DHSS on top of cybersecurity for vital record keeping


Galloway gives ‘good’ rating to DHSS vital record keeping, stresses more work needs to be done

JEFFERSON CITY, Mo. – State Auditor Nicole Galloway released a report Thursday saying work needed to be done by the Department of Health and Senior Services to protect the birth and death records of millions of Missourians.

Fortunately, the overall result of the audit was a “good” ranking – the second highest rank there is – as many protections are already in place, though Galloway stressed some safeguards were inadequate.

“The Missouri Department of Health and Senior Services is responsible for safeguarding some of our most personal information and must be held to the highest standards of accountability,” Galloway said in a statement. “Those who want access to personal information for inappropriate and illegitimate uses will continue to experiment with new strategies and methods to exploit any weaknesses. Government must never become complacent.”

The audit mainly examined the Missouri Electronic Vital Records Program (MoEVR), which helps track birth and death records not only for the department but also for funeral directors, physicians, medical examiners, and birthing facilities. It also tracks marriage and divorce records.

Galloway’s office found the DHSS had not created a proper data governance system for MoEVR. That system makes those records available to the bodies that may need them, but keeps them confidential for the people they’re about. The auditor also uncovered a risk that former employees of the department could access those confidential records, because the department did not terminate user accounts automatically or in a timely fashion. Of the 72 employees sampled, two could still access their accounts more than a month after leaving their posts.

Beyond that and a few other concerns, Irl Scissors, a vice president with the Midwest Cyber Security Alliance, said the audit should be received as good news. He noted Missouri has ranked highly among state governments across all sectors for its steps to address cybersecurity. Former Gov. Jay Nixon made it a focus of his administration and even started the first Missouri Governor’s Cybersecurity Summit last year.

“The auditor gave the department a good performance rating,” Scissors said. “I think that is a hat tip to the Department for staying on top of cybersecurity protections for their area. It’s a hat tip to the state of Missouri and the Office of Administration. They’ve been way ahead of many states in the U.S. in terms of cyber protections, protecting data, personal data, and private medical information.”

Scissors stressed that more always needed to be done to address cyber threats, as a small crack in the state’s cyber defenses can become a “gaping wound.” He said that did not just apply to personal records either.

“It is one thing to have state records, department records, personal information protected, but the state also needs to think about protecting natural resources, their grid, their transportation infrastructure,” Scissors said. “Things like that are just as critical in the cyber arena.”