Centers for Medicare and Medicaid Services
Legacy commercial data center was not capable of meeting the federal government’s demanding FISMA, OMB, and unique HHS and CMS requirements.
The Centers for Medicare and Medicaid Services (CMS) provides health coverage to more than 100 million people through Medicare, Medicaid, the Children’s Health Insurance Program, and the Health Insurance Marketplace. The CMS seeks to strengthen and modernize the Nation’s health care system, to provide access to high quality care and improved health at lower costs.
CMS was looking for an independent and secure government cloud provider to host and maintain its financial claims data warehouse used by both CMS employees and medial industry professionals to audit and analyze medical claims data for accuracy and error detection. The CMS data warehouse is used in CMS daily financial analysis operations, as well as to generate an annual congressional report.
Supported by a government-experienced software vendor, the data warehouse was hosted in a legacy commercial data center not capable of meeting federal government’s demanding FISMA, OMB, and unique HHS and CMS requirements for storing Personally Identifiable Information (PII) and electronic protected health information (ePHI) under HIPAA.
Establish a technical transition plan and required security compliance plan to transition the system to a government certified cloud datacenter.
IT-CNP’s GovDataHosting cloud division team collaboratively worked with the CMS data warehouse software vendor to establish a technical transition plan, as well as the required security compliance plan to transition the system to a government certified cloud datacenter while preparing the necessary security compliance documentation and scheduling an independent CMS security control assessment (SCA).
An expedited 3-month system transition phase included deployment of CMS data warehouse Microsoft Windows servers in IT-CNP’s GovDataHosting Cloud Datacenter located in Columbia, Maryland and preparation of over 900+ pages of security compliance documentation including System Security Plan (SSP), Contingency Plan (CP), Configuration Management Plan (CMP), Incident Response Plan (IRP), Plan of Action and Milestones (POAM), and agency-specific documentation. An identical copy of the system was deployed in IT-CNP’s GovDataHosting Cloud Datacenter located in Dallas, Texas as part of a hot stand-by alternate processing site contingency plan strategy to ensure that system service can quickly be restored in an event the primary cloud datacenter becomes unavailable.
In preparations for the upcoming SCA, all CMS data warehouse system network, server and database components were hardened based on IT-CNP’s GovDataHosting Cloud Datacenter hardening standards that are based on Center for Internet Security (CIS) and DoD Security Technical Implementation Guides (STIGs). IT-CNP’s GovDataHosting security team deployed additional custom features through scripting to ensure that full compliance with demanding HHS/CMS security control requirements was met where native Microsoft Widows Server functionality was not available.
As part of technical performance and information security continuous monitoring strategy, IT-CNP’s Network Operations Center (NOC) and Security Operations Center (SOC) were used for advanced 24/7/365 system event monitoring and vulnerability scanning.
IT-CNP’s GovDataHosting security management team coordinated all SCA activities to assist CMS auditors with review of system policies and procedures, collection and review of over 475+ unique system security assessment artifacts, and conducting security-oriented personnel interviews to successfully complete the SCA with only a few minor low risk findings.
CMS data warehouse was issued an Authorization To Operate (ATO) based on CMS Moderate Impact Acceptable Risk Safeguards requirements. Final system service transition was successfully completed to IT-CNP’s GovDataHosting datacenters shortly after receipt of a new ATO with minimal impact for end users.
Full compliance with required levels of security assurance, which in turn contributed to further system functionality improvements.
By transitioning to IT-CNP’s GovDataHosting datacenter infrastructure, the CMS data warehouse software vendor is able to better focus on software enhancements and customer relationship management with CMS program stakeholders, while IT-CNP’s personnel manage all the underlying technical infrastructure components, security compliance, information security continuous monitoring, vulnerability scanning and disaster recovery.
Leveraging a specialized government cloud hosting provider allowed CMS and data warehouse software vendor to establish required levels of security assurance which in turn contributed to further system functionality improvements including implementation of mission-critical secure data exchange with other sensitive CMS information system over the CMSNet secure private network.