Public Summary Report: The State of Colorado Did Not Meet Federal Information System Security Requirements for Safeguarding Its Medicaid Systems and Data 

The Colorado Department of Health Care Policy and Financing (HCPF) had not implemented adequate information system general controls over the Colorado Medicaid eligibility determination and claims processing systems to fully comply with Federal requirements. The vulnerabilities that we identified increased the risk to the confidentiality, integrity, and availability of Colorado's Medicaid data. In evaluating HCPF's risk assessment, database security, Web site security, and universal serial bus (USB) device security for its Medicaid eligibility determination and claims processing information systems, we identified vulnerabilities related to inadequate risk assessment policies and procedures, improper administration of the Medicaid claims database, inadequate security of Medicaid databases, inadequate Web site security, and improper management of USB ports and devices.