The database Utah uses to monitor controlled substances needs better cybersecurity, an audit released Wednesday said.
The Controlled Substance Database allows many doctors, pharmacists and other professionals with access to the database to log in with just a state-issued ID and a four-digit PIN, auditors found. Those who are required to use passwords are often allowed to use and reuse weak ones.
That means the Controlled Substance Database “has increased susceptibility to security breaches,” auditors wrote.
Any licensed physician can be granted access to the database, but the audit found that the Utah Division of Occupational and Professional Licensing, which maintains the database, sometimes failed to remove access for physicians whose licenses had expired.