FIXING OUR SECURITY
Both the Utah Department of Health (UDOH) and the Utah Department of Technology Services (DTS) are taking significant steps to make sure a data breach like this never happens again.
How Did the State First Respond?
When the data breach was first detected by the DTS, the breached server was immediately shut down.
Also, Utah Governor Gary Herbert asked for the resignation of the head of the DTS.
The type of data that was compromised in the breach is now encrypted while it resides on state servers.
What Outside Help Is the State Getting?
We have hired two internationally recognized audit firms to conduct full-scale reviews of the data breach and our ongoing response.
Deloitte and Touche, a global leader in risk, security, and privacy services, is conducting a forensic analysis of the breach and making a full-scale assessment of the state's data security and data-storage systems.
Hogan Lovells is assessing how well our overall response and our communication with affected people comply with the Health Insurance Portability and Accountability Act (HIPAA).
What Are State Agencies Doing Internally?
DTS and UDOH have each conducted extensive internal assessments of their data security and data-storage systems, including:
- Analyzed all state servers for vulnerability to hacking.
- Increased network monitoring and intrusion-detection capabilities.
- Improved security controls and equipped each server with many layers of security:
  - Perimeter security
  - Network security
  - Identity management
  - Application security
  - Data security
- Reviewed all security policies and procedures, and trained all staff members to know them inside-out.
- Encrypted the type of data that was breached.
- Reviewed our health-information security and privacy policies with the Digital Health Services Commission.
Deloitte is currently performing a Security Control and Technical Vulnerability Assessment of all State Agencies.
- Objective: Assist the State in assessing security processes and controls against regulatory requirements and industry-leading practices.
- Framework: An 18-point framework based on the National Institute of Standards and Technology (NIST) 800 standards for assessment.
  - NIST provides compliance with FISMA (Federal Information Security Management Act).
  - NIST provides standards and guidelines on information security and has publications that provide management, operational, and technical security guidance.
DTS and UDOH have taken several actions during the assessment, based on recommendations from Deloitte, to help strengthen security:
- Established a Security Council to provide an enterprise view for agency security issues and help agencies in assessing any issues.
- DTS has weekly security meetings to address any issues.
- Increased network monitoring
- Increased security staff
- Increased training for IT staff
- Reviewed, and are now revising, security policies