Objective

To assess the extent of implementation of the two recommendations included in our initial audit report, User Access Controls Over Selected System Applications (Report 2019-S-34).

About the Program

A part of the State University of New York (SUNY) system since 1950, Upstate Medical University’s (Upstate) mission is to improve the health of the communities it serves through teaching, research, and patient care. Upstate, the only academic medical center in Central New York, comprises four colleges, a research enterprise, one hospital with two locations (Upstate University Hospital and Upstate University Hospital at Community Campus), and over 80 outpatient clinics and other centers. To facilitate its clinical care, education, research activities, and communication, Upstate owns and/or administers approximately 200 system applications.  As these applications may contain a broad range of sensitive and personal information that is considered confidential for a variety of programs, controls over their access are especially important.

Our initial audit report, issued on June 10, 2020, sought to determine if Upstate’s access controls over select Upstate applications were effective to prevent unnecessary or inappropriate access to those applications. Our audit covered the period January 1, 2015 through October 8, 2019. Overall, we determined that Upstate’s access controls were not sufficient to prevent unnecessary or inappropriate access to various applications. We found that Upstate employees maintained unnecessary and inappropriate access to applications after a change in the users’ status (e.g., employment separation, death). Some of these user accounts were logged into during the period of inappropriate active access. We also found users who maintained unnecessary and inappropriate access to certain clinical applications after they had transferred to new jobs that did not require that access.

Key Finding

Upstate officials have made significant progress in addressing the problems we identified in the initial audit. Both of the initial report’s recommendations were implemented.