Maryland MMIS and E&E System Security Controls Were Partially Effective and Improvements Are Needed

Date Issued

Thursday, May 25, 2023

Submitting OIG

Department of Health & Human Services OIG

Other Participating OIGs

Department of Health & Human Services OIG

Agencies Reviewed/Investigated

Department of Health & Human Services

Components

Centers for Medicare and Medicaid Services

Report Number

A-18-21-09003

Report Type

Audit

Location

MD,
United States

Number of Recommendations

Questioned Costs

Funds for Better Use

External Entity

Maryland Department of Health

Open Recommendations

This report has 4 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
23-A-18-078.01	No	$0	$0
We recommend that the Maryland Department of Health remediate the seven control findings OIG identified.
23-A-18-078.02	No	$0	$0
We recommend that the Maryland Department of Health assess the effectiveness of all required NIST SP 800-53 controls according to the organization's defined frequency.
23-A-18-078.03	No	$0	$0
We recommend that the Maryland Department of Health assess at least annually and if necessary, adjust baseline configurations for its MMIS and E&E public servers.
23-A-18-078.04	No	$0	$0
We recommend that the Maryland Department of Health perform periodic phishing exercises and enhance employee and contractor cybersecurity awareness training based on the results of the phishing exercises, if needed.