Data Breaches and Regulatory Requirements
Data Breach Incident and Its Cause
The United States has seen several high-profile data breaches of public institutions, including in South Carolina and Utah. In Utah, a breach of health records was attributed to Eastern European hackers. More than 780,000 people had records exposed after the attackers compromised a computer server operated by the state (Good, 2016). According to the official statement released by the Utah Department of Health, the breach affected recipients of Medicaid and of the Children's Health Insurance Program (CHIP), the state program for children of low-income families.
The attackers got in by exploiting a weak password that a technician had set on the server, and from there gained access to the health records. Once inside, they behaved in the way that is now common in data breaches: during the time they controlled the system they downloaded 24,000 files and transferred them to computers in Eastern Europe, each file holding hundreds of patient claims. The department's initial release put the figure at 24,000; it was later revised to 780,000 people affected, of whom about 280,000 had their Social Security numbers exposed.
Security experts have pointed to several factors that contributed to the breach and to the volume of personal information lost. Bulk storage of personal health information was considered the primary one (Good, 2016): concentrating records in one place lets an attacker take millions of them, whether payment card numbers or health records, in a single intrusion, and that is what happened in Utah. As the financial sector has strengthened its defenses, attackers have shifted toward the less protected health sector. The personal information in health and insurance records makes the industry a major target, and inadequate safeguards make it an easy one.
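The download of tens of thousands of files described above is the kind of activity a simple rate-based detection can surface. The Python below is an added example, not code from this page or from any of its sources: it parses a constructed key=value access log (the log format, account names, addresses and timestamps are all invented for illustration) and raises one alert when a single account and source address pull more than a threshold number of files, or of bytes, inside a sliding ten-minute window.

```python
"""Flag accounts that pull an abnormal volume of files from a records server.

Added example. The log format and every line produced by build_sample_log()
are constructed for illustration; none of it comes from the Utah incident.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative thresholds; a real deployment derives them from a baseline
# of normal batch-job volume for each account.
WINDOW = timedelta(minutes=10)
MAX_FILES_PER_WINDOW = 50
MAX_BYTES_PER_WINDOW = 50 * 1024 * 1024  # 50 MiB


def build_sample_log():
    """Constructed log: a normal user, then one account draining the server."""
    lines = [
        "2012-03-30T09:02:11Z user=jdoe src=10.1.4.22 action=download file=claims_0001.dat bytes=20480",
        "2012-03-30T09:05:40Z user=jdoe src=10.1.4.22 action=download file=claims_0002.dat bytes=20480",
        "2012-03-31T02:10:00Z user=svc_backup src=203.0.113.45 action=login result=ok",
    ]
    start = datetime(2012, 3, 31, 2, 10, 5)
    for i in range(60):  # 60 files in five minutes from an outside address
        ts = start + timedelta(seconds=5 * i)
        lines.append(
            "%s user=svc_backup src=203.0.113.45 action=download file=claims_%04d.dat bytes=102400"
            % (ts.strftime("%Y-%m-%dT%H:%M:%SZ"), i + 1)
        )
    return lines


SAMPLE_LOG = build_sample_log()


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_bulk_downloads(lines):
    """Return one alert per (user, src) whose downloads exceed a threshold inside WINDOW.

    Lines are assumed to be in time order, as they are when read from a log file.
    """
    windows = defaultdict(deque)  # (user, src) -> deque of (timestamp, bytes)
    alerted = set()
    alerts = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ev = parse_line(line)
        if ev.get("action") != "download":
            continue
        key = (ev["user"], ev["src"])
        win = windows[key]
        win.append((ev["ts"], int(ev["bytes"])))
        # Evict events older than WINDOW relative to the newest event.
        while ev["ts"] - win[0][0] > WINDOW:
            win.popleft()
        n_files = len(win)
        n_bytes = sum(b for _, b in win)
        if key in alerted:
            continue
        if n_files > MAX_FILES_PER_WINDOW or n_bytes > MAX_BYTES_PER_WINDOW:
            alerted.add(key)
            alerts.append({
                "user": key[0],
                "src": key[1],
                "window_start": win[0][0],
                "files": n_files,
                "bytes": n_bytes,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_downloads(SAMPLE_LOG):
        print("ALERT %s from %s: %d files, %d bytes since %s"
              % (a["user"], a["src"], a["files"], a["bytes"], a["window_start"]))
```

The thresholds are placeholders; in practice they come from a baseline of each account's normal volume, and the bulk-storage problem the text raises is exactly why such a baseline matters: when one server holds 780,000 people's records, one compromised account can take all of them, so the rule has to fire long before that. The example fires on the 51st file from the outside address; a real rule would also weight the source (an address outside the agency's ranges) and the hour.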
Compliance with Regulatory Requirements and Guidelines
The breach at the Utah Department of Health could have been avoided had the state adhered more closely to existing requirements and guidelines. Several regulatory and legislative frameworks exist to reduce the risk of a breach, especially in government agencies. The Federal Information Security Management Act (FISMA), for instance, outlines security measures that, if adopted, could have prevented the breach in Utah. Compliance with FISMA is treated as a matter of national security, yet the events in Utah showed that the health department was not compliant. FISMA is implemented through the security control families that the National Institute of Standards and Technology (NIST) defines in Special Publication 800-53. The Access Control (AC) family introduces 22 controls, beginning with an access control policy and procedures. Had the Department of Health followed these guidelines, physical access to the servers and logical access to the information systems would have been restricted to authorized individuals (Good, 2016). Access control in this sense is the mechanism by which an authority decides who may reach particular areas and resources, including the room where the physical server sits. In Utah, however, the attackers reached the server over the network, so the control that mattered most was not physical access but authenticator management, which SP 800-53 places in its Identification and Authentication (IA) family.
In Utah, the Eastern European attackers got in through a weak password. From the account above it is evident that the department also failed the Awareness and Training (AT) component of FISMA. The AT family introduces five controls intended to make staff understand the risks of a data breach; a technician who understood them would not have left a weak password on a server holding patient records. Security Assessment and Authorization (CA) is another aspect of FISMA that, properly implemented, would have helped prevent the breach (Good, 2016). The CA family introduces seven controls built around a security assessment plan, whose procedures are meant to find and close loopholes before an attacker does: a server that has not been assessed and authorized should not be holding production data.
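The weak password that let the attackers in is the kind of thing a policy check catches at the moment a credential is set, or in a later audit. The Python below is an added example, not code from this page or from any of its sources: it checks passwords against the kind of policy NIST SP 800-63B describes for memorized secrets (minimum length, a blocklist of common or compromised values, no account name or context-specific words, no repeated or sequential runs) and audits a constructed list of accounts. The account names, passwords and the ten-entry blocklist are invented sample data; the length limits are the ones SP 800-63B gives.

```python
"""Audit account passwords against a NIST SP 800-63B-style memorized-secret policy.

Added example. SAMPLE_ACCOUNTS and COMMON_PASSWORDS are constructed sample
data, not real credentials and not anything taken from the Utah incident.
"""
import re

# Constructed stand-in for a real compromised/common-password list such as a
# breach corpus; a deployment loads a list of millions of entries, not ten.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "admin", "admin123", "welcome", "letmein", "changeme",
}

MIN_LENGTH = 8   # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64  # SP 800-63B: verifiers should accept at least 64 characters


def _has_run(s, n=4):
    """True if s repeats a single character n or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (n - 1), s) is not None


def _has_sequence(s, n=4):
    """True if s contains n or more consecutive ascending or descending characters."""
    codes = [ord(c) for c in s.lower()]
    for i in range(len(codes) - n + 1):
        window = codes[i:i + n]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def check_password(password, username, context_words=()):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    lower = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(password) > MAX_LENGTH:
        problems.append("longer than %d characters" % MAX_LENGTH)
    if lower in COMMON_PASSWORDS:
        problems.append("appears in common/compromised password list")
    if username and username.lower() in lower:
        problems.append("contains the account name")
    for word in context_words:
        if word.lower() in lower:
            problems.append("contains context-specific word %r" % word)
    if _has_run(password):
        problems.append("contains repeated characters")
    if _has_sequence(password):
        problems.append("contains a sequential run")
    return problems


def audit_accounts(accounts, context_words=("medicaid", "utah")):
    """Map each failing account name to its violations; passing accounts are omitted."""
    report = {}
    for user, pw in accounts:
        problems = check_password(pw, user, context_words)
        if problems:
            report[user] = problems
    return report


# Constructed sample accounts (not real credentials).
SAMPLE_ACCOUNTS = [
    ("svc_backup", "changeme"),
    ("jdoe", "jdoe2012!"),
    ("dbadmin", "Utah-Medicaid-01"),
    ("tech01", "abcd1234"),
    ("oncall", "correct horse battery staple"),
]

if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print("%s -> %s" % (user, "; ".join(problems)))
```

Note what the policy deliberately does not do: SP 800-63B drops composition rules (mandatory digits or symbols) and periodic forced rotation, so the check imposes neither; the blocklist and the context-word check are the controls that matter, which is why the long passphrase passes while the short, guessable service-account password fails. Run at password-set time it prevents a weak credential from being created; run as an audit over existing service accounts it finds the ones a technician configured by hand.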
HIPAA adds its own rules that can help eliminate cybersecurity risk. The Act does not prescribe specific technical measures in detail (under the Security Rule, encryption of ePHI is an 'addressable' safeguard selected through the covered entity's risk analysis rather than a flat requirement), but it establishes simple practices that would have helped prevent the breach in Utah. Its Breach Notification Rule sets out what a covered entity must do when ePHI is used or disclosed without authorization, and under HIPAA a breach occurs whenever protected health information is exposed or disclosed impermissibly (Perlroth, 2012). Failing to report an incident that can lead to disclosure is itself a compliance failure. In Utah, earlier indications of serious vulnerability were not reported, which gave the attackers room to reach the department's data.
Deficiencies in the Regulatory Requirements
Various regulatory requirements have been created to improve the security of cyberspace and reduce the risk of breaches. The attack on Utah's Department of Health exposed deficiencies in the framework already in place. The regulations introduced by legislation and by government agencies have not improved assurance of cybersecurity (Perlroth, 2012). They leave little room for additional vulnerability testing, especially within government agencies, which further complicates the agencies' efforts. The procedures developed have also not been effective in securing, or even limiting, access to devices (NIST, 2016). In Utah, the lack of an effective procedure for restricting unauthorized access may have contributed to the server compromise and the resulting breach. Hardware and software updates are also crucial to protecting systems against attack (Lohman, 2012), yet the regulatory requirements remain deficient here, and most agencies fail to keep their software and hardware updated, raising the risk of a successful attack.
Changes are needed to strengthen the security of data systems. They should guide agencies on what to do and make clear how both action and inaction contribute to the risk of an attack. Existing regulatory frameworks need adjustment to mitigate these breaches. HIPAA takes a largely post-event approach in which agencies must adopt specific standards to avoid a repeat of the same events (NIST, 2016); strictly, the Security Rule does require a risk analysis in advance, but the framework's emphasis as applied falls after a breach has already occurred. Such a framework is weak, particularly in healthcare, where attackers are shifting their attention because of the richness of private information and payment card details. NIST's mandate should also be adjusted so that its guidance achieves safer cybersecurity in practice.
References
Good, T. (2016). HIPAA and Data Breaches. Datica. Retrieved from https://datica.com/academy/hipaa-and-data-breaches/
Lohman, D. (2012). Dark Clouds Over Technology: Pondering Action After Recent State Government Data Breaches. Government Technology. Retrieved from http://www.govtech.com/blogs/lohrmann-on-cybersecurity/Dark-Clouds-Over-Technology-042212.html
NIST. (2016). Federal Information Security Modernization Act (FISMA) Implementation Project Overview. NIST. Retrieved from https://csrc.nist.gov/projects/risk-management
O'Reilly, P. D. (2018, March 19). Federal Information Security Management Act (FISMA) Implementation Project. NIST. Retrieved June 12, 2018, from https://www.nist.gov/programs-projects/federal-information-security-management-act-fisma-implementation-project
Perlroth, N. (2012). Utah Breach Shows Vulnerability of Health Records. The New York Times. Retrieved from https://bits.blogs.nytimes.com/2012/04/10/utah-breach-shows-vulnerability-of-health-records/