MDH - Internal Controls, Audit Compliance and Information Security

Ensure that MDH operational units comply with legal, regulatory, and policy requirements.

11/11/2025
09/11/2025

Today, we honor and remember the nearly 3,000 lives lost, the families forever changed, and the first responders who ran toward danger to save others.

We also recognize the continued sacrifice of our firefighters, police officers, EMS providers, 911 dispatchers, and emergency responders — then and now — who dedicate themselves to protecting our communities.

Our mission is rooted in remembrance: to prepare, respond, and recover so that we are always ready to meet the challenges ahead.

🕯️ We Remember. We Honor. We Prepare.

04/23/2025

MDH Office of Internal Controls, Audit Compliance & Information Security (IAC/S) is recruiting for a Deputy Chief of Information Security. Please see the job announcement linked below:

We are hiring for DEPUTY CHIEF, INFORMATION SECURITY OFFICER (REPOST).

04/16/2025

MDH Office of Internal Controls, Audit Compliance & Information Security (IAC/S) is recruiting for an IT Auditor (Internal Auditor II). Please see the job announcement linked below:

We are hiring for IT Auditor.

01/02/2025

The Maryland Department of Health is looking for an Administrator III (Health Policy Analyst) to join our SDI team. This position at our Baltimore headquarters offers hybrid telework flexibility and a competitive benefits package. Apply today:

We are hiring for Strategic Data Initiative - Health Policy Analyst.

06/10/2024

MDH CISO Matt Ottwell will be moderating a Security Panel in Critical Infrastructure Security for the State at this year’s Maryland Digital Government Summit.

The Digital Government Summit brings together technology-focused public-sector professionals with leading industry partners to connect on innovative approaches, get inspired and discover new technologies. Join us and let’s improve the future of government together!

05/06/2024

The Maryland Department of Health is looking for an auditor to join our team! If you have three years of experience conducting financial and operational internal audits, this may be the job for you. This position at our Baltimore headquarters offers hybrid telework flexibility and a competitive benefits package. Apply today: https://www.jobapscloud.com/MD/sup/bulpreview.asp?b=&R1=24&R2=004373&R3=0003

05/01/2024

We are hiring for AUDITOR (INTERNAL AUDITOR II).

01/12/2024

IAC/S InfoSec Updates:

Happy New Year! As we start 2024, many of us are making new year’s resolutions to achieve a goal, improve behavior, or continue good practices, whether personally or professionally.

In the spirit of the tradition, we asked our cybersecurity team to share the top resolutions end users and organizations can make to improve their security posture in the new year.

Implement multi-factor authentication (MFA) whenever possible. Strong passwords are a great start, but implementing MFA is even better. MFA is a key defense against phishing attacks, creating an additional step to the account login process to protect your accounts.

Uninstall unused apps. Be sure to take advantage of your smart device’s settings that may allow you to set up automatic app cleanup.

Install patches and updates. Your security is only as up to date as your software, so it’s important to commit to regular patches and updates as needed. The majority of these are done automatically, either triggered by a restart or prompted through push notifications.

Avoid public Wi-Fi whenever possible. This cybersecurity best practice is pretty self-explanatory, but still one of the leading security concerns for individuals and organizations. Even if the Wi-Fi network is legitimate, it doesn’t mean it’s safe—and you don’t know who is on the network with you. If you must use public Wi-Fi, avoid accessing any sites with personal information or credentials, and use a VPN for additional security.

Regularly check if your information is part of a breach. Chances are your information has been part of a breach in recent years. If so, you may have received an email or letter with a vague explanation of the breach and an offer for free credit monitoring, but we recommend being proactive by using verified resources, such as https://haveibeenpwned.com, to find out if your information is exposed. If your data is out there, be sure to check your credit report, change passwords, and check the breached party’s website for additional resources.

10/27/2023

In honor of National Cybersecurity Awareness Month, we will highlight some critical themes that are important to all of us in weekly email communications.

Social Engineering

We’ve focused Cybersecurity Awareness Month on social engineering due to the challenges that it presents to individuals across the organization. Part of what makes social engineering effective is that the attacks are customized to the targeted individuals. There is a lot of information available to hackers that gives them the ability to target people more effectively. People provide this information via various social media sites like LinkedIn and Facebook all the time.

Here are some tips to keep in mind when utilizing social media and in other day-to-day interactions:

1. Set strong, unique passwords.
2. Consider only allowing family and friends the ability to access your profile.
3. Do not accept friend requests from individuals that you either do not know or have not researched to determine who they are and why you would want to provide them with access.
4. Do not post information regarding being out of the office or on vacation until you have returned.
5. The internet is forever. Although you can remove posts, there is a chance that they were viewed and potentially printed out or saved when they were live.
6. Beware of scams of all kinds. Social media is being used more and more for schemes of all kinds.
7. Protect yourself and your devices with security software. Even if you make a mistake, you may still be protected.

