Skip to main content Skip to office menu Skip to footer
3 golden objects Minnesota Legislature

Office of the Legislative Auditor - Financial Audit Division

Report Summary
Minnesota Immunization Information Connection
Information Technology Audit

Financial Audit Division January 2023


Conclusion

The Minnesota Department of Health (MDH) and Minnesota Information Technology Services (MNIT) generally complied with applicable policies, standards, and best practices designed to protect the confidentiality, integrity, and availability of the Minnesota Immunization Information Connection (MIIC) system and its data. However, we found certain gaps in controls, some of which exposed the system to unnecessary risks.

Findings

  • Finding 1. MDH does not actively monitor whether users or participating organizations with access to MIIC comply with data use requirements. (p. 14)

  • Finding 2. MIIC does not meet all of the requirements defined within MNIT’s logging and monitoring standard. (p. 15)

  • Finding 3. MIIC contains testing and training data in the production system. (p. 20)

  • Finding 4. MNIT did not use code analysis software to test for security coding vulnerabilities for all of its updates to the MIIC software. (p. 23)

  • Finding 5. MIIC contained exploitable vulnerabilities that could have allowed a compromise of user accounts and private data. (p. 24)

  • Finding 6. In the case of a disaster, MNIT may not meet expected system restoration timelines for MIIC due to an incomplete disaster recovery plan and architecture limitations. (p. 25)

  • Finding 7. MDH and MNIT did not complete a risk assessment on MIIC or use MNIT’s central management tool, as required by MNIT’s standards. (p. 27)

More Information

Office of the Legislative Auditor, Room 140, 658 Cedar St., St. Paul, MN 55155 : legislative.auditor@state.mn.us or 651‑296‑4708