Legislative auditor releases report on state’s immunization database

Minnesota health and technology officials need to make some changes to better ensure data in the state’s immunization registry is safe, a new report says.

Monday, Minnesota’s Office of the Legislative Auditor (OLA) released its report regarding the Minnesota Immunization Information Connection (MIIC) system. MIIC, which is managed by both the Minnesota Department of Health (MDH) and Minnesota Information Technology Services (MNIT), is the system that combines individuals’ immunizations into a single record to help medical personnel more easily track vaccinations and ensure patients get the right vaccines at the right time.

The program was launched in 2002 and contains information on nearly 127.5 million immunization doses for more than 9.5 million Minnesotans, the state says.

According to OLA’s report, MDH and MNIT followed most policies and practices to protect information stored in MIIC. However, the auditors still found some areas that need to be addressed due to potential vulnerabilities.

OLA found that MDH doesn’t actively monitor users to make sure they follow all data use requirements, the MIIC system doesn’t meet all of MNIT’s logging and monitoring standards, MNIT didn’t have a complete disaster recovery plan for MIIC, and both MDH and MNIT failed to complete a risk assessment on MIIC. Some testing and training data — fake names with immunization records — were also found in the system.

Additionally, OLA reported that MNIT didn’t use code analysis software to test for vulnerabilities when updating MIIC, in part because the development team didn’t have clear criteria for when the scans should happen. OLA says its testing found three security vulnerabilities that MNIT didn’t identify as part of its review, which could’ve allowed someone to exploit the system and access private data.

The auditors offered several recommendations for MDH and MNIT to close the gaps found in their evaluation of MIIC and better protect the private data in the system.

In a joint response to OLA’s report, MDH Commissioner Brooke Cunningham and MNIT Commissioner Tarek Tomes said the departments have either already implemented fixes or plan to make certain changes to address the issues noted by OLA. That includes more regular scans of MIIC and more controls to close the identified vulnerabilities.

MNIT added that it has also updated its disaster recovery plan for MIIC and is working to move MIIC closer to automated scanning.
