Topeka -- The state agency in charge of protecting the public's health and safety is having trouble protecting its own computers and information system, according to an audit released Wednesday.
Operations of the Kansas Department of Health and Environment "were at an extremely high risk of fraud, misuse or disruption," auditors with the Legislative Division of Post Audit concluded. "Computer data -- much of it confidential -- was at an equally high risk of loss or inappropriate disclosure."
KDHE is a large regulatory agency that collects records and information about Kansans on everything from child-care licensing to vital statistics. The agency is the leader for dealing with hazardous wastes, epidemics, immunizations and, most recently, the state's bioterrorism program. It is the official custodian of Kansas birth certificates.
The problems with security of information at KDHE were so severe that auditors met Aug. 14 with KDHE Secretary Rod Bremby to go over their initial findings. That was an unusual measure because auditors normally disclose the audit findings to agencies when their reports are in final draft.
Auditors found that KDHE's computers easily could be breached by hackers, its computer anti-virus system was "badly flawed" and its security systems were generally inadequate or missing.
Using standard password-cracking software, auditors were able to determine more than 1,000 employee passwords, which is about 60 percent of the total, in three minutes. Ninety percent of the passwords were cracked within 11 hours.
Given the simple pattern to KDHE computer passwords, current or former employees would have been able to log onto any computer.
"This weakness put the entire network and all agency data at severe risk," auditors reported.
During one lunch hour, auditors easily walked into empty offices where computers were logged on to the network and unlocked.
The audit also revealed that many agency computers were infected with computer viruses that could send files and passwords to computer addresses outside the agency, and some 200 computers had no anti-virus software installed.
The audit said KDHE had developed a plan in 1999, for Y2K, to continue operations in case of a disaster but hadn't updated that contingency plan since then. That plan, left over from Y2K, "would be nearly useless in an ordinary disaster," the audit said.
After meeting with auditors, KDHE officials "acted strongly and swiftly to address these problems," according to the audit report.
KDHE hired a new security officer, increased controls on computers, beefed up training of employees and hired a consultant to help with security. But the auditors said that KDHE still had a long way to go.
Even so, just days after the Aug. 14 meeting, the Sobig computer virus that spread worldwide infected the KDHE computers, forcing the agency to temporarily shut down the external e-mail systems.
Bremby said that he agreed with the audit's findings and recommendations and that he hoped to have an action plan to give to the Legislative Division of Post Audit by January.
"Each employee will be informed that they are personally a part of the KDHE security team, that they are responsible and do make a difference," he said.