Identity Management in New Jersey: Not Worth the Effort

If your agency’s auditor concluded that your networks didn’t have the ability to monitor which employees were accessing personally sensitive information (say, Social Security and tax identification numbers), would you respond to the audit by saying that your security practices were adequate and that monitoring wasn’t worth the time and effort?

That’s how John Guhl, New Jersey’s Medicaid director, responded when the state’s auditor concluded that New Jersey’s Department of Human Services lacks the security policies and procedures to protect personal information on the computer system it uses to process claims for more than 1 million Medicaid patients, according to an article posted by Newsday.

Here’s an excerpt from Newsday on what Guhl wrote in response to the auditor’s report:

In a written response to the audit, [Guhl] … said all employees take training in federal requirements for personal health information.

But he wrote even the best procedures would not guarantee security and said he believes "the current security provisions are adequate."

"As indicated by the auditors, the implementation of this recommendation would require substantial time and effort," Guhl wrote. "This cost would be continuous as resources and time would be needed to monitor and maintain this function."

He told senators during a recent budget hearing that employees cannot access the entire system, only the areas in which they work. He said supervisors know what employees logged into the system and when but not what record was viewed.

"We don't have that level of detail," Guhl said.
