Lessons from Utah
This post, by Ted Augustinos and Eric Fader, is part of our ongoing series of contributed content.
There are lessons to be learned or reinforced by the breach of a database maintained by the Utah Department of Health (UDOH). The data breach, involving a malicious hacking of state computers, exposed records maintained by the Department of Technology Services (DTS), including medical records, Social Security numbers and other personal information.
Here are four key lessons, particularly for companies involved in healthcare.
- Know Your Vulnerabilities. As widely and repeated reported in the press, no company or government agency is realistically in a position to fend off highly sophisticated attacks. This creates a real challenge, particularly for healthcare entities and agencies, which are being pushed toward the use of electronic data that would be vulnerable to such an attack. DTS reported that its systems were configured to avoid this particular type of attack. There was reportedly a vulnerability in the configuration of a server, however, that resulted in the data breach. Recognizing and continually revisiting vulnerabilities are critical to establishing and maintaining data security.
- Testing and Retesting. Once a security program is implemented, testing and retesting of systems, infrastructure and policies is critical. With appropriate testing and retesting of its information security, DTS might have detected the weakness in the server configuration that created the exposure that resulted in the breach.
- Monitoring and Logging. This breach helps demonstrate the importance of monitoring and logging systems activity. While it appears that the initial intrusion may not have been detected, the unauthorized exporting of data appears to have been detected immediately, allowing the breach to be stopped and the damage to be relatively limited.
- Know Your Systems and Database. Although the response by DTS and UDOH appeared to have been quick, initial reports indicated that 24,000 records were affected by the breach. Over the ensuing days, however, it was announced that there were actually 24,000 files, each of which contained hundreds of records. Ultimately, it was revealed that personal information of over a quarter-million individuals was affected, and that less sensitive data of almost a half-million additional individuals were involved. A better, more immediate understanding of the affected database would have resulted in more accurate initial reports, and would have avoided the need for corrective communications.
Ted Augustinos and Eric Fader are members of the Privacy and Data Protection Group at Edwards Wildman Palmer LLP.