Be smart at work and home when it comes to social engineering. Obviously, the Human Element is never going away. It’s up to you to use the education you’ve been provided to protect yourself and the organization by making good decisions in your work and personal life.

10/20/2023

IAC/S Cybersecurity Month Week 3: social engineering

In honor of National Cybersecurity Awareness Month, we will highlight some critical themes that are important to all of us in weekly email communications.

We’ve been focusing on social engineering this month because it is a favorite technique used by cyber criminals. You should consider yourself a target when at work and at home for these types of attacks. A recent LinkedIn article highlights the vulnerability of human targets and the importance of staying vigilant. “Human factors play a significant role in information security, as people are often the weakest link in the security chain,” according to Cyber Security Analyst Yazan Abbas.

“Factors such as lack of awareness, negligence, trust, and the desire to help others can make individuals susceptible to social engineering attacks. Attackers exploit these factors to bypass technical controls and gain unauthorized access. Recognizing the importance of human factors is crucial in developing comprehensive security strategies,” Abbas says.

The following recent examples show how dangerous social engineering is:

Casino giant MGM expects $100 million hit from hack

MGM Resorts, which owns casinos and hotels, is still working to resolve some of the issues that resulted from a social engineering attack that began in September. The company has not disclosed how it believes the breach happened, but an organization that follows the hacker community claims a well-known ransomware group called ALPHV, also known as BlackCat, compromised MGM by using LinkedIn to find an employee's information and then engage in a 10-minute conversation with the Help Desk to gain access.

Social media app attacks

There has been a recent increase in social engineering attempts in the form of pop-up ads on various social media apps such as Twitter and Facebook. Many of the ads are focused on products that you would typically shop for. The ads will direct you to a fraudulent website that looks exactly like the legitimate site. For example, instead of directing you to nike.com, the link will take you to something similar such as shop.nike.com. After you provide credit card information, you may receive an email confirmation that your order has been placed, but you won’t receive the merchandise and your card will be charged for the full amount due.

Gift card scams

Most gift card scams start with a phone call from someone impersonating a branch of the government or a business. The caller might threaten to freeze your bank account and tell you that you must buy gift cards to avoid arrest or to keep access to your bank account. They will tell you to stay on the phone as you head to the store to buy gift cards to “solve the problem.” They will also ask you to provide the numbers on the back of the card you buy. These are all signs of a gift card scam. If you find yourself heading to the store to buy gift cards because someone on the phone told you to, stop. No matter who calls, texts, or emails you telling you to pay for something with a gift card, it is always a scammer. The government and legitimate businesses will never call you demanding payment with a gift card. Gift cards are for gifts, not for payments.

Hopefully the information we have provided will help you protect yourselves and MDH by remaining vigilant against these types of attacks. They certainly are not going away.

10/13/2023

In honor of National Cybersecurity Awareness Month, we will highlight some critical themes that are important to all of us in weekly email communications.

Week 2

This week we are focusing on social engineering and the steps you should take at work and home to avoid being a victim. The more you practice working within and creating a secure environment both internally and externally, the more comfortable you’ll be in establishing a culture based on “Securing the Human.”

How to report phishing scams targeting your email

We have already discussed what you should look for to determine if an email is a phishing attempt. If you sense you’ve received a phishing email, here is how you can report the threat based on the top services:

Google

1. Open the message.
2. Next to Reply, click More.
3. Click “Report phishing.”

Outlook

1. Select the suspicious message.
2. Go to the Home tab and select Junk.
3. Select Report as Phishing if you suspect the message is a phishing email or select Report as Junk if you think the email is regular spam.

Yahoo

1. Click the box next to each email you want to mark as spam in your Yahoo Mail account.
2. Click the icon of a downward-pointing arrow to the right of the Spam button at the top of the Inbox.
3. Click Report a Phishing Scam to both report the email to Yahoo and move the email into your spam folder.

Comcast

Webmail Users

1. Select the message you wish to report as spam.
2. Click the Spam button in the right-hand corner of the webmail console.

Email Client Users (Windows Mail, Outlook, Thunderbird, etc.)

1. Select the message you wish to report as spam.
2. Forward the spam message as an attachment to [email protected].

Employ Dual Factor

Another way to protect yourself is to use Dual Factor to prove that it is actually you logging into your account. Most major vendors are now requiring or at least offering this additional layer of security.

In most cases you will supply your password and a code that will be sent to your mobile phone.

What about Smishing?

Smishing is similar to phishing except the threat arrives via text message, not email. You should use similar caution with these messages as you would a phishing attempt.

Address

201 W Preston Street
Baltimore, MD
21201

Opening Hours

Monday 8am - 4:30pm
Tuesday 8am - 4:30pm
Wednesday 8am - 4:30pm
Thursday 8am - 4:30am
Friday 8am - 4:30pm

Telephone

+14107675314
