MassHealth Did Not Annually Update or Test Its Disaster Recovery Plan.

MassHealth had not updated its disaster recovery plan (DRP) since June 18, 2009 and did not test the DRP annually. Further, although the Executive Office of Technology Services and Security (EOTSS) provides offsite storage of MMIS in the form of electronic backup copies and magnetic media copies, MassHealth does not have an offsite location to restore MMIS in the event of an unforeseen interruption in its business operations.

As a result, MassHealth is vulnerable to a disruption of services that could negatively affect its members if its IT capabilities are inoperable for an extended period. The “MA21 Disaster Recovery Exercise March 2021 Postmortem Report,” dated May 11, 2021, from EOTSS to EOHHS states,

Not having the Medicaid Management Information System (MMIS) severely impacts the ability of MassHealth as an organization to perform their function in providing members with . . . access to benefits.

EOTSS’s Business Continuity and Disaster Recovery Management Standard IS.005, effective October 15, 2018, states,

6.2.1     Commonwealth Executive Offices . . . must develop and maintain processes for disaster recovery plans at both onsite primary Commonwealth locations and at alternate offsite locations. . . .

6.2.2     Commonwealth Executive Offices . . . must ensure that [DRPs] shall be tested annually.

MassHealth does not have any policies and procedures regarding the updating and testing of its DRP.

1. MassHealth should establish written policies and procedures for assigning, managing, and monitoring its DRP.
2. MassHealth should identify an offsite disaster recovery location to use for MMIS. Once the site has been selected, MassHealth should test the updated DRP and incorporate the results into it.

MassHealth will finalize and publish the policies and procedures for the MMIS Disaster Recovery Plan (DRP) by the end of calendar year 2022. This will include steps to monitor and review the plan on an annual basis.

MassHealth is preparing to migrate to Amazon Web Services (AWS) for MMIS disaster recovery. Due to the complexity of the technology implementation, significant cyber security reviews, and the involvement of multiple agencies, this migration will take time but expects completion by Summer 2024. This migration will be done in close coordination with the Executive Office of Technology Services and Security (EOTSS), which is in the process of closing its Chelsea and Springfield data centers and migrating to AWS as part of its Cloud First strategy. When the migration is complete, MMIS will take advantage of DRP services available within AWS. The MMIS DRP will then be updated, tested, and integrated into the regular DRP monitoring schedule.

Based on its response, MassHealth is taking measures to address our concerns on this matter.