A Performance Audit
An Audit Report on Cybersecurity at the Texas Medical Board
May 2020
Summary Analysis
The Texas Medical Board (Board) should strengthen its information security program to meet statutory requirements and the Department of Information Resources' (DIR) information security standards. Specifically:
- The Board did not define and classify the types of data it manages, prioritize its information technology (IT) assets based on their importance, perform a risk assessment, or identify a risk management strategy. That data includes confidential information on licenses for physicians, physicians' assistants, and other medical practitioners.
- Although the Board completed its 2018 Security Plan as required, it should strengthen its documentation of management oversight, staff training, and policies and procedures.
- While the Board had controls in place to protect its network from logical, environmental, and physical threats, it did not always appropriately restrict user access to key information resources. Auditors also identified areas for improvement related to the Board's controls over its change management.
The Board also had significant control weaknesses that reduce its ability to address cybersecurity incidents. Auditors communicated details about the identified weaknesses related to sensitive information technology issues separately to the Board in writing.
Auditors reviewed the Texas Medical Board's (Board) compliance with the standard requirements and guidance that all state entities must follow to protect their critical information resources from cybersecurity threats. Those requirements and guidance are included in Title 1, Texas Administrative Code, Chapter 202; the Texas Cybersecurity Framework Control Objectives and Definitions (Framework); and the Security Control Standards Catalog (Catalog). The requirements were developed by the Department of Information Resources.
The Texas Medical Board (Board) should strengthen its information security governance by performing the steps that will help it identify significant cybersecurity risks to its systems, people, assets, data, and capabilities.
Specifically, the Board should:
- Define and classify the types of data it manages;
- Prioritize which information technology (IT) assets are most critical to its operations; and
- Perform a risk assessment of its information and information systems.
In addition, while the Board performed other key activities such as establishing information security policies and procedures, it should improve its documentation of those activities to further strengthen its ability to identify and manage cybersecurity risks. For example, the Board should regularly review its policies and procedures for needed updates and document whether services provided by a third-party vendor meet security needs.
The Board had controls in place to secure its network and IT assets from logical, environmental, and physical security threats. It also ensured that users accessed information resources with unique user accounts and had adequate authentication settings. However, it should establish a documented process to manage the encryption of critical data and IT assets.
The Board did not always appropriately restrict user access to key information resources. The Catalog requires state entities to restrict access to only the level necessary to accomplish the users' job duties, known as the "principle of least privilege." User access must also ensure adequate separation of duties.
However, several of the Board's information technology employees had administrative access to all of the Board's servers, which did not align with the principle of least privilege. Other employees had access that increased the risk of unauthorized activities. Because the Board handles sensitive and confidential information and processes financial transactions, it is important that system access is appropriate.
The Board did ensure that user access to agency databases was appropriate based on the users' job duties.
The Board had processes to ensure that information security considerations were included in its development of information systems. However, it should establish consistent change management processes for its information systems.
Auditors identified significant weaknesses in the Board's ability to address cybersecurity incidents. To minimize security risks, auditors communicated details about the identified weaknesses separately to the Board's management, in writing.
Pursuant to Standard 9.61 of the U.S. Government Accountability Office's Generally Accepted Government Auditing Standards, certain information was omitted from this report because that information was deemed to present potential risks related to public safety, security, or the disclosure of private or confidential data. Under the provisions of Texas Government Code, Section 552.139, the omitted information is also exempt from the requirements of the Texas Public Information Act.