South Carolina (the State) did not safeguard Medicaid Management Information System (MMIS) data and supporting systems in accordance with Federal requirements. Specifically, the State had not implemented an adequate risk management process that included contractor oversight, established a security plan for the MMIS, implemented media protection for laptop computers, met Federal requirements for the security of software and data, adequately addressed vulnerabilities on network devices or Web sites, or implemented adequate security awareness and role-based training programs. These weaknesses occurred because the State had not established priorities or allocated the resources necessary to secure Medicaid systems and information.
We recommended that the State establish priorities and allocate the resources necessary to implement our detailed recommendations for improving the controls necessary to safeguard its Medicaid information and systems. The State concurred with all our recommendations and described actions that it had taken or planned to take to implement them.
Notice
This report may be subject to section 5274 of the National Defense Authorization Act Fiscal Year 2023, 117 Pub. L. 263.