Summary
Summary
| Report Number: | 2008-015 |
| Report Title: | Department of Health - State Health Online Tracking System - Information Technology Audit |
| Report Period: | 02/2007 - 06/2007 |
| Release Date: | 09/10/2007 |
The Bureau of Immunization (Bureau) within the Department of Health (Department) is responsible for enhancing immunization services to promote and protect the health of all children and adults in Florida through the reduction and eventual elimination of vaccine-preventable diseases. The Bureau uses the Florida State Health Online Tracking System (SHOTS), which is a Statewide, centralized on-line immunization registry that helps health care providers, schools, and parents keep track of childhood immunization records.
Our audit focused on evaluating selected information technology (IT) controls related to SHOTS for the period February 2007 through June 2007. The results of our audit are summarized below:
Finding No. 1: We noted instances where the Department could not provide documentation supporting that SHOTS program changes had been reviewed and approved prior to implementation of the changes.
Finding No. 2: Health care practitioners’ data within SHOTS did not always contain accurate license expiration dates for practitioners. Additionally, we noted instances where practitioners with expired licenses retained SHOTS access privileges, contrary to Florida law.
Finding No. 3: Instances were noted where the Department did not uniquely identify and authenticate system users for purposes of granting access to the SHOTS database and the production environment where SHOTS resided.
Finding No. 4: We noted instances where the Department’s access controls did not enforce an appropriate separation of incompatible duties for certain personnel.
Finding No. 5: Improvements were needed in certain security controls protecting the SHOTS system, in addition to the matters discussed in Findings Nos. 3 and 4.
Finding No. 6: The Department’s testing of its IT disaster recovery plan indicated a lack of sufficient alternate processing capacity to provide adequate service levels in the event of a disaster.
The State Surgeon General's response is included at the end of this report as Appendix A.