The state of security: what's changed since hackers breached a state Medicaid server?

Author: Webb, Gaylen
Position: Techknowledge

When hackers broke into a state Medicaid server in March 2012, they stole the personal information of 780,000 Utahns, including 280,000 Social Security numbers. Fallout from the breach resulted in the ousting of Utah's Chief Information Officer, Stephen Fletcher. His successor, Mark VanOrden, who came to the Utah Department of Technology Services (DTS) from the Department of Workforce Services, has been on the job as state CIO for a little more than a year.

What led up to the breach and what has the DTS done to shore up data security at the state level since VanOrden took the helm? Under questioning by lawmakers shortly after the breach, VanOrden highlighted a variety of security flaws he had found: breakdowns in protocol, human errors, management issues and security holes (such as unencrypted data).

Security Response

In the 18 months since he became state CIO, VanOrden's security response has been thorough, even exhaustive. "The people that are attacking us are very sophisticated and they are persistent. We block, on average, 50 million potentially malicious attacks a day through our firewalls in our data center," he says.

Security measures VanOrden has implemented include the reorganization of the entire security group, putting all of the security people under Tim Hastings, state chief information security officer (CISO). Previously, some of the security people were working in the hosting group and others in the desktop support group. Hastings further divided the group into two teams, one that monitors statewide issues and security products and another that focuses specifically on supporting the state agencies with their risk-based security decisions.

VanOrden also went to bat for more money from the State Legislature to fund an increase in cyber security. He upgraded the state's firewalls and security monitoring software and implemented 24/7 monitoring of the data center. VanOrden says two people are onsite at the data center at all times, including holidays. One person monitors network operations while the other monitors all incoming and outgoing network traffic.

"We are constantly looking for things that are not right and then taking immediate action according to what we see," he says.

Other measures include the revision of all state information security policies to meet the specifications of the National Institute of Standards and Technology (NIST). He also updated all processes and procedures for developing and...
