New York City Health and Hospitals Corporation

Selected General Controls Over Data Center Security (Follow-Up Report)

The New York City Health and Hospitals Corporation (HHC) operates the hospitals, clinics and other facilities in New York City’s municipal hospital system. HHC maintains several major data centers to support these operations. In audit 2005-N-2, we examined the effectiveness of certain controls established by HHC over data center security and found that a number of improvements were needed. In particular, we identified weaknesses in controls that were intended to ensure that only authorized individuals had access to the medical information maintained by HHC. We also identified opportunities for improvement in business continuity and disaster recovery planning.

When we followed up on these matters with HHC officials, we found that they had taken actions to implement our audit recommendations and were continuing to take such actions. Due to the sensitivity of the information, our detailed audit findings and recommendations were not included in either our original audit report or our follow-up report.

For a complete copy of Report 2007-F-50 click here.