Audit reveals protected data was at risk in College of Medicine

Alyssa Elso/ Contributing Writer

The Herbert Wertheim College of Medicine had flaws in its information systems security controls that left terminated employees with active user accounts.

The Office of Internal Audit’s 2012-2013 report on the Herbert Wertheim College of Medicine found that those flaws, which the college has since addressed, put the college’s protected data at risk of inappropriate disclosure.

According to the administrative controls section of the audit, which covers how the conduct of personnel is managed with respect to protecting data and maintaining the security measures that protect sensitive data, the College of Medicine’s Department of Human Resources recruitment and termination processes needed improvement.

In fall 2009, the College of Medicine’s Information Technology Department consisted of five staff members. By 2011-2012, with an approved budget of over $1 million, the staff had grown to nine employees.

In the recruitment process, Human Resources must ensure that background checks are performed on all candidates and that candidates have the skills listed as necessary for their job duties; it must also take prudent action when an employee is terminated.

During the termination process, Human Resources failed to disable account access promptly and to file employment separation checklists within a reasonable time of the employee’s effective termination date.

Of the 22 terminated employees, only 12 had separation checklists, a form used as a guide for the actions to be taken once an employee quits or is terminated. Ten of those were created after 12 days, and two after 28 and 75 days, respectively, from the effective termination date. Many of these checklists also failed to record whether items such as ID cards and computer equipment had been collected from the terminated employees.

After termination, the disabling of user accounts, which is handled by University Technology Services, should also have been completed in a timely manner, yet the accounts of six of the 22 former employees were still enabled in Active Directory at the time of the audit.
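The check the auditors performed here, reconciling an HR separation list against the directory to find accounts that are still enabled and checklists filed late or not at all, is easy to automate. The script below is an added example written for this article; it is not code from the audit or the college, and the usernames, dates and account states in it are constructed sample data. It assumes the HR list and an Active Directory export (for instance from `Get-ADUser -Filter * -Properties Enabled`) have been loaded into the two record types shown.

```python
"""Reconcile an HR separation list against an Active Directory account export.

Added example (not from the audit or the college). Reports the two things the
audit measured: separated employees whose accounts are still enabled, and how
long after the effective termination date the separation checklist was filed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Separation:
    username: str
    effective_date: date
    checklist_date: Optional[date]  # None if no separation checklist was filed


@dataclass(frozen=True)
class AdAccount:
    username: str
    enabled: bool


def stale_enabled_accounts(separations: List[Separation], accounts: List[AdAccount],
                           as_of: date, grace_days: int = 1) -> List[Tuple[str, int]]:
    """Return (username, days past termination) for separated users whose AD account
    is still enabled more than grace_days after the effective date, longest first.
    Usernames are compared case-insensitively because AD logons are."""
    enabled = {a.username.lower() for a in accounts if a.enabled}
    stale = []
    for s in separations:
        if s.username.lower() not in enabled:
            continue
        days = (as_of - s.effective_date).days
        if days > grace_days:
            stale.append((s.username, days))
    return sorted(stale, key=lambda t: -t[1])


def checklist_lag_days(separations: List[Separation]) -> Dict[str, Optional[int]]:
    """Map username -> days between effective termination and checklist creation,
    or None when no checklist exists (the audit counted both conditions)."""
    return {
        s.username: (None if s.checklist_date is None
                     else (s.checklist_date - s.effective_date).days)
        for s in separations
    }


def summarize(separations: List[Separation], accounts: List[AdAccount],
              as_of: date, max_lag_days: int = 5) -> dict:
    """Produce the counts an auditor would report for the review period."""
    lags = checklist_lag_days(separations)
    missing = [u for u, d in lags.items() if d is None]
    late = [u for u, d in lags.items() if d is not None and d > max_lag_days]
    stale = stale_enabled_accounts(separations, accounts, as_of)
    return {
        "separated": len(separations),
        "checklist_missing": sorted(missing),
        "checklist_late": sorted(late),
        "still_enabled": [u for u, _ in stale],
    }


# Constructed sample data (hypothetical users, not taken from the audit).
SEPARATIONS = [
    Separation("jdoe", date(2011, 7, 1), date(2011, 7, 2)),
    Separation("asmith", date(2011, 8, 15), None),               # no checklist
    Separation("bchan", date(2011, 9, 10), date(2011, 10, 8)),   # checklist 28 days late
    Separation("rlopez", date(2011, 11, 20), date(2011, 11, 22)),
]
AD_EXPORT = [
    AdAccount("jdoe", enabled=False),
    AdAccount("asmith", enabled=True),      # separated but never disabled
    AdAccount("bchan", enabled=True),       # separated but never disabled
    AdAccount("rlopez", enabled=False),
    AdAccount("svc-backup", enabled=True),  # unrelated service account, ignored
]
AS_OF = date(2011, 12, 31)  # end of the audit's review period

if __name__ == "__main__":
    for user, days in stale_enabled_accounts(SEPARATIONS, AD_EXPORT, AS_OF):
        print(f"{user}: still enabled {days} days after termination")
    print(summarize(SEPARATIONS, AD_EXPORT, AS_OF))
```

Run against the real exports, the `still_enabled` list is the set of accounts to disable today, and `checklist_late` and `checklist_missing` are the HR process gaps; scheduling the script to run daily turns a once-a-year audit finding into a standing control.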

Human Resources Director for the College of Medicine Ana Poveda and Office of Internal Audit Director Allen Vann were unavailable for comment, but the University’s Media Relations sent a statement to Student Media.

“The audit found some areas that needed improvement such as recovering/revoking access control devices and passwords upon employee separation. HWCOM has moved swiftly to address these issues and we now have controls consistent with best practices in the field. All of the auditor’s recommendations regarding this matter have been implemented.”

HWCOM completed the recommendations listed in the audit between October 2012, immediately after the audit was completed, and February 2013.

The audit of the HWCOM Information Systems Security Controls covered the period from June 1, 2011 through December 31, 2011. Its purpose was to determine whether the established internal security controls and procedures over protected data were effective, adhered to and in compliance with University policies, rules and regulations.

The report found that IT controls needed improvement to reduce the risk of data breaches and better protect the confidentiality of sensitive data. Of the 42 activities tested, 25 needed improvement to function effectively.

To improve the function of these systems and decrease the risk of unauthorized disclosure of protected data, the Office of Internal Audit recommended that security awareness training be established, provided to staff members and periodically evaluated to ensure that it is effective and up to date.

In response to the findings and recommendations in the audit, management responded with a plan of action to improve IT controls. The plan included carrying out and documenting back-up procedures, periodic testing, and review of the back-up jobs. Yearly reviews were changed to biannual reviews.

According to the audit, Human Resources completed a background check on the director of IT in August 2012. In June 2011, it created a single standardized separation of employment checklist. It has been working to ensure that employees’ access is disabled on a regular schedule and to create security training programs available to staff, and it will continue to work to improve the protection of sensitive data.