Data Breaches and Regulatory Requirements Case Study

Exclusively available on Available only on IvyPanda® Made by Human No AI

Introduction

Data breaches have become an unfortunate reality for information systems, both government and private. When government agencies are faced with breaches, it leads to compromised citizen data. Any computer system is susceptible to cyber incidents that result in serious consequences and public backlash. Cyber threats and data breaches can vary significantly, being internal or external in origin (Lohrmann, 2012). Despite sophisticated control systems being in place, the industry is still developing protocols which would effectively prevent data breaches, which may require a radically different approach. This report seeks to examine a case of government data breach and evaluate the regulatory requirements meant to prevent such incidents.

Data Breach

A data breach in Utah’s Department of Health computer server in 2012 led to personal and health records of 780,000 people being stolen including 280,000 social security. By exploiting a weak password of a server technician, hackers downloaded 24,000 files to a server in Eastern Europe (Perlroth, 2012). Victims included participants of Medicaid and other health programs, such as one for low-income children.

A variety of other personal data such as client demographics and addresses, provider identifiers, tax identification numbers, and procedure codes meant for the health condition and claims data billing was compromised. It is considered the largest healthcare data breach in history as reported under the HIPAA breach notification rule since it went into effect on 2009. Affected clients were notified and kept updated with many being offered free credit tracking afterward.

Primary Causes

The data was stored on a state server which was managed by a technology services department. A configuration error transpired during authentication which gave a hacker the ability to circumvent the security protocols. The breached server was not properly configured in this incident. The server was launched without an appropriate layer of security in place (Anderson, 2012). A primary problem as noted by security experts was the bulk storage of personal records on one server. Large aggregate databases are increasingly vulnerable, and a single data breach results in the loss of records for hundreds of thousands of people. Network penetration results in an all-or-nothing scenario (Perlroth, 2012).

Prevention of Data Breach

There are two primary federal regulatory guidelines applicable to this case. The Federal Information Security Modernization Act (FISMA) is a risk management framework meant to protect critical information infrastructure. It consists of key security guidelines for categorization, security requirements, controls, and monitoring of systems. The management of organizational risk is meant to prepare systems to prevent or potentially address data breaches. It focuses on conducting essential activities within information systems that focus on impact analysis of risk and continuous monitoring and assessment of security controls (Ross, Dempsey, Pillitteri, Jacobs, & Goren, 2019).

Meanwhile, the Health Insurance Portability and Accountability Act (HIPAA) has aspects of information security, producing standards for sensitive patient data protection. It requires organizations with such health information to have the physical, network, and process security measures to ensure compliance. Security standards emphasize limited access with secure authorization controls in place. Furthermore, there should be restrictions regarding the transfer or disposing of electronic information. Those with access should have unique IDs and passwords, emergency access procedures, encryption protocols, and automatic log tracking (De Groot, 2019).

The Department of Health and Human Services Office of Inspector General conducted a thorough investigation and audit of the Utah Department of Health. It was found that there were 39 highly vulnerable security flaws and a noticeable pattern of security mismanagement. There was a lack of an effective enterprise security control structure and insufficient protocols for covering access controls management as well as security operations and program planning, configuration management, and service continuity (HIPAA Journal, 2016).

Utah’s Department of Health failed to follow federal requirements regarding computer security by not establishing formal policies and procedures for all its information systems regarding controls management. Particularly, access controls management which is meant to detect and limit unauthorized access or modification. Configuration management and security operations meant to maintain the integrity of the IT system with appropriate security protections throughout its development and operation were not followed. The DOH did not meet security requirements on a number of occasions partially due to lack of oversight and appropriate governance of the private network and monitoring compliance (Jarmon, 2016).

Security experts note that many government agencies and private healthcare clinics struggle with the security issues described above. Causes of breaches are not immediately addressed in organizations. Furthermore, there is no effective method to audit for potential vulnerabilities. Therefore, even if those responsible for implementing and managing information security are competent, they face significant challenges in maintaining compliance with regulations. There was an inherent lack of commitment to security management and a system was not implemented to identify any external accessing of data which leaves it vulnerable to further breaches. Furthermore, a security firm appointed by the Utah Department of Health was blocked from accessing parts of the network (McGee, 2016).

The audit recommended that effective security management practices and oversight procedures should be established to maintain the implementation of general controls as well as raising security standards in accordance with federal regulations.

Deficiencies in Regulatory Requirements

Hacking is relatively rare for data breaches as only 7 percent of more than 400 reported breaches has directly involved hacking (Anderson, 2012). However, hacking targets the vulnerabilities in the system and can result in intentional transfer and consequent misuse of information which is inherently dangerous and should be prevented. The regulatory requirements themselves, both FISMA and HIPAA protocols are thorough and theoretically highly effective at ensuring security protection as risk management is addressed at physical, technical, and administrative levels. The challenge remains in the practical application of these rules to create a realistic protection process.

