An Audit Report on Security Over Electronic Protected Health Information at Selected Texas Academic Medical Institutions
November 2002
Report Number 03-009
Overall Conclusion
System access and security control weaknesses at some Texas academic medical institutions have the potential to place electronic protected health information at risk. Individuals both inside and outside these medical institutions could gain unauthorized access to automated systems and read, copy, and possibly modify and delete electronic health information. Intruders also could disrupt the operations of systems that are critical in providing health care. In addition, the disaster recovery plans and physical security for information systems may not be adequate to prevent emergencies and natural disasters from causing significant disruptions to critical systems.
Academic medical institutions use and collect an extensive amount of protected health information for the purposes of student education, research, patient care, and public service. Unauthorized access to or alteration of this information could result in substantial financial losses from the assessment of federal and state civil penalties, lawsuits, and erosion of consumer confidence.
This report provides a general summary of the system access and security, disaster recovery, and physical security weaknesses we identified at selected academic medical institutions. To minimize the risks associated with public disclosure, this report does not include the institutions' names or reveal specific vulnerabilities that could further jeopardize the confidentiality of electronic patient health information. We have provided the medical institutions we audited with detailed information describing the specific vulnerabilities and recommendations for correcting them.