Date Issued
Submitting OIG
Department of Health & Human Services OIG
Other Participating OIGs
Department of Health & Human Services OIG
Agencies Reviewed/Investigated
Department of Health & Human Services
Report Number
A-18-22-09010
Report Type
Audit
Location

AL
United States

Number of Recommendations
5
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

This report has 5 open recommendations.
Recommendation Number: 24-A-18-056.01
Significant Recommendation: No
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: We recommend that the Alabama Medicaid Agency remediate the six control findings OIG identified.

Recommendation Number: 24-A-18-056.02
Significant Recommendation: No
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: We recommend Alabama evaluate its current vulnerability scanning tools and update if necessary in order to better detect system flaws (e.g., common web server vulnerabilities) in its MMIS and E&E system and software components.

Recommendation Number: 24-A-18-056.03
Significant Recommendation: No
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: We recommend Alabama require its developers to follow secure coding standards and best practices, at a minimum, such as those recommended by NIST SP 800-218 or the Open Web Application Security Project (OWASP), when developing web applications.

Recommendation Number: 24-A-18-056.04
Significant Recommendation: No
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: We recommend Alabama implement procedures to periodically verify that its developers are adhering to secure coding standards and remediating vulnerabilities before releasing code to production.

Recommendation Number: 24-A-18-056.05
Significant Recommendation: No
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: We recommend Alabama perform more robust technical testing of web-facing systems that includes the emulation of an adversary's tactics and techniques on a defined reoccurring basis in order to better assess the effectiveness of NIST 800-53 controls.