Each risk must be mitigated by countermeasures on each of the levels. However, the standards for HIPAA compliance, for example, are not prescriptive but rather provide generic criteria to which the organization then must respond. Therefore, in many areas, the standards should be addressed to include tangible and practical recommendations for countermeasures which would be unified and meet federal security standards for all organizations (Schymik & Shoemaker, 2013). This would significantly improve compliance rates and pragmatically establish a system of risk management.

Conclusion

It is evident that data breaches are a consistent threat to government information systems. Although vulnerabilities can be exposed through data breaches, it is vital to develop control protocols for security management which will prevent such incidents. Current FISMA and HIPAA protocols are adequate for the current state of the industry, although they could be improved in some respects. However, there are issues with the implementation and enforcement of the guidelines on all levels of government which leads to data breaches because of human or technical error. Therefore, it is vital to develop a more comprehensive and integrated method of server protection among government organization to comply with the security recommendations.

References

Anderson, H. (2012). . Web.

De Groot, J. (2019). . Web.

HIPAA Journal. (2016). . Web.

Jarmon, G. L. (2016). Inadequate security management practices left Utah Department of Health sensitive Medicaid data at risk of unauthorized disclosure. Web.

Lohrmann, D. (2012). Dark clouds over technology: Pondering action after recent state government data breaches. Web.

McGee, M. K. (2016). . Web.

Perlroth, N. (2012). . The New York Times. Web.

Ross, R., Dempsey, K., Pillitteri, V. Y., Jacobs, J., & Goren, N. (2019).. Web.

Schymik, G., & Shoemaker, D. (2013). Managing government regulatory requirements for security and privacy using existing standard models. Web.

More related papers Related Essay Examples
Cite This paper
You're welcome to use this sample in your assignment. Be sure to cite it correctly

Reference

IvyPanda. (2021, July 9). Data Breaches and Regulatory Requirements. https://ivypanda.com/essays/data-breaches-and-regulatory-requirements/

Work Cited

"Data Breaches and Regulatory Requirements." IvyPanda, 9 July 2021, ivypanda.com/essays/data-breaches-and-regulatory-requirements/.

References

IvyPanda. (2021) 'Data Breaches and Regulatory Requirements'. 9 July.

References

IvyPanda. 2021. "Data Breaches and Regulatory Requirements." July 9, 2021. https://ivypanda.com/essays/data-breaches-and-regulatory-requirements/.

1. IvyPanda. "Data Breaches and Regulatory Requirements." July 9, 2021. https://ivypanda.com/essays/data-breaches-and-regulatory-requirements/.


Bibliography


IvyPanda. "Data Breaches and Regulatory Requirements." July 9, 2021. https://ivypanda.com/essays/data-breaches-and-regulatory-requirements/.

If, for any reason, you believe that this content should not be published on our website, please request its removal.
Updated:
This academic paper example has been carefully picked, checked and refined by our editorial team.
No AI was involved: only quilified experts contributed.
You are free to use it for the following purposes:
  • To find inspiration for your paper and overcome writer’s block
  • As a source of information (ensure proper referencing)
  • As a template for you assignment
Privacy Settings

IvyPanda uses cookies and similar technologies to enhance your experience, enabling functionalities such as:

  • Basic site functions
  • Ensuring secure, safe transactions
  • Secure account login
  • Remembering account, browser, and regional preferences
  • Remembering privacy and security settings
  • Analyzing site traffic and usage
  • Personalized search, content, and recommendations
  • Displaying relevant, targeted ads on and off IvyPanda

Please refer to IvyPanda's Cookies Policy and Privacy Policy for detailed information.

Required Cookies & Technologies
Always active

Certain technologies we use are essential for critical functions such as security and site integrity, account authentication, security and privacy preferences, internal site usage and maintenance data, and ensuring the site operates correctly for browsing and transactions.

Site Customization

Cookies and similar technologies are used to enhance your experience by:

  • Remembering general and regional preferences
  • Personalizing content, search, recommendations, and offers

Some functions, such as personalized recommendations, account preferences, or localization, may not work correctly without these technologies. For more details, please refer to IvyPanda's Cookies Policy.

Personalized Advertising

To enable personalized advertising (such as interest-based ads), we may share your data with our marketing and advertising partners using cookies and other technologies. These partners may have their own information collected about you. Turning off the personalized advertising setting won't stop you from seeing IvyPanda ads, but it may make the ads you see less relevant or more repetitive.

Personalized advertising may be considered a "sale" or "sharing" of the information under California and other state privacy laws, and you may have the right to opt out. Turning off personalized advertising allows you to exercise your right to opt out. Learn more in IvyPanda's Cookies Policy and Privacy Policy.

1 / 1