Information systems used by the Utah Department of Health (UDH) for its Medicaid program were left at risk, with numerous weaknesses in the technology discovered during a review of the agency by the Department of Health and Human Services' Office of Inspector General (OIG).
The report stemmed from a breach of more than 780,000 Medicaid files from UDH in March 2012, as well as an incident in January 2013 where an employee of an outside contractor lost an unencrypted USB memory stick containing data for 6,000 Medicaid clients.
After these incidents were reported, the OIG conducted a "limited review" of the UDH's information systems. That review revealed weaknesses related to system security controls, leading to a broader review.
That review, recently published by OIG, reveals that UDH did not have an "effective enterprise security control structure to ensure that adequate information system general controls were implemented."
The agency did not have in place policies for access controls, configuration management, security operations, security program planning and service continuity, the report adds. Those vulnerabilities, according to OIG, are "high impact" and could lead to "a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals."
In a letter to the OIG dated June 26, 2015, Michael Hales, deputy director of UDH, said that the department agrees with OIG's recommendations to remediate the weaknesses and outlined the actions the department has taken and will continue to take to meet those recommendations.
The agency, so far, has created a security operations center that monitors IT operations 24/7, implemented a data owner security awareness program and set up an information governance system, among other actions, according to Hales.
Other healthcare agencies that have been taken to task by the OIG over IT security include HHS, in which it found "problems, abuses, deficiencies and investigative outcomes on the administration of the agency's programs," and the Palo Alto VA Healthcare System, which was found to have put patient health information at risk during a pilot program with an outside vendor meant to improve its IT capabilities.
To learn more:
- check out the OIG's review (.pdf)