Kristen Wyatt of Associated Press reports:
Medical marijuana patients asked Colorado health authorities on Wednesday to destroy and rebuild the state’s 107,000-person marijuana patient registry because of security breaches.
The Board of Health unanimously rejected the emergency petition. But officials expressed alarm about a recent state audit showing the Colorado Department of Health and Environment isn’t keeping the registry confidential, as required by law.
Read more about their concerns on Kansas City Star. On the registry’s home page, there’s the following statement about computer security:
The Colorado Department of Public Health and Environment takes the role of data security seriously and incorporates all statutory requirements in its computer systems. The computer system used by the Medical Marijuana Registry (MMR) uses the same computer security methods that are used by the computer system housing birth records. Only MMR employees have access to the MMR computer system, and that access is controlled by defined roles. For example, an employee can only access the portion of the MMR computer system necessary to perform the functions of his/her job.
Statute requires that the department respond to law enforcement inquiries to verify that an MMR certificate is valid. MMR employees manually look up records for law enforcement using procedures that comply with Colorado law. The department is working with law enforcement to automate those queries. Any future automated queries will be subject to the same submission requirements as the current manual inquiries, and the information released in response to such inquiries would be identical to what is currently being supplied manually. All queries will be recorded and logged for audit purposes.
An audit published in June, however, found significant problems with protection of the confidential information of patients, physicians, and caregivers:
Overall, we identified three main problems related to Public Health’s management of confidential Registry data: (1) lack of controls over contractors and staff of other state departments whom Public Health has authorized to access confidential Registry data; (2) access by law enforcement officials/agencies of confidential Registry data under circumstances that the Colorado Constitution does not appear to allow; and (3) confidential data breaches.
The audit also identified a number of database control issues, including lack of ability to log who was accessing and/or making changes to records in the registry. The state agreed with many of the findings and recommendations in the audit, but noted that it was not feasible, given the current system, to make the recommended database control changes and that they would investigate procuring another system that would enable such controls. The auditor responded:
The Medical Marijuana Registry is a confidential registry intended to maintain an accurate record of individuals authorized to use marijuana for medical purposes. If modifying the system that currently houses the Registry is not possible, Public Health should take immediate steps to implement other controls to address risks identified in the audit. Public Health should not wait until it has explored options to procure a new system to strengthen controls over the sensitive data in the Registry.
Indeed.