Share this article on:
The Department of Health and Human Services’ Office of Inspector General has published the findings of a security audit of the Utah Department of Health. OIG discovered 39 “high-impact” security vulnerabilities and “a pattern of inadequate security management.”
The Utah Department of Health suffered two data breaches between 2012 and 2013, the first of which occurred in March 2012., and resulted in the protected health information (PHI) of 780,000 Medicaid recipients and Children’s Health Insurance Plan recipients being obtained by hackers. The data was stored on a server maintained by the Utah Department of Technology Services (DTS), which was accessed by Eastern European hackers.
The second data breach occurred in January 2013., and was the result of the loss of an unencrypted USB drive by an employee of a business associate of the Dept. of Health. The USB drive contained the PHI of 6,000 individuals.
The security breaches prompted OIG to conduct a review of information systems general controls at the Utah DOH, which took place in March 2013. The initial review was limited in scope, but highlighted a number of security weaknesses. The results of the initial review, coupled with the severity of the data breaches suffered by the Utah DOH, was deemed to warrant a full security audit. That audit took place between July and December 2013. The report of that audit was made public late last month.
OIG Audit Uncovered 39 High Impact Security Vulnerabilities
The full audit of Utah DOH included a much broader assessment of information system general controls, and looked at access controls management, security operations, configuration management, security program planning, and service continuity. Utah DOH received five restricted audit reports detailing the security vulnerabilities uncovered by OIG auditors, with the summary of the security review and audit recently made public.
Auditors discovered the lack of an effective enterprise security control structure, and determined that the Utah DTS had not established formal procedures covering access controls management controls, security operations, configuration management, security program planning, and service continuity.
39 high impact security vulnerabilities were discovered which demonstrated a lack of commitment to security management at DTS that placed Medicaid data at a high risk of unauthorized disclosure. Auditors also determined that Utah DOH did not provide sufficient oversight of DTS to ensure that the security controls required under federal law were put in place and the minimum data security standards were being met.
Because a system had not been implemented to identify inappropriate accessing of data, it is probable that a breach would not be identified if it did occur. Until a system has been implemented, OIG said it would leave “DOH Medicaid eligibility determination and claims processing systems and data vulnerable to additional breaches.”
According to the report, one of the main problems was portions of the network were not accessible to the Enterprise Security Group appointed by DTS to monitor for security weaknesses. DTS campus support groups had blocked the Enterprise Security group from accessing parts of the network, preventing the group from being able to determine whether any security vulnerabilities existed. OIG said DTS should have intervened to resolve the issue, but did not.
OIG Security Recommendations
OIG recommended the Utah DOH and DTS work together to implement effective security management practices, and said the Utah DOH must establish oversight procedures to ensure that appropriate information system general controls are implemented. All security weaknesses must be addressed and system security brought up to the minimum standards required by federal laws.
OIG pointed out that the failure to address these issues would likely result in the security vulnerabilities being carried forward into future Medicaid system implications, leaving Medicaid data vulnerable. Failure to address these issues “could adversely affect the state’s ability to obtain program funding from HHS.”
Utah DOH has agreed with the recommendations made by the OIG and has agreed to update policies and procedures and implement the necessary controls to bolster security and bring standards up to the level required by federal laws.
The full OIG report can be downloaded here.