The Comptroller General of the Republic alerted the Ministry of Health (Minsa) on risks that could affect the security, integrity and reliability of the registry of information related to people vaccinated against COVID-19 in the Healthcare System (HISMINSA), within the framework of the vaccination campaign that takes place throughout the country.
It was possible to verify that the HISMINSA system in charge of the Health sector has different modules and one of them is the “Immunizations Module“, Which allows consulting the nominal information of vaccinated at the country level during the execution of vaccination campaigns, as is the case of the national day against COVID-19. In this way, the system provides information on immunized patients in real time, providing the necessary support for decision-making.
LOOK HERE | Vaccine against COVID-19: this will be the care in vaccinations during Christmas and New Year
According to the Office Orientation Report 29319-2021-CG / SADEN-SOO After the preventive intervention of a control team and whose evaluation period runs from December 14 to 16 of this year, it is revealed that HISMINSA users have profiles of “Administrator” and “Digitator” that they have registered for passwords and user codes to their DNI numbers, which shows that the regulatory provisions referring to security for the use of passwords have not been complied with.
The document called “Nominal Electronic Vaccination Registry”Of the Pan American Health Organization (OPS) and the Regional Office for the Americas of the World Health Organization (WHO) points out that health sector information systems are key to producing the information that will guide strategic, managerial, and operational decisions for immunization programs within each country.
ALSO REVIEW | The omicron variant changes the government’s strategy: Is it enough?
By entering a DNI number as a user code and as a password, the Comptroller’s auditors were able to access the HISMINSA system, and with it, the options for registering and editing vaccinated people, patients, among others.
“This situation contravenes the Peruvian Technical Standard “NTP ISO / IEC 17799: 2007 EDI. Information Technology. Code of good practices for the management of information security. 2nd. Edition”, where it is indicated that ‘users must select passwords of good quality and that they are not based on something that anyone can guess or obtain using information related to the user’ “, says the release.
MORE INFORMATION | Omicron | Third dose of COVID-19 vaccine: who can get it and since when
Based on the tests carried out by the control commission, it was possible to verify that a user with a “Digitator” profile has functional actions within the system. HISMINSA, how to register vaccines, inquiries and downloads of information on vaccination registration, vaccinated list, view vaccinations, view histories, search for vaccines and search for vaccinated.
While in the revision of the “User Manual: Immunization Module in Health Campaigns” it was possible to know that users with a “Digitator” profile have access to the immunizations option and can search for a patient through filters such as ID, surnames and names, description or by age range.
Regarding the registration of people, in said manual of user indicates that the “Digitator” has access to the options for registering and editing patients, and vaccinated people.
ALSO REVIEW | Ómicron in Peru: What is known about the detected cases of the new variant?
Given these facts, the The control report recommends informing the Minister of Health, Hernando Cevallos, of everything detected, in order to adopt immediate measures to safeguard the registration of information in the HISMINSA computer system, in order to ensure the achievement of the objectives of the process of people vaccinated against COVID-19.
It is also recommended to the Minsa holder that he must communicate to the Institutional Control Body (OCI) of the entity, its action plan, with the measures to be implemented.
The report prepared by the Comptroller’s Complaints Attention Deputy Manager is published in the Control Services Report Finder from the institutional portal www.gob.pe/contraloria for the sake of transparency and access to information.
According to the criteria of