2024-053a: The State (EOHHS) receives quarterly user access reports from the MMIS fiscal agent. Anyone identified on the reports who has not logged in for a period of 60 days will have their access terminated. Terminating the user's access locks them out and prevents access to the system without first requesting a password reset, which is reviewed and approved or denied by the EOHHS systems group. In addition, when a user leaves state service or moves to another agency, their access is terminated immediately. An SOP will be implemented with offboarding procedures to assist in timely removal of access.
Access is maintained and controlled within the GainwellNow system. Email notifications of pending requests for access are sent to Hector Rivera and Kim Tebow (both EOHHS), who must then review the request and attached form and either grant or deny access.
An FTE will be added to the EOHHS/Medicaid Systems team to standardize all user access policies and procedures.
Oversight of all IT security activities performed by the MMIS contractor is the responsibility of the EOHHS/Medicaid Project/Contract Manager assigned to the vendor. This individual is supported by the ETSS AIM assigned to support EOHHS/Medicaid. A SOC audit is completed yearly and provides documentation for penetration and vulnerability testing.
Anticipated Completion Date: Current and Ongoing
Contact Persons: Brian Tichenor, Medicaid Systems Manager, Executive Office of Health and Human Services
brian.tichenor@ohhs.ri.gov
Hector Rivera, Interdepartmental Project Manager, Executive Office of Health and Human Services
hector.l.rivera@ohhs.ri.gov
Kimberly Tebow, Senior Medical Care Specialist, Executive Office of Health and Human Services
kimberly.tebow@ohhs.ri.gov
2024-053b: The 2025 MARS-E Assessment is underway and will be completed by 4/30/2025. The results will be reviewed to assure the items in the previous MARS-E assessment have been addressed as expected by the state.
Documentation lacking to evaluate security controls; Complete pending MARS-E Assessment
Continued use of unsupported applications in need of update or patching; a major upgrade of the end-of-life frameworks is planned to start in SFY2026. This expensive upgrade structurally supports most of the modernization platforms that the state is considering. Start SFY 2026; Completion SFY 2027
Lack of contractor tracking of exceptions and risk assessments; Exceptions for vulnerabilities are tracked in JIRA. Risk assessments are performed in all security tests and periodically on security controls. CISO approves all vulnerability exceptions. Complete pending MARS-E Assessment
Contractor only sharing partial vulnerability scanning results; Raw report results are provided in SharePoint in support of the risk assessment process. Complete pending MARS-E Assessment
Lack of a robust triage process for security vulnerabilities; Complete pending MARS-E Assessment
Inadequate consideration of IT security vulnerabilities with industry best practices; Security vulnerability assessments are performed using the CMS method of impact X probability. The method has been reviewed by the state and the MARS-E assessor. Complete pending MARS-E Assessment
Anticipated Completion Dates: See above
Contact Person: Deb Merrill, Security Officer, Enterprise Technology System Services, Department of Administration
deb.merrill@doit.ri.gov
2024-053c: The State (EOHHS) collaborates with system vendors (MMIS/Gainwell and Deloitte/RI Bridges) Maintenance & Operations (M&O) and Security teams to ensure annual risk assessment/vulnerability best practices and lessons learned are integrated into annual planning and scope of work for future FYs.
Anticipated Completion Date: Current and Ongoing
Contact Persons: Brian Tichenor, Medicaid Systems Manager, Executive Office of Health and Human Services
brian.tichenor@ohhs.ri.gov
Hector Rivera, Interdepartmental Project Manager, Executive Office of Health and Human Services
hector.l.rivera@ohhs.ri.gov
2024-053d: Our controls for User Access are in place. Depending on the access requested by the type of user and the program being administered, access is provided accordingly.
Anticipated Completion Date: Current and Ongoing
Contact Persons: Saurabh Gosai, Director – Technology, Strategy and Innovation, Department of Human Services
saurabh.u.gosai@dhs.ri.gov
Sherri Kennedy, Chief - Human Services Policy and Systems Specialist, Department of Human Services
sherri.kennedy@dhs.ri.gov