Utah Bill Aimed at Breach PreventionPuts Pressure on State Agencies to Protect Data
In the aftermath of a data breach last year that affected 780,000 individuals, Utah legislators are considering a bill that would mandate state agencies identify and implement best practices for protecting data.
S.B. 20, sponsored by Sen. Stuart Reid, R-Ogden, was passed by the Utah Senate on Jan. 30 and is on its way to the House, where it's being sponsored by Rep. Paul Ray R-Clearfield.
The bill would require that the state's Department of Technology Services, which provides IT services to all state agencies, work with the governor's office to convene a team of experts to identify best practices for safeguarding data privacy and then see to it that the practices are appropriately implemented.
The proposal comes in the wake of a March 2012 breach incident involving Eastern Europeans hacking into a Utah state server managed by the Department of Technology Services. The breach exposed Utah Department of Health claims data for 780,000 Medicaid clients and Children's Health Insurance Plan recipients.
And in a January breach, the state health department notified 6,000 Medicaid clients that an unencrypted portable USB drive containing their personal information had been misplaced by an employee of third-party contractor, Goold Health Systems.
As a result of the March 2012 breach, Gov. Gary Herbert fired the state's director of technology. He also appointed a consumer healthcare advocate to a newly created position of health data security ombudsman to provide outreach services to individuals affected by the breach (see: Assessing Utah's Post-Breach Efforts.)
Putting on Pressure
While it could be argued that all state technology departments should follow security best practices, if signed into law, the legislation would put pressure on Utah's technology leaders and executive agencies to ensure those practices are followed, Reid tells HealthcareInfoSecurity.
"Under my legislation, the department must apply best practices," he says. "The application of those best practices [would be] monitored on an ongoing basis by a committee of experts."
The law also would require an audit every two years to assess whether best practices are being executed. If they are not, the governor and legislature would be informed. "If they cannot apply the best practices because of budgetary reasons, the legislative leadership [would be] informed, and they would determine the risk/cost factors to determine if additional funding will be applied," Reid says.
But the state already is implementing best practices for data security, says David Patton, executive director of the health department. "The legislation codifies something we should be doing, and makes it more permanent," he says.
In the aftermath of last March's breach, Utah hired consulting firm Deloitte & Touche to assess data security at the state's departments of health and technology services. One of the recommendations was for Utah to create a security council with representatives from state agencies, departments and the governor's office. The newly formed council has identified some security best practices that are being implemented, says Patton, who is a council member. That includes asking each state agency to perform formal risk assessments to identify data that needs to be protected, determine how it's being safeguarded, and investigate what needs to be done to better protect it.
All agencies have completed their initial assessments to classify their data, and the next phase of risk assessment is under way, Patton says.
More Specifics Needed?
Privacy attorney Stephen Wu, a partner at Cooke Kubrick and Wu, says the language of the Utah bill is vague in terms of "best practices," and he suggests the legislation "could've created an argument for more specifics, such as conducting risk assessments."
And while states should already be exercising best practices for data security, "there's more pressure and oversight on agencies when that's part of legislation," he adds.
While the legislation does not spell out consequences if the best practices are not followed, reprimands and penalties are left to the executive branch, Reid adds. That includes staff terminations.
By improving Utah's breach prevention, the state hopes to avoid the kinds of federal penalties that some organizations have been smacked with by the U.S. Department of Health and Human Services, including a $1.7 million penalty levied this summer against the Alaska department of health and human services (see: Inside a HIPAA Breach Investigation.)
S.B. 20 amends the Utah Technology Governance Act to require the state's chief information officer to:
- Coordinate with the governor's office in convening a group of experts to identify industry best practices for data security standards;
- Incorporate industry best practices for data security standards into the department of technology and executive branch agency practices;
- Modify the state's executive branch information technology strategic plan to incorporate the industry best practices standards as feasible within the department of technology or executive branch agency budgets;
- Inform Utah's House of Representatives and Senate if security standards are not adopted due to budget issues;
- Conduct an assessment of the department of technology and executive branch agency security standards at least once every two years;
- Provide a process in which a state agency that contracts for services from the Department of Technology can enter into an agreement with the department to audit the security standards implemented by the department.
The bill also makes changes to privacy notice requirements for healthcare providers that participate in the state's Medicaid or CHIP programs.
For instance, under the bill, those providers' notices of privacy practices must state that the healthcare provider either has, or may submit, personally identifiable information about the patient to the state's Medicaid and CHIP eligibility database. It also requires that before they give a provider access to the state's eligibility database, the state Medicaid program and CHIP verify that the healthcare provider's notice of privacy practices complies with federal and state law.
Other States' Actions
Utah isn't the only state that's been beefing up its data security and privacy regulations. Texas, Massachusetts, Nevada and California are among states that have recently toughened up their privacy laws in a variety of ways, and consultant Bob Chaput, CEO of Clearwater Compliance believes that's the start of a trend.
"Even with HIPAA omnibus, there were no changes to the [HIPAA] security rule, and so states are bringing their own laws up to date for today's more contemporary threats," he says. That includes adding requirements to use encryption to protect personal information, as Massachusetts has done. "HIPAA omnibus could've required encryption, but it doesn't," he says.
Consultant Mac McMillan, CEO of IT security consulting firm CynergisTek, also predicts that more states will be examining their privacy and security regulations, especially in the wake of data breaches that involved government penalties or class action lawsuits.
"Minnesota is in the process of enacting new legislation along the lines of the California and Massachusetts statutes as a result of the Accretive Health incident from last year," he says referring to a July 2011 incident that involved an unencrypted laptop that was stolen from the car of an Accretive employee. The breach, which affected about 20,000 individuals, ended up costing the Chicago-based billing and collections company $2.5 million in a July 2012 settlement with the state (see: Accretive Health Settles Minn. Lawsuit).