
YELLOW SHEET

Office of the State Auditor of Missouri
Claire McCaskill

Report No. 2005-59

August 2005

Sensitive Health Department data is vulnerable to unauthorized use, and department computer security is not in full compliance with federal rules

This audit reviewed the computer security management program at the Department of Health and Senior Services (DHSS). Auditors assessed whether computer security efforts ensured department data remained confidential and complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule by the federal deadline. The following highlights the audit findings.

Partially implemented security program leaves data at risk

DHSS did not have a fully developed security management program. Accepted standards state that policies are necessary to set the organization's strategic direction for security and to assign resources for implementing security. (See page 5)

Risk assessment process not fully implemented

DHSS had not fully implemented a formal risk assessment process, nor did it have policies requiring such assessments, although informal risk assessments are regularly performed. Risk assessments need to be documented, and the HIPAA Security Rule states that risk assessments are necessary to protect data confidentiality and integrity. (See page 6)

No requirement to confirm user access rights

DHSS management did not require periodic confirmation of user access rights. Such a review would ensure that access rights remain commensurate with each user's job duties. (See page 9)

Reinvestigation of employee backgrounds not performed

DHSS had not reinvestigated the backgrounds of employees in technology positions. Accepted standards call for reinvestigations every 5 years. (See page 9)

Not fully compliant with federal security rules

The HIPAA Security Rule required that health information be secured by April 2005. DHSS did not meet this deadline, although officials did comply with several parts of the Security Rule. HIPAA includes a provision for fines of $100 per violation for non-compliance with the Act's requirements. (See page 11)

Default password settings leave system vulnerable

Auditors found that password settings used to gain access to some systems had been left at their default values, which did not comply with department security policies or accepted standards. Information systems staff said resetting the passwords was not a priority because of the limited number of users on the applicable systems. (See page 12)

Missouri State Auditor's Office
moaudit@auditor.mo.gov