The State of Security

What’s Changed Since Hackers Breached a State Medicaid Server?

By Gaylen Webb

August 9, 2013

When hackers broke into a state Medicaid server in March 2012, they stole the personal information of 780,000 Utahns, including 280,000 Social Security numbers. Fallout from the breach resulted in the ousting of Utah’s Chief Information Officer, Stephen Fletcher. His successor, Mark VanOrden, who came to the Utah Department of Technology Services (DTS) from the Department of Workforce Services, has been on the job as state CIO for a little more than a year.

What led up to the breach and what has the DTS done to shore up data security at the state level since VanOrden took the helm? Under questioning by lawmakers shortly after the breach, VanOrden highlighted a variety of security flaws he had found: breakdowns in protocol, human errors, management issues and security holes (such as unencrypted data).

Security Response

In the 18 months since he became state CIO, VanOrden’s security response has been thorough, even exhaustive. “The people that are attacking us are very sophisticated and they are persistent. We block, on average, 50 million potentially malicious attacks a day through our firewalls in our data center,” he says.

Security measures VanOrden has implemented include the reorganization of the entire security group, putting all of the security people under Tim Hastings, state chief information security officer (CISO). Previously, some of the security people were working in the hosting group and others in the desktop support group. Hastings further divided the group into two teams, one that monitors statewide issues and security products and another that focuses specifically on supporting the state agencies with their risk-based security decisions.

VanOrden also went to bat for more money from the State Legislature to fund an increase in cyber security. He upgraded the state’s firewalls and security monitoring software and implemented 24/7 monitoring of the data center. VanOrden says two people are onsite at the data center at all times, including holidays. One person monitors network operations while the other monitors all incoming and outgoing network traffic.

“We are constantly looking for things that are not right and then taking immediate action according to what we see,” he says.

Other measures include the revision of all state information security policies to meet the specifications of the National Institute of Standards and Technology (NIST). He also updated all processes and procedures for developing and deploying new applications. “We’ve tightened everything up and revised our entire change-management process for implementing any hardware and software changes,” he says.

Security Assessment

The DTS recruited auditing firm Deloitte & Touche to perform an information security assessment of all 22 cabinet-level agencies. VanOrden’s team is currently working through each of the assessments and taking action on security issues identified by Deloitte. “The assessment identified things we could certainly do better,” he says, noting that some of the state agencies pushed back regarding the new information security efforts until the Deloitte & Touche assessment was complete.

“After that, most of them saw the light now and understand the security. No one wants to be the next agency to have a security breach,” he says.

VanOrden says other improvements include the organization of a new incident response team and additional security training for the development teams. The mistakes that were made a year ago were typically in the development team areas, he explains, noting that after the security breach in 2012, the department didn’t respond as well as it should have.

Security Council

VanOrden has also implemented a statewide security council under the direction of the governor’s office that includes five cabinet members, the chief operating officer and the CISO. The council meets monthly to discuss security issues, policies and best practices, and guides the implementation of statewide information security policies. Thanks to the security council, each state agency is getting more involved in information security than ever before.

“Now they are compelled to do so because of the security council,” says VanOrden.

The DTS recently assisted the state agencies in completing risk assessments for each of the roughly 1,100 applications the agencies use, along with the classification of agency data. The assessments helped determine where the vulnerabilities are. The DTS then categorized the vulnerabilities as high, medium or low.

“We’ve looked at where we have high risks and are taking immediate actions on those,” he explains. “We needed help from the agencies and they needed to take charge, so we supported them in the assessments, but it was under their direction.”
