Breached Utah Health Dept.'s Security Gaps Pinpointed
But Shortcomings Cited Are Commonplace Elsewhere, Experts Claim
In its comprehensive review of security at the Utah Department of Health conducted in the aftermath of two data breaches, including a major hacker attack, a government watchdog agency found 39 "high-impact" weaknesses.
These findings indicate "a pattern of inadequate security management practices in the areas of access controls management, configuration management, security operations, security program planning and service continuity," according to a newly released report from the U.S. Department of Health and Human Services' Office of Inspector General.
The weaknesses are considered high-impact "because the loss of data's confidentiality, integrity or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets or individuals," OIG wrote.
In a letter included in the OIG report, a Utah Department of Health official writes that the department agrees with the OIG recommendations for improving security and "plans to ... implement the recommendations."
Many other federal and state government agencies - as well as private healthcare organizations - struggle with the same security issues, security experts say.
"These are a lot more common than we'd like to think," says Mac McMillan, CEO of the security consulting firm CynergisTek. "Verizon's last analysis of breaches determined that 99.9% of the weaknesses exploited during hacks were more than a year old, the majority between five and eight years old. What that means is everything the OIG found [at Utah DOH] is happening virtually everywhere."
Rebecca Herold, CEO of the consulting firm The Privacy Professor, adds: "This highlights the challenges, and outright problems, faced by those with the responsibility for implementing and managing information security for a hospital, insurance company, government agency or any other type of organization."
Two security incidents prompted the review of Utah health department security controls.
A March 2012 incident involved Eastern European hackers gaining access to a Utah state server managed by the state's Department of Technology Services. The breach exposed health department data on about 780,000 Medicaid clients and Children's Health Insurance Plan recipients.
In the second breach, which occurred in January 2013, the health department notified 6,000 Medicaid clients that an unencrypted portable USB drive containing their personal information had been misplaced by an employee of a third-party contractor.
As a result of the March 2012 breach, Gov. Gary Herbert fired the state's director of technology and appointed a health data security ombudsman to provide outreach services to individuals affected by breaches (see Post Breach, Utah Boost Info Security).
The HHS OIG report, which was released on Jan. 29, is the culmination of two audits OIG conducted of Utah DOH security.
"While performing a limited review of information system general controls in March 2013, we noted numerous significant weaknesses related to DOH's computer system security controls," the OIG report says. "In response to the previously reported breaches and the number and severity of the weaknesses noted during our March 2013 review, we decided that a broader review of DOH's information system general controls was necessary. Therefore, we conducted a comprehensive information system general controls audit in late 2013 that resulted in the issuance of five restricted audit reports ... detailing DOH's information system general control weaknesses."
The deficiencies put health department data at risk for breaches, the report notes.
Unless rectified, "the weaknesses will continue to put Utah Medicaid data at risk of unauthorized disclosure," the report says. "Without adequate computer system security management at Utah Department of Technology Services, information system security weaknesses could go undetected, leaving the DOH Medicaid eligibility determination and claims processing systems and data vulnerable to additional breaches."
Failure to remedy these weaknesses could adversely affect the state's ability to obtain program funding from HHS, the report notes. "If the weak security controls that we have identified are not remedied, DOH runs the risk that those weaknesses will be carried forward into future Medicaid information system implementations."
The report notes that the information systems operated by Utah DTS were used to determine eligibility for approximately 377,000 Utah Medicaid recipients, for whom Utah's DOH processed approximately 6.5 million claims in calendar year 2013. Medicaid claims in Utah for 2013 totaled approximately $2.2 billion, OIG writes.
Based on its comprehensive information system general controls audit, OIG recommended that DOH work with the state's Department of Technology Services to:
- Implement effective security management practices; and
- Establish oversight procedures to ensure that adequate information system general controls are implemented to correct the identified security weaknesses and to comply with federal information system security requirements.
The security control weaknesses highlighted by OIG indeed put data at risk for cyberattacks and other breaches unless they're properly mitigated, says McMillan, the consultant.
"Blocking and tackling - hardening, patching, change control, access control, etc. - is necessary to eliminate a lot of the risk we experience, [and] is without a doubt some of the most important processes organizations need to accomplish," he says.
A lesson that other organizations can learn from the OIG's review of Utah DOH's security controls is the importance of adopting "a solid standards-based approach to security management," McMillan says. "Focus on accountability in processes and utilize technology to assist. Engage a third party to regularly test your systems."
Herold, the consultant, boils down the main lesson that can be learned from OIG's Utah report to this: "More attention, time, effort and budget needs to be given to information security and privacy."
Utah's Department of Health did not immediately respond to Information Security Media Group's request for comment.