The Idaho Department of Health and Welfare (State agency) did not ensure that Molina Medicaid Solutions (Molina) implemented adequate information system general controls over the State agency’s Medicaid Management Information System (MMIS). We identified 21 reportable weaknesses, which we consolidated into 6 findings.
Specifically, Molina had weak user authentication for remote network access, an inadequate password history policy, and inadequate encryption of network passwords; inadequate security settings for network devices, inadequate management of the Medicaid claims database, and no written policies for patch management; and no security policies and procedures to periodically review and account for inventory of portable devices, no policies and procedures for annual security awareness training, and inadequate policies and procedures for terminated and transferred employees and for background checks of employees.
We recommended that the State agency ensure that Molina implements adequate information system general controls over the State agency’s MMIS. The State agency concurred with all of our specific recommendations except for parts of two recommendations.