An audit of the Utah Department of Health and Human Services (DHHS) by the Office of the Utah State Auditor has identified privacy and security weaknesses that are putting the health information privacy of state residents at risk, especially children.

The audit was conducted in response to a complaint by a DHHS whistleblower employee who alleged that the DHHS had not implemented adequate incident response procedures and had insufficient monitoring mechanisms for detecting and managing privacy incidents. According to the complainant, the deficiencies have resulted in under-reporting of incidents and unmitigated exposure of sensitive data, especially the data of children.

The audit was led by Tina M. Cannon, State Auditor; Nora Kurzova, State Privacy Auditor; and Mark Meyer, Assistant State Privacy Auditor, and involved a review of applicable laws related to incident response and data protection, a privacy risk assessment of the most significant data processing activities as they relate to children, an evaluation of incident response documentation and internal privacy and cybersecurity monitoring controls, and interviews with certain DHHS employees, including members of its Information Privacy and Security (IPS) team.

The audit was limited in scope and focused on two systems. SAFE and eChart. SAFE is the Comprehensive Child Welfare Information System (CCWIS) for the State of Utah, Division of Child and Family Services (DCFS), which is used to support child welfare case management, including child abuse and neglect cases. Currently, the system contains around 6 million records relating to more than 2 million individuals. eChart is the central repository of records related to patients with mental health needs. The system is maintained by the Utah State Hospital (USH) and currently includes records relating to more than 10,500 individuals.

The audit uncovered several privacy and security weaknesses, including weaknesses in oversight, awareness, and internal controls, which allow privacy violations to go undetected and unaddressed for extended periods. The auditors identified systemic issues in both the SAFE and eChart systems related to access controls, records dissemination, and monitoring across systems and teams handling sensitive records, including mental health and child welfare.

Inadequate access controls meant sensitive records in both systems could be accessed without enforcing or adequately monitoring role-based and least privileged access. Records could be accessed for individuals outside a user’s workload, without requiring any justification for the access. Broad access to records had been given to individuals other than DHHS social workers, including the Utah Office of Guardian ad Litem, Utah Psychotropic Oversight Panel (UPOP), and the office of the Attorney General. In the eChart system, there were similar access control issues. For instance, users of the eChart system are expected to determine for themselves what range of viewing access is appropriate, and there were no restrictions on accessing the records of individuals outside a user’s caseload. The lack of protection was given a critical risk rating.

While logs are created of user access, there was no automated system for monitoring those logs. Each month, the division’s privacy officer reviewed access logs through a manual sampling process. There was no system in place for providing real-time alerts about suspicious medical record access. Data retention periods were unnecessarily long, creating an accumulating long-term exposure risk. For instance, some records in the SAFE system had a retention period of 100 years, when the typical retention period is only 7-10 years.

There have been documented cases of intentional breaches occurring, as well as staff members accessing and disclosing records to the wrong person. There were reports of individuals posting sensitive data online, and staff members capturing unauthorized photos of patients or facilities. From the interviews, the auditors discovered that there was no well-known or secure mechanism to support anonymous reports of inappropriate access to medical records. As a result, staff and stakeholders could not raise concerns about potential wrongdoing or privacy and security issues without fear of retaliation from agency leadership or coworkers.

The auditors pointed out that a single compromised account could expose an entire data repository, putting individuals at risk of identity theft and fraud. Since children’s data is highly valuable to cybercriminals, and identity theft using children’s data can go undetected for years, robust access controls are vital. The privacy of minors, patients, and other vulnerable groups at risk was put at risk due to the lack of authentication and access controls; there was under-detection of privacy incidents and breaches due to inadequate monitoring; overretention of data created an unnecessary risk; and broad, unchecked access heightens the threat of identity
theft.

While privacy and security weaknesses were identified, no evidence was found to suggest any successful hacking incidents involving either the SAFE or eChart systems. The Office of the State Auditor made several recommendations for improving privacy and security, and the DHHS is in various stages of implementing those recommendations.

The post Audit of Utah Department of Health and Human Services Identifies Critical Privacy & Security Weaknesses appeared first on The HIPAA Journal.