Public Summary Report: The State of Colorado Did Not Meet Federal Information System Security Requirements for Safeguarding Its Medicaid Systems and Data

The Colorado Department of Health Care Policy and Financing (HCPF) had not implemented adequate information system general controls over the Colorado Medicaid eligibility determination and claims processing systems to fully comply with Federal requirements. The vulnerabilities that we identified increased the risk to the confidentiality, integrity, and availability of Colorado's Medicaid data. In evaluating HCPF's risk assessment, database security, Web site security, and universal serial bus (USB) device security for its Medicaid eligibility determination and claims processing information systems, we identified vulnerabilities related to inadequate risk assessment policies and procedures, improper administration of the Medicaid claims database, inadequate security of Medicaid databases, inadequate Web site security, and improper management of USB ports and devices.

We recommended that HCPF implement our detailed recommendations to address the vulnerabilities that we identified related to HCPF's risk assessment policies and procedures, database administration and security, Web site security, and USB port and device security for its Medicaid eligibility determination and claims processing information systems. HCPF concurred with our recommendations and described corrective actions that it had taken or planned to take.