State Auditor releases audit of Controlled Substance Database
By Nicole Davis
The Office of the State Auditor announced the release of its Information Systems Audit of the Controlled Substance Database.
The database was created by statute to facilitate the identification of the following issues with respect to controlled substances:
—Patterns of prescribing and dispensing.
—Practitioners prescribing in an unprofessional or unlawful manner.
—Individuals receiving prescriptions in quantities or frequencies inconsistent with generally recognized standards.
—Individuals presenting false prescriptions to a pharmacy.
—Individuals admitted to a general acute hospital for poisoning or overdose.
The Controlled Substance Database is operated by the Division of Occupational and Professional Licensing within the Department of Commerce. The state’s Department of Technology Services provides technical support.
This audit was conducted to assess the quality of security and access controls for the Controlled Substance Database. The office reviewed the design of 22 information technology controls related to four areas: Logical Access, Computer Operations, Change Management, and Data Security. The audit report contains nine findings, which were provided to the management of the database six months ago to allow the agency time to correct issues identified in the audit:
—Inadequate Controlled Substance Database password requirements do not comply with Division of Occupational and Professional Licensing policy.
—Password requirements for back-end database users do not conform to required Department of Technology Services policy.
—Several unlicensed individuals received database accounts without proper approval.
—Database user accounts are not periodically reviewed for appropriateness.
—Practitioners with expired licenses were improperly allowed to perform queries in the database.
—Management has not defined activities that should be monitored.
—Inadequate monitoring of user activity.
—Insufficient monitoring of testing documentation for application changes prior to deployment.
—Data retention policy exposes the Division of Occupational and Professional Licensing to unnecessary risk.
“Privacy protection is important to many Utahns,” said State Auditor John Dougall. “I am impressed with the proactive steps DOPL has taken to remedy issues identified in the audit. I am encouraged by DOPL’s willingness to work with the Utah Legislature regarding defining the appropriate retention schedule for personally identifiable information in the Controlled Substance Database. Excessive retention of PII can expose Utahns to unnecessary privacy risk.”
The report may be found online.
Articles related to “State Auditor releases audit of Controlled Substance Database”
CCHR’s “Psychiatric Drugs Create Violence & Suicide” report a wakeup call on mass violence
Synthetic drugs threaten public safety, and they’re arriving by international mail
