In the aftermath of a massive health data breach last year and a smaller incident this year, the state of Utah is taking a number of steps, including creating a data security office within the health department.
In addition, Utah's governor also recently signed a new law that calls for implementing security and privacy best practices at the department of health, as well as in other executive branches of state government.
The actions come in the aftermath of a March 2012 hacking incident that exposed health department data on about 780,000 individuals.
In January, a smaller breach involved a contractor who lost an unencrypted USB drive containing health department data for 6,000 individuals.
Funding for Staff
Just before the state's legislative session ended in late March, legislators approved $300,000 in funding for the health department to create the new security office, says Robert Rolfs, M.D. In addition to being Utah's health IT coordinator, Rolfs also is deputy director and state epidemiologist at the health department.
The money will help enable the department to build a team of two-to-four staff members working on security and privacy issues on a part-time or full-time basis, Rolfs says. Until now, no one in the department was dedicated to data security and privacy work. Instead, the department relied on the state's centralized IT services department and some third-party contractors to handle security- and privacy-related issues.
"In retrospect, it's naïve to think you can decentralize something ... and assume third parties will do well without any monitoring," Rolfs says.
Staff at the new office within the health department will tackle shortcomings in privacy and security that were discovered after the 2012 breach, Rolfs says. The new office will also help with ongoing issues, such as HIPAA Omnibus Rule compliance.
"Our focus in the office is guided by our internal assessment and the audit done by Deloitte & Touche," Rolfs says. The health department hired the firm to conduct the analysis after the March 2012 incident.
The key areas of weakness highlighted by the analysis that are now being addressed include:
- Data risk assessment and classification;
- Vendor management;
- Data security procedures and training;
- Systems development, life-cycle and change management;
- Contingency and disaster planning;
Although the health department has encouraged technology-enabled innovation, Rolfs acknowledges that data security and privacy risks weren't always adequately addressed.
Moving forward, the department will need to better balance creativity and risk, he says. "We don't want to put molasses in the gears ... but we've learned that the world is a dangerous place."
The massive March 2012 breach incident involved Eastern Europeans hackers gaining access to a Utah state server managed by the Department of Technology Services. The breach exposed health department data on Medicaid clients and Children's Health Insurance Plan recipients. It also exposed data on others because providers often check whether their patients are eligible for state programs by entering information about them into the health department system's database.
Of those affected by the incident, 280,000 individuals had their Social Security numbers breached.
In the aftermath of that breach, the department learned that closer attention needs to be paid to change management during the entire life cycle of an IT system, Rolfs says. "We learned that over the life of a data system, during times of change, you have to have controls in place so that you don't lose sight of issues that crop up that could give you problems down the road."
According to an health department statement issued shortly after the incident, "A configuration error occurred at the password authentication level, allowing the hacker to circumvent the security system. "The Department of Technology Services has processes in place to ensure the state's data is secure, but this particular server was not configured according to normal procedure," the statement noted.
In the second breach, which occurred in January of this year, the health department notified 6,000 Medicaid clients that an unencrypted portable USB drive containing their personal information had been misplaced by an employee of third-party contractor, Goold Health Systems.
This breach illustrates the need, as spotlighted in the recent audits, to improve vendor management efforts, Rolfs says.
The creation of the new health data security office is just the latest of several steps the state of Utah has taken since the breach incidents.
As a result of the March 2012 breach, Gov. Gary Herbert fired the state's director of technology. He also appointed a consumer healthcare advocate, Sheila Walsh-McDonald, to the newly created position of health data security ombudsman to provide outreach services to individuals affected by breaches (see: Accessing Utah's Post-Breach Efforts).
The state also recently extended for an additional year free credit monitoring services to individuals affected by the breaches, Walsh-McDonald says. So far, 59,500 individuals have signed up for the credit monitoring.
In addition, the governor in late March signed the State Security Standard for Personal Information bill, which takes effect July 1. Among other things, the law requires healthcare providers to inform patients in privacy notices that some their personal identifying information may be shared with the state's Medicaid and Children's Health Insurance Program eligibility database.
Other provisions in the bill include requiring the state's chief information officer to:
- In coordination with the governor's office, convene a group of experts to identify industry best practices for data security standards;
- Apply industry best practices for data security standards at the Department of Technology Services and executive branch agencies;
- Modify the state's executive branch IT strategic plan to incorporate the best practices.
In the aftermath of the breaches and the post-incident analysis, Rolfs says, "we have a much clearer idea what we need to do as an agency internally and what we need to demand from the various third parties, including vendors, contractors and [the state's] department of technology services."