The Social Security Administration (SSA) is responsible for making correct and timely payments to individuals entitled to benefits under social insurance and welfare programs and for providing support functions for the Medicare program. These programs generate millions of records on workers and beneficiaries that are maintained in automated data banks and files.
The GAO found that personal files within the data system contain valuable private information that is necessary to support present and future social security benefits. SSA uses a vast computerized telecommunications network to process its workload and to handle inquiries from the public. The telecommunications system contained certain security weaknesses: the ability to create as well as query beneficiary files from most terminals, failure to use audit trail features within the system, failure to always lock terminals during nonworking hours, and unlimited, unrestricted access to terminals.
Files containing personal data on beneficiaries, such as earnings records, financial status, and medical evaluations, were not being properly safeguarded from potential loss, destruction, abuse, or misuse. SSA had not issued guidelines or criteria for establishing physical security measures at field offices and had not determined if adequate security was provided in the handling of information by States in administering welfare programs and by insurance companies in administering Medicare.
The GAO recommended that the Secretary of Health, Education, and Welfare direct the Commissioner of the SSA to correct weaknesses in the telecommunications network and continue to pursue an active security program to assure Congress, the public, and beneficiaries that records are properly safeguarded. In this effort, the Secretary should conduct a risk analysis to determine how best to correct physical security weaknesses, including measures which will achieve a balance between good service to beneficiaries and good security.