Cybersecurity audit shows tax, court and medical records at risk in Oregon

Auditors didn't name a responsible party, and the state's CIO noted that accepting a certain degree of risk is just the way it goes in a budget-constrained organization like state government.

In an extensive security audit led by Oregon’s Secretary of State Jeanne Atkins, officials are warning state and IT leadership of widespread vulnerabilities in 13 agencies.

The report, published Nov. 30, observed that in all of the agencies reviewed, staff user accounts were highly susceptible to intrusion. Auditors found that many accounts had been left active long after employees left state service. The report noted that much of the state’s anti-virus software and security updates were either outdated or missing entirely, and 11 agencies were found to have computers with outdated operating systems. 

More funding and oversight is needed, Atkins said in a release, to protect the private data of citizens — including tax, court and medical records — contained on the state’s networks.

“It’s crucial that the state IT system keep up with security protocols to protect sensitive data,” Atkins said. 


State Chief Information Officer Alex Pettit said in a statement he agreed with the majority of findings and recommendations and is instructing staff to focus on the most pressing challenges immediately while creating a new “enterprise security plan” to be published and implemented this summer to handle the more complicated matters.

“Not all the gaps identified in this audit are of equivalent risk level,” Pettit said. “With limited resources, a balance must constantly be struck to address the highest risks while mitigating and or accepting some of the smaller risks. … Ultimately, some level of risk will always need to be accepted.”

The analysis showed greater efforts are required to centralize the state’s IT and security management within the CIO’s office. Consolidation was initiated through an executive order from Gov. Kate Brown in 2015 to make the state’s IT administration more effective and responsive.

“Our audit found that this is a critical time for the Office of the State CIO to provide more leadership and oversight to ensure the security of our state computer systems,” Atkins said. “We also need the legislature and the governor’s office to continue engaging on this mission so that the CIO has adequate support as more and more government services are provided online.”

Primary threats identified by the audit consisted of phishing, ransomware, software weaknesses and attacks from malicious software such as viruses and worms.


Despite the severe review, auditors did not make any accusations against specific officials for poor performance. Rather, the report contextualized the deficiencies as part of the state’s ongoing mission to protect citizens in an evolving digital landscape. Recommendations to the CIO’s office were to collaborate with state agencies on centralizing IT administration, to develop statewide standards and processes for oversight, to lead state agencies in confronting specific weaknesses, and to petition the governor, legislature and agency directors so they may appropriate additional staffing and resources. 

StateScoop reached out to the Oregon Secretary of State’s office to see if the state believed new funds would become available as a result of the auditor’s report, but a comment was not received in time for publication. The governor released a budget proposal for 2017 through 2019 that had to accommodate for a $1.7 billion shortfall, Oregon Public Broadcasting (OPB) reported Thursday.

“I had to make some very difficult decisions,” the governor told OPB.

The proposed budget summary does not make it clear whether increased funding will be dedicated to cybersecurity. The proposal allots $66.2 million to the CIO’s office, a figure that represents a 30 percent increase over the 2015 to 2017 budget approved by the legislature. But much of the new funding is allocated to consolidating IT positions previously funded by other agencies. Further, the budget shows an eight percent decrease in funding — now funded at $146.9 million — for the State Data Center program, which manages data security.

Latest Podcasts