Connecticut’s HIE security is potentially lacking, and it may need to develop a better management control system to properly respond to security deficiencies, according to a recent auditor’s report.
State auditors reviewed Connecticut’s HIE (Access Health CT) for fiscal years 2012 and 2013, finding deficiencies in internal controls, apparent non-compliance with legal provisions, and a need for improvement in management practices and procedures that they deemed reportable. However, security concerns were first raised following a June 2014 data breach in which 400 lines of PII belonging to exchange customers were compromised.
In the 2014 data breach, a call center employee reportedly left a backpack containing names, Social Security numbers, and dates of birth on the street.
“The subsequent investigation by the contractor and the Exchange found that the call center contractor, Maximus, was not abiding by its policies and procedures,” the report said. “The third party security expert performed what was described as a ‘Snapshot Assessment’ that identified ‘high-level vulnerabilities and risks that need immediate attention, and provide[d] recommendations, principles, physical safeguards and guidelines designed to assist AHCT in identifying cost-effective security solutions.’”
The third-party investigation found through interviews that “there was uncertainty as to where Policies and Procedures and Plans reside and which staff had ownership/responsibility.” Moreover, interviews with Exchange employees also showed a lack of security training, awareness, and responsibilities. The report explained that when asked about critical assets, high-risk or sensitive areas, and physical security, individuals referred to either another person or department as having responsibility.
In order to improve HIE security, it was recommended that the Exchange “develop a management control system that holds the organization accountable for responding in a timely manner to reported deficiencies in the security of the Exchange, in order to provide assurance that the PII in its possession is secure.”
In response, Access Health CT (AHCT) said it hired a company in January 2015 to perform physical security assessments and “has taken many steps to improve security all with the goal of better protecting consumers’ personally identifiable information.”
For example, the call center vendor has improved its physical security measures, and has worked with AHCT to improve and monitor its security practices. AHCT added that its security policies are described in the employee handbook, which employees must read and sign on their first day of work. An annual IT security training course is also required for staff members.
Training sessions conducted by the Privacy Officer will also be administered to employees and contractors, and will include guidance on proper handling of PII. AHCT added that the Privacy Officer and IRD supervisors will also “vigilantly monitor the protection of PII, and conduct daily checks for unsecured PII in AHCT’s offices.”
“Any unsecured PII found is either secured or destroyed,” AHCT explained in its response to the audit. “The Privacy Officer addresses any problems that may arise with employees and staff teams. AHCT is contracting with a security vendor to provide a full security audit of AHCT’s office and the State of Connecticut Data Center at Groton, Connecticut pursuant to federal government requirements.”
The state auditors had two other recommendations for the Exchange:
- Develop a management control system that holds the organization accountable for responding in a timely manner to reported deficiencies in the security of the Exchange, in order to provide assurance that the PII in its possession is secure.
- Respond with appropriate action based upon the opinion of the office of the Attorney General on the legal sufficiency of the “faithful performance” rider.
To read the complete auditor’s report, click here.