Michigan's Department of Technology, Management and Budget (DTMB) failed to establish effective security management and access controls for several departments, leaving systems used to process child welfare information, food assistance programs, and cash management, as well as others used in administering state benefits, vulnerable to unauthorized access, according to a report released by the state's Office of the Auditor General.
The latest Single Audit Report found that the Department of Health and Human Services (MDHHS) system used to administer federal programs was at risk of an attacker initiating unauthorized payments that could go undetected.
Despite recommendations made last year, the DTMB still hasn't implemented numerous security measures for the Community Health Automated Medicaid Processing System (CHAMPS). As a result, the agency cannot ensure that the program's data is protected from unauthorized modification, loss or disclosure.
Electronic grant, food nutrition and fiscal services systems used by the Michigan Department of Education (MDE) were also at risk.
The Department of Community Health (MDCH) and the Department of Human Services (DHS) were called out as well for using systems lacking proper security measures.
“It's a finding that we have in many audits and it's not something we accept,” Caleb Buhs, public relations officer, told SCMagazine.com.
“With access controls it's kind of a system by system basis,” Buhs said. “It comes down to each department working with DTMB to build a governance model that utilizes best practices when granting and removing access rights.”
He explained that the agency is constantly working with other departments to implement new security measures and strengthen old ones. Buhs said that although the potential for breaches existed, Michigan hasn't yet experienced a major breach. The DTMB IT team is continuously monitoring traffic in and out of the departments to identify any potential breaches, he added.
The audit is conducted annually by the auditor general to determine if agencies are in federal compliance.