An Audit Report on Security of Confidential Electronic Information at Selected Health and Human Services Agencies
February 2003
Report Number 03-017
Overall Conclusion
Some Texas health and human services agencies do not adequately protect the confidential client information in their automated systems. Numerous weaknesses in external and internal controls could allow individuals inside and outside these agencies to gain unauthorized access to automated systems and read, copy, modify, or delete confidential client information. This lack of protection is especially serious because all health and human services agencies are on a consolidated network. Without proper network security measures, any employee or contractor of any agency on the network could potentially access confidential information of other agencies on the network. Each agency reviewed has this weakness.
In addition, the agencies we reviewed lack effective security management programs, which are essential to ensure the cost-effective use of security resources. The agencies have not classified data, assigned data ownership, or determined the resources necessary to secure their data. Without such a program, these agencies may not correctly allocate funds for data security or may not appropriately spend these funds.
All of the issues we identified in this audit are violations of the Texas Administrative Code (TAC) (Title 1, Section 202) for Information Security. TAC 202, revised in June 2002, represents current requirements as well as best practices for information security.
Health and human services agencies' information systems contain highly confidential data relating to physical and mental health, child abuse and neglect, the elderly, Medicaid and Medicare, drug and alcohol abuse, physical and mental disability, and children's health insurance. By not protecting their information, these agencies risk losing the public's confidence and being unable to serve their clients. They also open themselves up to financial losses if they violate federal or state law, if they have to re-create lost data, or if they are sued because of a breach of privacy.
This report contains a general summary of the network security, system access, and TAC compliance issues we identified at selected health and human services agencies. To minimize the risk of public exposure, this report does not include the names of the agencies we audited or identify specific vulnerabilities that could allow someone to exploit their systems. We provided the audited agencies with detailed information regarding the specific vulnerabilities we identified as well as our recommendations for improvements.
Cost and organizational support can hamper security improvements. We understand that cost may be an issue given the current state budget projections. However, the significance of the risk that confidential information will be disclosed requires management to carefully assess the cost-benefit of effectively managing that risk. A few of our recommendations require additional hardware. For agencies of this size, the required hardware is inherently expensive. Wherever possible, we identified interim solutions that can be implemented until the necessary hardware can be obtained. The majority of our recommendations require staff members' time and/or management's commitment to developing and complying with policies and procedures.