Security Over Critical Systems

Issued Date
August 27, 2025
Agency/Authority
Erie County Medical Center Corporation

Objective

To determine whether the security over Erie County Medical Center Corporation’s (ECMCC) critical systems is sufficient to minimize the various risks associated with unauthorized access to systems and data. The audit covered the period from December 2023 to December 2024.

About The Program

ECMCC is a leading health care provider and academic medical center in Western New York with 573 inpatient beds. It specializes in various services, including oncology, transplantation, behavioral health, primary care, and more than 30 outpatient specialty services. ECMCC is recognized as a verified Level 1 Adult Trauma Center and serves as a regional hub for burn care and rehabilitation. As a teaching facility affiliated with the University at Buffalo, it plays a vital role in medical research. A core value of the organization is privacy, which involves respecting everyone’s right to confidentiality.

ECMCC’s IT Security Architecture emphasizes key principles such as least privilege, data classification, and separation of duties. Additionally, the IT security framework covers essential aspects such as physical security, wireless network protection, and contingency planning. Contingency planning involves crucial elements such as data backups, emergency operations, disaster recovery, and business continuity to ensure a robust response to potential incidents. To protect against unauthorized access to systems and data, ECMCC adheres to applicable laws and guidelines, including the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information System Controls Audit Manual (FISCAM), National Institute of Standards and Technology (NIST) standards, and its internal policies.

Key Findings

We identified areas where ECMCC could improve certain security controls in place to minimize the various risks associated with unauthorized access to its systems and data. Due to the confidential nature of our audit findings, we communicated the details of these findings with eight recommendations in a separate, confidential report to ECMCC officials for their review and comment. ECMCC officials generally agreed with our findings and recommendations and, in several instances, indicated they were planning actions to address them.

Recommendation

Implement the eight recommendations included in our confidential draft report.

State Government Accountability Contact Information:
Audit Director: Nadine Morrell
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236