Data Security Tip: Sometimes It’s What You Don’t Do That Makes a Difference

Don Miller

This is the last in a series of data security case studies offered by bTrade in support of National Cyber Security Awareness Month (NCSAM). As mentioned previously, bTrade is examining documents from public cases/proceedings initiated by regulators alleging bad data security practices, in the hope that lessons can be learned about what “not-to-do” when it comes to data security. This post will examine not one, but three separate cases involving two private companies from different industries as well as a government entity that was the subject of what some call the “most devastating cyber attack in our nation’s history.”

HIPAA Settlement Underscores the Vulnerability of Unsupported, Out-of-Date Software

An investigation was opened by Health and Human Services, Office for Civil Rights (OCR), after Anchorage Community Mental Health Services (ACMHS), a nonprofit mental-health care provider, gave notice of a breach involving malware that compromised unsecured electronic protected health information (ePHI) affecting 2,743 individuals.  OCR’s investigation revealed that ACMHS failed to: (1) conduct “accurate and thorough” risk assessments; (2) implement policies and procedures to safeguard its e-PHI; and (3) implement “technical security measures to guard against unauthorized access to e-PHI” such as installing firewalls and ensuring that “information technology resources were both supported and regularly updated with available patches.”

ACMHS agreed to settle potential violations of HIPAA’s Security Rule by paying $150,000 and adopting a corrective action plan to correct deficiencies in its HIPAA compliance program. The corrective action plan requires ACMHS to report on the state of its compliance to OCR for a two-year period.

What is the lesson learned from this data security case study?  Although multiple violations were alleged, OCR’s public statements focused on just one of ACMHS’s data security problems–running unsupported, out-of-date software.  For example, in a public bulletin issued after the settlement, OCR said the data security breach was “the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.”  OCR Director Jocelyn Samuels echoed these same sentiments:

Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis.  This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.

SEC Settlement Underscores the Need to Adopt Written Policies and Procedures to Safeguard Customer Information

The Securities and Exchange Commission (SEC) censured and fined a St. Louis-based investment advisor, R.T. Jones Capital Equities Management, for not having required data security policies and procedures in place. According to the SEC’s order, R.T. Jones stored sensitive personally identifiable information (PII) of clients and others on its third-party-hosted web server. The server was attacked by an unknown hacker who gained access to, and copy rights over, the data on the server, leaving the PII vulnerable to theft.

Without admitting or denying the SEC’s findings, R.T. Jones agreed to pay a $75,000 penalty to settle charges that it violated the “safeguards rule” because it “failed entirely” to adopt written policies and procedures reasonably designed to safeguard customer information.  For example, the SEC alleged that R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server or maintain a response plan for cybersecurity incidents.

What is the lesson learned from this data security case study?  In a prepared statement, Marshall Sprung, co-chief of the SEC Enforcement Division’s Asset Management Unit, provided the lesson:

As we see an increasing barrage of cyberattacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients.  Firms must adopt written policies to protect their clients’ private information, and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.

OPM Lawsuit Underscores the Need, in Certain Situations, to Shut Down and Start Over

An FAA employee recently filed a federal court class action lawsuit arising out of multiple cyber-breaches of systems at the U.S. Office of Personnel Management (OPM).  OPM provides investigative products and services for over 100 federal agencies to use as a basis for suitability and security clearance determinations.  According to the lawsuit, hackers compromised the security of at least 21.5 million individuals and top lawmakers described the breach as the “most devastating cyber attack in our nation’s history.”

What do plaintiffs allege that OPM did wrong? Plenty, according to OPM’s Office of Inspector General (“OIG”), the agency required under federal law to conduct annual audits of OPM’s cyber security program and practices. OIG identified “material weaknesses” as far back as 2007 that OPM not only failed to cure; in many areas, OPM’s performance actually got worse. According to a 2014 OIG report, the “drastic increase in the number of [software] systems operating without valid authorization is alarming and represents a systemic issue of inadequate planning by the OPM offices to authorize the [software] systems they own.” As a result, the OIG concluded that OPM’s software systems were so vulnerable that OPM should consider “shutting [them] down.”

What is the lesson learned from this data security case study? Although this saga has not yet played out since the lawsuit was only recently filed, we now know that certain data security systems can be so bad that the best solution is to “shut them down” and start over. At this point, it appears OPM’s problems result from the horrible operations of a government agency and its incompetent staff, rather than from its technology or policies/procedures.

So stay tuned on this one because we guarantee it will produce lessons of what not-to-do when it comes to data security.  bTrade’s MFT Nation will keep you updated on events as and when they occur.
