Audit: Department of Health needs better security for vital records

In this May 11, 2015 photo, State Auditor Nicole Galloway is interviewed in her Missouri Capitol office.

Missouri State Auditor Nicole Galloway recommended the Department of Health and Senior Services (DHSS) beef up its cybersecurity protocols after an audit found weaknesses in the way the department protects vital records.

The department does not have a formal security plan for the administration of its Missouri Electronic Vital Records (MoEVR) system, which stores documents such as birth and death certificates, according to the audit report released Thursday.

The database can be accessed by people who record vital record events, including medical personnel, funeral directors, coroners and staff of county health departments.

A formal security plan would help ensure proper control measures for the data and delineate clear responsibilities for each department that manages the MoEVR system. The audit found that while DHSS has general security policies in place, there is no plan to guide those policies.

"The Missouri Department of Health and Senior Services is responsible for safeguarding some of our most personal information and must be held to the highest standards of accountability," Galloway said in a news release. "Those who want access to personal information for inappropriate and illegitimate uses will continue to experiment with new strategies and methods to exploit any weaknesses."

The MoEVR system is maintained by DHSS, the Office of Administration's Information Technology Services Division and the system's vendor. Galloway's audit found a lack of coordination between DHSS and ITSD in managing the system and its data.

DHSS also wasn't sure what information in the database was being backed up or how frequently it was being backed up.

"As a result, DHSS management does not have assurance the MoEVR system data can be restored in the event of a disaster or other disruptive incident," Galloway said in the report.

The report included responses from DHSS, which said it is addressing the issues found during the audit.

"The department will work with ITSD to develop further and formalize its security policy standards and procedures," the department said. "This process has already begun."

The report noted some former employees were able to access the MoEVR system after they left their jobs. According to the report, Galloway found two former state employees who had access to the system 30 days or more after termination.

The audit also identified nine former employees of county health departments, hospitals or coroners' offices who had access to the system after leaving their jobs. Increasing efforts to review user accounts could reduce the risk for unauthorized access, Galloway said.

DHSS said it has a policy to review the system and remove users on a semi-annual basis. The next review is scheduled for this summer.
