Audit Report on the New York City Human Resources Administration’s Home Care Services Program’s Controls over Personally Identifiable Information
June 26, 2018 | SI18-061A
We audited the New York City Human Resources Administration (HRA) Home Care Services Program’s (HCSP’s) controls over personally identifiable information (PII) to determine whether the HCSP (1) has adequate controls over the PII that is being collected and stored; and (2) is properly securing personal information from unauthorized access.
HRA provides economic support and social services to families and individuals through the administration of various programs, including Cash Assistance, the Supplemental Nutritional Assistance Program, Medicaid, Child Support Services, HIV/AIDS Services, Adult Protective Services, assistance for survivors of domestic violence and Home Care Services, the program covered by this audit.
The HCSP provides access to a variety of Medicaid-funded long-term care programs designed to help eligible elderly or disabled individuals remain safely at home, rather than in a nursing home or other institution. Specifically, the HCSP provides home care services to eligible clients and determines Medicaid eligibility for the clients of New York State’s Managed Long Term Care program. To achieve its goal, the HCSP uses several specialized applications to collect, process, store and transmit information, including PII, about its clients.
Audit Findings and Conclusions
Although HRA has several information security controls in place, including firewalls and antivirus software to protect its IT systems, physical security for work areas and paper-shredding contracts, the audit found weaknesses in HRA’s controls for IT application access, data protection, and data classification. As a result, PII is not fully protected in HRA’s computerized environment.
Among other issues, password functionality controls did not work in two applications, and HRA did not always implement applicable City password and lockout policies, disable the application user accounts of former and on-leave employees or properly control access to private information for network folder users.
The audit also found that HRA’s business continuity and disaster recovery plan needs updating, data classification is incomplete and some hard-copy documentation containing clients’ PII was not properly secured while awaiting scanning. Finally, HRA needs to promptly address reported vulnerabilities in one of its applications that could allow attackers to gain unauthorized access to restricted information and an agency server.
To address the abovementioned issues, we made 15 recommendations, including that HRA:
- Ensure that its password functionality controls work so that they allow access to its applications to only those users who enter the correct passwords.
- Comply with City password, lockout and account-management policies.
- Immediately disable former and inactive employees’ user accounts in all of its applications and thereafter conduct periodic reviews to identify and disable the user accounts of former and inactive employees.
- Deactivate the accounts of any users who have not logged into the applications within the time frames established in the HRA Account and Password Management Policy.
- Ensure that access to the network folder is restricted based on users’ defined roles.
- Review and update HRA’s business continuity and disaster recovery plans to include the current applications.
- Perform the required disaster recovery testing.
- Identify and prepare an alternate site for data processing and communications functions.
- Ensure data classification is completed and appropriate controls are implemented to safeguard the data based on its classification.
- Comply with applicable regulations and HRA policy for securing and storing physical documentation that contain PII.
- Address all detected vulnerabilities by applying the proper patches and configuration changes; a follow-up vulnerability scan report should also be generated to confirm that mitigation of vulnerabilities has taken place.
In its response, HRA generally agreed with 14 of the 15 recommendations and partially agreed with one recommendation.
HRA’s written response to the draft report expressed a concern that certain section headings of the draft “g[a]ve the impression” that password controls were lacking generally in the agency rather than in specific aspects of its IT environment, as the report sections themselves made clear. We adjusted the headings to eliminate any such concerns. HRA’s additional comments are presented in the relevant sections of this report.
The full text of HRA’s response is included as an addendum to the report.