Introduction
Data breaches have become an unfortunate reality for information systems, both government and private. When government agencies suffer breaches, citizen data is compromised. Any computer system is susceptible to cyber incidents that result in serious consequences and public backlash. Cyber threats and data breaches vary significantly and can be internal or external in origin (Lohrmann, 2012). Despite sophisticated control systems being in place, the industry is still developing protocols that would effectively prevent data breaches, and doing so may require a radically different approach. This report examines a case of a government data breach and evaluates the regulatory requirements meant to prevent such incidents.
Data Breach
A data breach of a Utah Department of Health computer server in 2012 led to the personal and health records of 780,000 people being stolen, including 280,000 Social Security numbers. By exploiting a weak password belonging to a server technician, hackers downloaded 24,000 files to a server in Eastern Europe (Perlroth, 2012). Victims included participants in Medicaid and other health programs, such as one for low-income children.
A variety of other personal data was compromised, including client demographics and addresses, provider identifiers, tax identification numbers, and the procedure codes used for health conditions and claims billing. It is considered the largest healthcare data breach in history reported under the HIPAA breach notification rule since that rule went into effect in 2009. Affected clients were notified and kept updated, and many were offered free credit monitoring afterward.
Primary Causes
The data was stored on a state server managed by a technology services department. A configuration error in the authentication layer gave the hacker the ability to circumvent the security protocols. The breached server was not properly configured in this incident: it was launched without an appropriate layer of security in place (Anderson, 2012). A primary problem noted by security experts was the bulk storage of personal records on a single server. Large aggregate databases are increasingly vulnerable, and a single data breach results in the loss of records for hundreds of thousands of people. Network penetration becomes an all-or-nothing scenario (Perlroth, 2012).
Prevention of Data Breach
There are two primary federal regulatory guidelines applicable to this case. The Federal Information Security Modernization Act (FISMA) is a risk management framework meant to protect critical information infrastructure. It consists of key security guidelines for the categorization, security requirements, controls, and monitoring of systems. The management of organizational risk is meant to prepare systems to prevent, or at least address, data breaches. It focuses on essential activities within information systems, namely impact analysis of risk and continuous monitoring and assessment of security controls (Ross, Dempsey, Pillitteri, Jacobs, & Goren, 2019).
Meanwhile, the Health Insurance Portability and Accountability Act (HIPAA) includes information security provisions that set standards for protecting sensitive patient data. It requires organizations holding such health information to have the physical, network, and process security measures needed to ensure compliance. The security standards emphasize limited access with secure authorization controls in place. Furthermore, there should be restrictions on the transfer or disposal of electronic information. Those with access should have unique IDs and passwords, emergency access procedures, encryption protocols, and automatic log tracking (De Groot, 2019).
The Department of Health and Human Services Office of Inspector General conducted a thorough investigation and audit of the Utah Department of Health. It found 39 high-risk security weaknesses and a noticeable pattern of security mismanagement. There was no effective enterprise security control structure, and the protocols covering access controls management, security operations and program planning, configuration management, and service continuity were insufficient (HIPAA Journal, 2016).
Utah’s Department of Health failed to follow federal computer security requirements by not establishing formal policies and procedures for controls management across all of its information systems. This was particularly true of access controls management, which is meant to detect and limit unauthorized access or modification. Configuration management and security operations, which are meant to maintain the integrity of the IT system with appropriate security protections throughout its development and operation, were not followed. The DOH fell short of security requirements on a number of occasions, partly due to a lack of oversight and governance of the private network and of compliance monitoring (Jarmon, 2016).
Security experts note that many government agencies and private healthcare clinics struggle with the security issues described above. Causes of breaches are not immediately addressed in organizations. Furthermore, there is no effective method to audit for potential vulnerabilities. Therefore, even if those responsible for implementing and managing information security are competent, they face significant challenges in maintaining compliance with regulations. There was an inherent lack of commitment to security management, and no system was implemented to identify external access to data, which leaves it vulnerable to further breaches. Furthermore, a security firm appointed by the Utah Department of Health was blocked from accessing parts of the network (McGee, 2016).
The audit recommended that effective security management practices and oversight procedures be established to maintain the implementation of general controls and to raise security standards in accordance with federal regulations.
Deficiencies in Regulatory Requirements
Hacking is a relatively rare cause of data breaches: only 7 percent of more than 400 reported breaches have directly involved hacking (Anderson, 2012). However, hacking targets the vulnerabilities in a system and can result in the intentional transfer and consequent misuse of information, which is inherently dangerous and should be prevented. The regulatory requirements themselves, both the FISMA and the HIPAA protocols, are thorough and theoretically highly effective at ensuring security protection, as risk management is addressed at the physical, technical, and administrative levels. The challenge remains in the practical application of these rules to create a realistic protection process.
Each risk must be mitigated by countermeasures on each of these levels. However, the standards for HIPAA compliance, for example, are not prescriptive but rather provide generic criteria to which the organization must then respond. Therefore, in many areas, the standards should be revised to include tangible and practical recommendations for countermeasures that are unified and meet federal security standards for all organizations (Schymik & Shoemaker, 2013). This would significantly improve compliance rates and pragmatically establish a system of risk management.
Conclusion
It is evident that data breaches are a consistent threat to government information systems. Although data breaches expose vulnerabilities after the fact, it is vital to develop control protocols for security management that prevent such incidents in the first place. Current FISMA and HIPAA protocols are adequate for the current state of the industry, although they could be improved in some respects. However, there are issues with the implementation and enforcement of the guidelines at all levels of government, which leads to data breaches caused by human or technical error. Therefore, it is vital to develop a more comprehensive and integrated method of server protection among government organizations so that they comply with the security recommendations.
References
Anderson, H. (2012). Utah health breach impact grows. Web.
De Groot, J. (2019). What is HIPAA compliance? 2019 requirements. Web.
HIPAA Journal. (2016). OIG publishes findings of Utah Department of Health security audit. Web.
Jarmon, G. L. (2016). Inadequate security management practices left Utah Department of Health sensitive Medicaid data at risk of unauthorized disclosure. Web.
Lohrmann, D. (2012). Dark clouds over technology: Pondering action after recent state government data breaches. Web.
McGee, M. K. (2016). Breached Utah Health Dept.’s security gaps pinpointed. Web.
Perlroth, N. (2012). Utah breach shows vulnerability of health records. The New York Times. Web.
Ross, R., Dempsey, K., Pillitteri, V. Y., Jacobs, J., & Goren, N. (2019). Risk management. Web.
Schymik, G., & Shoemaker, D. (2013). Managing government regulatory requirements for security and privacy using existing standard models. Web.