Poor Security Puts California Medical Records, Other Data at Risk
California's databases, which house medical records and other personal information, are "vulnerable to unauthorized use, disclosure or disruption" because of a lack of safeguards, according to a state audit, the Sacramento Bee's "The State Worker" reports.
The audit included responses from 77 state departments, all of which were anonymous except for the Department of Technology.
Audit Findings
According to the audit, 73 departments were not in compliance with security standards, and most of them "have not planned for interruptions or disasters." Among five departments reviewed more closely, all had "security deficiencies" (Ortiz/Miller, "The State Worker," Sacramento Bee, 8/25).
The audit noted, "In some cases, the failure or disruption of information systems would jeopardize public health and safety," particularly among reporting entities involved with health and safety (Audit, August 2015).
The audit also found issues with the security self-assessments that state departments file with the Department of Technology.
Such flaws "may have contributed to many reporting entities incorrectly reporting that they were in full compliance with the security standards when they were not." According to the audit, 37 of 41 departments were not in compliance, despite reporting otherwise.
Meanwhile, the audit criticized the Department of Technology for poor security oversight, noting that until the audit, officials were not aware that many agencies were not in compliance with security requirements. In some cases when technology officials were aware, they allowed the deficiencies to go uncorrected for years, according to the audit.
For example, 30 of 38 departments that were noncompliant in 2014 reported that they submitted "remediation plans." However, just four agencies said the Department of Technology followed up with them ("The State Worker," Sacramento Bee, 8/25).
Recommendations
The audit recommended that the Department of Technology:
- Clarify security standards;
- Develop a self-assessment tool that agencies can use to determine their compliance with security requirements;
- Follow up annually on remediation plans;
- Implement an ongoing risk-based audit program for on-site visits; and
- Offer more effective oversight.
In addition, the audit recommended that the California Legislature:
- Authorize the Department of Technology to redirect funds to fix information technology issues; and
- Require the Department of Technology to assess security compliance among all reporting entities every two years (Audit fact sheet, 8/25).
According to "The State Worker," all departments included in the audit agreed with its recommendations ("The State Worker," Sacramento Bee, 8/25).
This is part of the California Healthline Daily Edition, a summary of health policy coverage from major news organizations.