Overview
Of the 20 DMH employees in our sample whose employment with DMH ended during the audit period, 13 did not have their access to the agency’s Mental Health Information System (MHIS) revoked immediately upon termination of employment; their access was revoked an average of 128 days after their employment ended. As a result, there is an increased risk of terminated employees improperly accessing and/or altering personal information in MHIS, such as clients’ names, addresses, dates of birth, and medical records.
Authoritative Guidance
DMH’s Information Security Handbook states,
When a DMH Workforce Member ends employment with DMH . . . all access to the DMH Network and/or a DMH Application Not On The DMH Network shall be disabled and/or removed by the time of the Workforce Member’s departure from DMH, or if that is not feasible, as soon thereafter as is feasible.
The Massachusetts Executive Office of Technology Services and Security requires all executive department agencies and any agency or third party that connects to the Commonwealth’s wide-area network (Massachusetts Access to Government Network) to comply with its “Access Management Standard,” which states,
6.1. User and System Access Management
User or system access shall be managed throughout the account life cycle from the identification of a user to the granting, modification or revocation of a user’s access privileges. . . .
6.1.6. Revoke access privileges: Upon a transfer, termination or other significant change to a user’s employment status or role, Commonwealth Executive Offices and Agencies must ensure that the user’s previous supervisor shall be responsible for informing security administration personnel to take appropriate action.
6.1.6.1 Privileges that are no longer required by a user to fulfill his or her job role shall be removed.
6.1.6.2 If the termination date of personnel is known in advance, the respective access privileges—specifically those with access to confidential information—shall be configured to terminate automatically.
6.1.6.2.1. If not, access must be manually removed within 24 business hours. [Emphasis added.]
Reasons for Noncompliance
Although DMH has a policy that requires all former employees to have their access to the DMH network disabled as soon as possible, it has not established a formal process, procedures, or monitoring controls to ensure that this policy is adhered to.
Recommendation
DMH should establish a formal process (e.g., what steps are to be taken, when, by whom, and with what documentation) for disabling former employees’ network access as soon as possible, as well as monitoring controls to ensure that this process is followed.
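The "monitoring controls" the recommendation calls for come down to a reconciliation: take the HR list of people whose employment ended, join it to the application's account export, and flag every account that outlived its owner's employment. The script below is an added example of that check (not DMH's process, nor any tool named on the page). It uses a constructed HR list and a constructed MHIS account export; the record layouts, field names, user ids and dates are all assumptions. The deadline of three weekdays after departure is this example's reading of the standard's "24 business hours" (three 8-hour business days) and ignores public holidays.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample data (not from the audit). HR export: one row per
# workforce member whose employment ended, with the departure date.
HR_TERMINATIONS = [
    ("e1001", date(2019, 1, 4)),   # Friday
    ("e1002", date(2019, 1, 4)),   # Friday
    ("e1003", date(2019, 2, 15)),  # Friday
    ("e1004", date(2019, 3, 1)),   # Friday
    ("e1005", date(2019, 3, 29)),  # Friday
]

# Constructed MHIS account export: user id -> (status, date disabled or None).
# The field names are assumptions; the real MHIS schema is not on the page.
MHIS_ACCOUNTS = {
    "e1001": ("disabled", date(2019, 1, 4)),   # disabled on the departure date
    "e1002": ("disabled", date(2019, 1, 9)),   # 3 business days later: on time
    "e1003": ("disabled", date(2019, 6, 25)),  # 130 calendar days later
    "e1004": ("active", None),                 # never disabled
    "e1005": ("disabled", date(2019, 4, 4)),   # 4 business days later: late
}

# Date the account export was taken; a still-active account is measured to here.
AS_OF = date(2019, 6, 30)


def business_deadline(terminated: date, business_days: int = 3) -> date:
    """Last date by which access must be gone: `business_days` weekdays after
    the departure date. Three weekdays is this example's reading of the
    standard's "24 business hours" (three 8-hour days); an assumption, and
    public holidays are not excluded."""
    d = terminated
    remaining = business_days
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday..Friday
            remaining -= 1
    return d


@dataclass
class Finding:
    user: str
    terminated: date
    disabled_on: Optional[date]  # None if the account is still active
    deadline: date
    lag_days: int                # calendar days access outlived employment
    late: bool


def reconcile(hr, accounts, as_of: date, business_days: int = 3) -> list[Finding]:
    """Join HR terminations to the application account export and flag every
    account that was still enabled after its deadline."""
    findings = []
    for user, terminated in hr:
        status, disabled_on = accounts.get(user, ("removed", None))
        deadline = business_deadline(terminated, business_days)
        if status == "active":
            # Live risk: the account can still be used today.
            lag_days = (as_of - terminated).days
            late = as_of > deadline
        elif status == "disabled" and disabled_on is not None:
            lag_days = max((disabled_on - terminated).days, 0)
            late = disabled_on > deadline
        else:
            # Account absent from the export (deleted); its removal date is
            # not recoverable from this data, so it cannot be measured here.
            lag_days, late, disabled_on = 0, False, None
        findings.append(Finding(user, terminated, disabled_on, deadline, lag_days, late))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """The numbers an auditor reports: how many were late, how many are still
    active, and the average lag among the late ones."""
    late = [f for f in findings if f.late]
    still_active = [f for f in late if f.disabled_on is None]
    avg = sum(f.lag_days for f in late) / len(late) if late else 0.0
    return {"sampled": len(findings), "late": len(late),
            "still_active": len(still_active), "avg_lag_days": avg}


if __name__ == "__main__":
    results = reconcile(HR_TERMINATIONS, MHIS_ACCOUNTS, AS_OF)
    for f in results:
        state = "STILL ACTIVE" if f.disabled_on is None else f"disabled {f.disabled_on}"
        flag = "LATE" if f.late else "ok"
        print(f"{f.user}: left {f.terminated}, deadline {f.deadline}, {state}, "
              f"{f.lag_days} days, {flag}")
    print(summarize(results))
```

Run against real exports, the accounts reported as still active are the ones to disable the same day, and the lag statistics are the figures an auditor will compute for the next sample. Two caveats matter in practice: the HR system, not the supervisor's memory, has to be the source of the termination list, or the check inherits the same notification gap the finding describes; and an account that is merely disabled still has to be reviewed for re-enablement, which this check does not detect.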
Auditee’s Response
The Department agrees with the Audit Finding concerning not revoking the access of 13 former employees to MHIS in a more timely manner. However, it is important to note that the system can only be accessed from within the Commonwealth's firewall-protected IT system; therefore it would be extremely unlikely that such former employees would have been able to access the system, and in fact there is no evidence that they gained such access. Although during the audit period DMH did have protocols calling for deactivation of such access, we agree that they were not rigorously followed or audited. Since the audit period, DMH has strengthened its processes to ensure timelier deactivation of access and more rigorous auditing. We are committed to continued attention to this important security function.
Date published: August 1, 2019