The database Utah uses to monitor controlled substances needs better cybersecurity, an audit released Wednesday said.
The Controlled Substance Database allows many doctors, pharmacists and other professionals with access to the database to log in with just a state-issued ID and a four-digit PIN, auditors found. Those who are required to use passwords are often allowed to use and reuse weak ones.
That means the Controlled Substance Database “has increased susceptibility to security breaches,” auditors wrote.
Any licensed physician can be granted access to the database, but the audit found that the Utah Division of Occupational and Professional Licensing, which maintains the database, sometimes failed to remove access for physicians whose licenses had expired.
The database helps monitor for prescription drug fraud or overprescribing, but administrators and regular database users must have legitimate medical or law enforcement reasons to query the database. DOPL has not been proactive in safeguarding against inappropriate searches of the database, the audit said. Auditors recommended implementing a better system of monitoring queries by doctors and the division’s administrators.
The audit did not examine any role the database has in prescription drug addiction or deaths in Utah. The word “opioid” does not even appear in the audit.
In a response included in the audit, DOPL Director Mark Steinagel said the agency was already working to implement some of the recommendations or would begin doing so.