Auditors conducted the initial review of the period between January 2013 and March 2015 to determine how well the institute safeguarded computerized patient information and whether it had policies in place to make notifications when such data is lost or stolen. Both are requirements under federal laws governing health information technology.
That initial audit from July 2015 found "a highly developed information security program" at Roswell Park but made four recommendations to address weaknesses identified by auditors.
The Comptroller's Office said in its follow-up audit that Roswell Park has implemented two recommendations and partially implemented two others.
The two that are only partially completed, according to the office, are taking steps to resolve risk items that remained open for an extended period and putting in place procedures to better support its risk-mitigation decisions. Roswell Park did continue putting in place better physical security and technical safeguards around its electronic health information.
"Regarding the few issues that were highlighted as opportunities for improvement, all of them have either been addressed already or will be by our deadline for follow-up," a spokeswoman said in an email.
©2016 The Buffalo News (Buffalo, N.Y.) Distributed by Tribune Content Agency, LLC.
