Legislative auditors say the Public Employees Benefits Program needs to upgrade the security of its computer software.
The report issued this week says the system that automatically updates operating systems on its computers and laptops failed to perform updates to 13 out of 20 computers tested and that the problem was not detected because employees were not verifying whether updates were successfully installed.
In addition, auditors said PEBP had the same problem with anti-virus updates. Those updates were not successfully installed on 24 of 55 computers tested at the agency.
Auditors said the agency was disabling user accounts when employees left PEBP but wasn’t removing the obsolete accounts from the system. Nor was the agency routinely reviewing user access privileges.
They criticized the agency for not doing background checks on IT contractors even though those contractors have access to sensitive information about state employees.
Finally, they said PEBP’s system recovery and business plans don’t contain enough information to restore critical services in the event of a system, application or hardware failure. The plan is out of date and references obsolete equipment and software.
They listed a series of recommendations to better protect employee information, minimize security vulnerabilities and ensure that PEBP can recover from damage to its systems.
PEBP provides and manages the health care program for some 43,000 primary participants and 27,000 covered dependents, a total of over 70,000 individuals, providing employees, retirees and their families with access to health care benefits.