On November 28, 2018, CGS pushed a security update to the myCGS portal that may prove unwieldy to manage. Under CMS Change Request 10576, CMS directed the Medicare Administrative Contractors (MACs) to assess and comply with the latest CMS security baseline, the Acceptable Risk Safeguards (ARS). In response, CGS introduced a number of security enhancements that affect portal users and administrators through new:
- User recertification protocols.
- Designated approver recertification protocols.
- Settings for automatic logout due to session inactivity.
- Procedures to suspend accounts due to prolonged inactivity.
- Procedures to deactivate accounts due to prolonged inactivity.
- Procedures to suspend accounts after multiple failed attempts.
- Rigorous password protocols.
User Recertification Protocol
Under these new directives, a Designated Approver (DA), appointed by the supplier's Authorized Official (AO) to approve and manage employee access to myCGS, must recertify all of the supplier's users every 90 days. Previously, the DA recertified users once per year. The initial 90-day recertification period began on November 30, 2018, for all existing myCGS users.
On login, DAs see an Approve/Deny User screen that shows how many days remain in the recertification period for each user, with the users closest to expiration listed first. A DA can recertify at any point during the countdown; the counter then resets to a fresh 90 days from the date of the completed recertification.
If the counter reaches zero, CGS revokes the account and the user must register again. To avoid deactivations, we recommend that DAs set recurring calendar reminders to recertify all users every 60 days, which leaves a 30-day buffer before any account expires.
Recertification takes only a few clicks: from the Approve/Deny screen, click the blue Recertify button to affirm that the user is still active with the organization.
Designated Approver Recertification Protocol
Similarly, CGS must recertify the DAs themselves every 90 days. CGS will usually contact the DA about 60 days before the recertification deadline from CGS.DO.NOT.REPLY.MYCGS@cgsadmin.com, with the word "recertification" in the subject line. To avoid disruption, prioritize messages from this address. Because a From: address alone is easy to forge, also confirm that the message follows the process described next (a form forwarded to the AO on record and returned by fax) rather than trusting the sender address by itself.
CGS directs the DA to forward a recertification form to the Authorized Official (AO) listed in the supplier's PECOS record. The AO must complete the form and fax it back to CGS before the DA's 90-day expiration date.
If the DA is not recertified in time, CGS revokes the DA's account. To restore access, the AO must re-authorize the DA by completing, signing, and faxing the myCGS Approver Designation Form; once the form is processed, the DA must create a new account using an authorization code from CGS. In the interim, all of the supplier's users are locked out.
Automatic Logout for Session Inactivity
After 15 minutes of inactivity, myCGS automatically ends the session; the previous limit was 30 minutes. Users whose session is terminated must sign in again with their username, password, and multi-factor authentication.
Suspension Due to Prolonged Inactivity
To keep an account active, every user and approver must log in to the portal at least once every 30 days; otherwise CGS temporarily locks the account. A suspended user must call CGS and ask an associate to unlock it, and CGS can only do so up to the 89th day after the last login. When CGS pushed the update on November 28, the system automatically suspended every user who had not logged in within the preceding 30 days (that is, since October 29).
Deactivation Due to Prolonged Inactivity
CGS deactivates accounts that have not been logged in to for 90 days. A deactivated user must restart account registration from scratch.
Suspension Due to Failed Attempts
CGS temporarily locks an account after three failed login attempts within a two-hour period. After the first failure, check the Caps Lock and Num Lock keys before trying again. After the second failure, use the password reset function or wait two hours before the next attempt, because a third failure locks the account. A locked-out user must call CGS and ask an associate to unlock it; the associate issues a new temporary password, so using the self-service reset before the third failure saves time.
Password Complexity
CGS's password rules require a password that is at least eight characters long, starts with a letter, and contains at least one character from each of the following four categories:
- Uppercase letter (A-Z).
- Lowercase letter (a-z).
- Number (0-9).
- One of the following special characters: ! @ # $ % ^ & * ( ) _ + - = < > ? / .
Additionally, users cannot recycle any of their previous 12 passwords.
In addition, a new password cannot contain any of the characters that appear in the first 12 characters of the most recent password (or of the temporary password, in the case of a reset). This is not a common requirement, so it will be unfamiliar to most users and is not handled by most password generators.
To assist readers with compliance, we created a free tool that validates new passwords against the enhanced rules.
Password Strategy
Using a formula may help users create and remember compliant passwords. One approach is to alternate between two base words that share no characters; for example, BrassBall and GoodNet have no letters in common. Then, for each cycle, add a fresh number-and-special-character prefix or suffix to the base. Keep in mind that a formula trades strength for memorability: anyone who learns one password in the series can predict the rest, so a password manager that generates and stores unrelated passwords is the safer choice where your organization allows one.
The following list of 12 monthly passwords demonstrates the results of using a formula:
- BrassBall11@ (next password cannot have: B-R-A-S-L-1-@)
- GoodNet22$ (next password cannot have: G-O-D-N-E-T-2-$)
- BrassBall33@
- GoodNet44$
- BrassBall55@
- GoodNet66$
- BrassBall77@
- GoodNet88$
- BrassBall99@
- GoodNet00$
- BrassBall12@ (change up the number combination to avoid repeating the first password)
- GoodNet34$
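As an added worked example (not the free tool mentioned above and not CGS's own code), the following Python checks a candidate password against the rules listed under Password Complexity and then walks the 12-password rotation above, confirming that each step complies with respect to the password before it. One reading is assumed: the page lists the off-limits characters case-insensitively (B-R-A-S-L for BrassBall), so the overlap check ignores case, which is the conservative interpretation. The temporary password Xq7!Temp2018 used in the demo is a constructed value.

```python
import string

SPECIALS = set("!@#$%^&*()_+-=<>?/.")   # allowed special characters from the CGS list
HISTORY_DEPTH = 12                     # previous passwords that may not be reused
OVERLAP_PREFIX = 12                    # leading characters of the last password that are off-limits


def forbidden_chars(previous: str) -> set[str]:
    """Characters the next password may not contain.

    Only the first 12 characters of the most recent password (or of the
    temporary reset password) count. The page lists them case-insensitively
    (B-R-A-S-L for BrassBall), so the comparison is done in upper case
    (assumption, see lead-in).
    """
    return {c.upper() for c in previous[:OVERLAP_PREFIX]}


def validate(candidate: str, history: list[str]) -> list[str]:
    """Return the rules the candidate breaks; an empty list means it complies.

    history lists prior passwords, most recent first; history[0] is the
    password (or temporary password) being replaced.
    """
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not candidate[:1].isalpha():
        problems.append("does not start with a letter")
    if not any(c in string.ascii_uppercase for c in candidate):
        problems.append("no uppercase letter")
    if not any(c in string.ascii_lowercase for c in candidate):
        problems.append("no lowercase letter")
    if not any(c in string.digits for c in candidate):
        problems.append("no digit")
    if not any(c in SPECIALS for c in candidate):
        problems.append("no special character from the allowed set")
    if candidate in history[:HISTORY_DEPTH]:
        problems.append("reuses one of the previous 12 passwords")
    if history:
        overlap = sorted({c.upper() for c in candidate} & forbidden_chars(history[0]))
        if overlap:
            problems.append("shares characters with the last password: " + "".join(overlap))
    return problems


def check_sequence(passwords: list[str]) -> list[tuple[str, list[str]]]:
    """Check a planned rotation in order, each password against those before it."""
    results = []
    for i, pw in enumerate(passwords):
        history = list(reversed(passwords[:i]))   # most recent first
        results.append((pw, validate(pw, history)))
    return results


# Constructed input: the 12-month rotation from the Password Strategy section.
ROTATION = [
    "BrassBall11@", "GoodNet22$", "BrassBall33@", "GoodNet44$",
    "BrassBall55@", "GoodNet66$", "BrassBall77@", "GoodNet88$",
    "BrassBall99@", "GoodNet00$", "BrassBall12@", "GoodNet34$",
]

if __name__ == "__main__":
    for pw, problems in check_sequence(ROTATION):
        print(f"{pw:14} {'OK' if not problems else '; '.join(problems)}")
    # Reset case: a constructed temporary password dictates the next one.
    # GoodNet22$ shares E, T and 2 with Xq7!Temp2018, so it is rejected;
    # BrassBall33@ shares nothing and passes.
    print(validate("GoodNet22$", ["Xq7!Temp2018"]))
    print(validate("BrassBall33@", ["Xq7!Temp2018"]))
    # Going back to the first password after 12 cycles trips the history rule.
    print(validate("BrassBall11@", list(reversed(ROTATION))))
```

The rule labels returned by `validate` are this example's own wording. The history rule is checked as an exact match, while the overlap rule compares character sets, which is why the reset case rejects GoodNet22$ even though it is a brand-new password.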
Remember to always store written passwords securely. For example, do not write your password on a Post-It note and stick it to your computer monitor. Ahem …
MiraVista recognizes that the data housed on the portal is particularly sensitive and valuable on the black market, and we support purposeful security enhancements. We anticipate, however, that users will struggle with the non-repeating character requirement. It is very difficult to craft non-overlapping passwords on the fly, especially when a temporary reset password dictates which characters the next password may not contain. Without a generator to work through the rules, users will likely fall back on weaker passwords or insecure password storage.
Though Noridian updated its password protocols in May 2018, MiraVista expects additional modifications to the security provisions for the Noridian Medicare Portal (NMP).
MiraVista spoke with CGS officials who are intimately aware of the challenges posed by the non-repeating character restriction. While empathetic, they are unable to diverge from this CMS requirement.
SOURCE LINKS
https://www.cgsmedicare.com/jc/pubs/news/2018/1118/cope10038.html
https://www.cms.gov/Regulations-and-Guidance/Guidance/Transmittals/2018downloads/R14SS.pdf
https://www.noridianmedicareportal.com/web/nmp/alert-details?articleId=45859239&groupId=10195