Utah Breach: Governor Takes Action
New CTO Named, Independent Auditor Hired
Utah Gov. Gary Herbert has taken several steps, including replacing the state's chief technology officer, in the wake of a hacker attack against an unencrypted server that exposed state health department information on 780,000 individuals.
On May 15, Herbert announced:
- The resignation of Stephen Fletcher, executive director of the Department of Technology Services, and appointment of Mark VanOrden as his replacement;
- The hiring of Deloitte & Touche to conduct an independent security audit of all information technology across all state agencies;
- The creation of a new position, health data security ombudsman, who will work with breach victims on case management, credit counseling and public outreach.
At a May 15 press conference, Herbert said data stored on all state servers will be encrypted, rather than just encrypting data in transit, according to the Salt Lake Tribune. And the state also plans to hire a public relations firm to help handle "crisis communications," the newspaper reports.
The governor also said at the press conference that he had asked Fletcher to step down, according to the newspaper.
In an earlier statement, health department officials noted: "Additional steps are being implemented to improve security controls related to the implementation of computer hardware and software, as well as increased network monitoring and intrusion detection capabilities."
Health department officials acknowledged that the breach, which they believe was the work of East European hackers, involved a server managed by the Department of Technology Services that was protected with a weak password. The information that was exposed was stored for months, when standard procedure was for it to be erased within a day, officials said.
The Right Moves?
Utah's governor has made some good moves, but the state needs to do more, says security expert Rebecca Herold of the consulting firm Rebecca Herold & Associates.
Conducting an independent audit is an important step, she says. "Judging from the numerous gaps in the management of the IT area that have been reported, it sounds like they have not been doing audits, or perhaps their audits have not been accurate, of the appropriate scope, or perhaps management dismissed important findings."
Attorney Adam Greene of Davis Wright Tremaine sees the independent audit as "a good primary step." He adds: "The key is to consider human error in such a risk assessment and attempt to mitigate those errors."
Greene suggests that the state needs to develop a long-term security strategy. "If Utah wants to avoid a similar incident in the future, it will need to spend significant resources to address the critical vulnerabilities that it is likely to identify in the months ahead. Otherwise, it will have spent a lot of money simply to have received warning of where its next breaches are likely to arise."
Herold says widening the use of encryption - as Utah plans to do - is important for all holders of personal data. "Encryption is something that should be used much more, but often isn't until after a breach, such as this one, occurs," she notes.
The governor appears to be making the right personnel moves, Herold adds. "Replacing leadership that seems like it was either being ineffective or did not provide enough controls around activities may be a good idea," she says, stressing that her conclusion is based on available details.
She also praises the creation of the health data security ombudsman role, saying it's "a good position to have in any organization that possesses a large amount of personal information. Such positions can provide valuable, objective guidance for privacy breaches."
Other important steps Utah should take, Herold suggests, include conducting a risk assessment in addition to the audit; monitoring the after-effects of the breach; providing extensive training to all staff members involved in the area where the breach occurred, in addition to ensuring comprehensive training throughout the organization for all workers; and creating a data inventory of every location where personal information is stored.
Greene stresses that no organization can achieve perfection when it comes to security; there will always be some level of risk. "The question that I have is whether Utah previously conducted a thorough risk assessment and, if so, whether they anticipated the threat that a server might be misconfigured due to human error," he says. "If their policy was merely that all servers should be properly configured, but they did not recognize the risk of human error or consider a strategy for monitoring configurations, then a breach like this may have been inevitable."
In a recent blog, Herold and Greene pointed out that the Utah incident calls attention to the need for all healthcare organizations to take steps to thwart hackers.
The state is offering the 280,000 individuals who had their Social Security numbers exposed in the breach a year's worth of free credit monitoring services.
Originally, the Utah Department of Health reported that Medicaid clients and Children's Health Insurance Plan recipients had their claims data compromised. As a result of their continuing investigation, however, the department later reported that other patients affected include those whose information was sent to the state by their healthcare provider to determine if they were eligible for Medicaid.
Exposed claims may include client names, addresses, birth dates, Social Security numbers, physician's names, national provider identifiers, tax identification numbers and procedure codes designed for billing purposes, authorities said. The content of Medicaid eligibility transactions varies widely, but could include a mix of the same information as in claims, they added.
The Utah breach is the largest healthcare hacking incident reported since the HIPAA breach notification rule went into effect in September 2009.