Objective
To determine whether access controls over select State University of New York Upstate Medical University (Upstate) system applications are effective to prevent unnecessary or inappropriate access to those applications. This audit covered the period from January 1, 2015 through October 8, 2019.
About the Program
Upstate, the only academic medical center in Central New York, consists of four colleges, a research enterprise, a clinical system, and a hospital that includes a Level 1 trauma center and a dedicated children’s hospital and cancer center. To facilitate patient care, research, and education, Upstate owns and/or administers more than 200 applications that contain a broad range of sensitive and personal information that is considered confidential. Applications may be used not only by Upstate employees, but also by students, visiting or adjunct professors, and various non-employees such as consultants, contractors, emeritus professors, and vendors.
Key Findings
- We found Upstate’s access controls are not sufficient to prevent unnecessary or inappropriate access to various applications. Inappropriate access can lead to intentional or accidental modification, destruction, or disclosure of clinical, educational, and research – and otherwise confidential – information. Specifically:
- 352 user accounts for 113 users maintained unnecessary and inappropriate access to applications due to a change in the users’ status (e.g., employment separation, death).
- 61 of these user accounts were logged into during the period of inappropriate active access, including 8 accounts whose users were deceased at the time.
- We also found 27 users who maintained unnecessary and inappropriate access to certain clinical applications after they had transferred to new jobs that did not require that access. Further, in 12 of 27 instances, it took more than a month for access to be removed.
- Although Upstate has certain measures in place to review the appropriateness of user access, we question the thoroughness and extensiveness of these reviews. We identified 73 user accounts with inappropriate access to 11 different clinical applications that were not identified or remediated during the course of Upstate’s reviews.
Key Recommendations
- Improve controls over user access to Upstate applications to ensure they meet the applicable laws, regulations, and policy requirements.
- Remove access for improper user accounts identified in our audit.
Brian Reilly
State Government Accountability Contact Information:
Audit Director: Brian Reilly
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236