall Medicaid Enterprise Systems (MES); organization development, including alignment strategies; project management; and data architecture and governance, which includes managing the availability, usability, integrity, and security of data with comprehensive standards and policies. The BMS and its independent consulting firm will work together to develop a statement of work for an independent review of the existing control environment, if deemed necessary, and for any additional services that might need to be performed in order to ensure the DHHR maintains full compliance with 45 CFR 95.621 and can document compliance for future HHS reviewers, independent auditors, or other authorized officials.