Auditors said they did not uncover instances in which personal information had been compromised, but they said a state system lacking in central control and reporting requirements might make it impossible to know of every problem.
Over a two-year period ending last year, agencies that control residents’ personal information reported just five Internet attacks to the state department responsible for cybersecurity — a fraction of the total that workers told auditors they had identified internally.
The report also says two agencies that have authorized state employees to use laptops or tablets to store and access residents’ personal information, including personal health data, did not adequately protect that information, for example by storing it in fully encrypted files.
Those agencies were the Department of Health and Mental Hygiene, which maintains Medicaid, health-care data and vital records, and the Department of Human Resources, which administers scores of state programs, including foster care and child support.
Varying levels of weaknesses were also found at the offices of the Maryland comptroller, which controls tax information; the Department of Public Safety and Correctional Services, which oversees sex-offender and criminal records; and the Department of Motor Vehicles, which issues driver’s licenses.
“Although state law assigns [the Department of Information Technology] the responsibility for enforcing information security, DoIT had delegated this responsibility to the individual agencies,” the report says. “Consequently, DoIT had not established a formal oversight process for ensuring that state agencies took appropriate actions to protect information systems and data.”
Raquel Guillory, a spokeswoman for O’Malley, said the administration’s information technology department had considered the audit to be “diagnostic in nature” and has agreed to implement most of the recommendations.
“In the IT security field, continuous diligence, audit and improvement is a good process.”
Auditors said that a revision to the administration’s cybersecurity policy that was approved in April should help address problems of reporting Internet attacks to DoIT. And in a response to the audit, Secretary of Information Security Elliott H. Schlanger agreed to implement many of the auditors’ proposed recommendations to tighten security.
Although auditors urged DoIT to monitor cybersecurity effectiveness at state agencies, Schlanger said the department lacked the resources to do so. Only four DoIT employees are tasked with cybersecurity, the audit found, and each has other responsibilities, too.
In short, the audit criticized the administration for not following some of the same cybersecurity rules that the General Assembly has mandated for businesses that operate in the state.
More broadly, the audit report suggests that in the realm of cybersecurity, O’Malley’s administration has not instituted the sort of top-down and real-time data review for which it has won accolades in other areas, including crime and environmental monitoring.