Internet Explorer 11 is not supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Lessons from Utah's Massive Data Breach

Utah's former CIO Steve Fletcher says cybersecurity is everyone's job.

Just a few years ago, Utah CIO Steve Fletcher was garnering recognition and praise from his peers for leading the state's enterprisewide IT consolidation and centralization. He was even named a 2010 Public Official of the Year by this magazine. Today, he's looking for a new job -- a casualty of a cybercrime epidemic that's rapidly becoming a Catch-22 for technology officials.

Fletcher submitted his resignation in May, after Utah IT officials discovered that health and Medicaid data for nearly 800,000 residents -- including 280,000 Social Security numbers -- had been stolen from a poorly secured server operated by the state's Department of Technology Services. The massive breach couldn't have come at worse time for Fletcher, whose boss, Gov. Gary Herbert, is running for re-election. Along with accepting his CIO's resignation, Herbert launched a statewide security audit and appointed a new health data security ombudsman.

For Fletcher, the new focus on information security obviously comes too late. "Until you have a breach, nobody really wants to step up and pay extra money for security," he says.

In the four months preceding the event, cyberattacks against state information systems had spiked by 600 percent, leaving IT staff stretched dangerously thin. "We had so many attacks that we were fighting those fires as opposed to spending resources to scan our network," Fletcher explains.

He says the state's 18-month budget cycle makes it tough to react to quickly evolving cyberthreats-and eliminating security risks is flat-out expensive. In a perfect world, for instance, the health information sitting on that compromised server would have been encrypted, so that even if hackers got to the data, they couldn't read it. But that would have cost an extra $10 million to $12 million the state didn't have.

What's the solution? Better data classification, Fletcher says. Instead of trying to provide high-level protection for all information collected and used by agencies, governments need to get better at sorting data into categories based on its sensitivity and importance. Once those categories are established, they can be matched to the right security measures-highly sensitive records get the best, most expensive safeguards; mundane stuff gets less attention.



Many agencies balk at the idea because sorting and classifying the mountains of data they collect is much harder than it sounds. But good classification schemes, coupled with clear-eyed risk analysis, would go a long way toward both strengthening information security and making it more affordable. "That would be so much more effective and people would sleep a lot better," Fletcher says.

For that to happen, however, cybersecurity can't be just the CIO's problem. Agency managers and policymakers will need to be part of the solution. Until then, IT security remains a no-win situation for public CIOs.

Ironically, Fletcher says it's a testament to Utah's security organization that the state could spot abnormal traffic on its computer network, which led to the discovery of the breach. In some other organizations, he says, the situation could have gone unnoticed.

But that's cold comfort for the highly regarded CIO -- and I suspect many of his peers will be tossing and turning at night until cybersecurity is a business problem instead of a technology problem.

Elizabeth Daigneau is GOVERNING's managing editor.
Special Projects
Sponsored Stories
Sponsored
Workplace safety is in the spotlight as government leaders adapt to a prolonged pandemic.
Sponsored
While government employees, students and the general public had to wait in line for hours in the beginning of the pandemic, at-home test kits make it easy to diagnose for the novel coronavirus in less than 30 minutes.
Sponsored
Governments around the nation are working to design the best vaccine policies that keep both their employees and their residents safe. Although the latest data shows a variety of polarizing perspectives, there are clear emerging best practices that leading governments are following to put trust first: creating policies that are flexible and provide a range of options, and being in tune with the needs and sentiments of their employees so that they are able to be dynamic and accommodate the rapidly changing situation.
Sponsored
Service delivery and the individual experience within health and human services (HHS) is often very siloed and fragmented.
Sponsored
In this episode, Marianne Steger explains why health care for Pre-Medicare retirees and active employees just got easier.
Sponsored
Government organizations around the world are experiencing the consequences of plagiarism firsthand. A simple mistake can lead to loss of reputation, loss of trust and even lawsuits. It’s important to avoid plagiarism at all costs, and government organizations are held to a particularly high standard. Fortunately, technological solutions such as iThenticate allow government organizations to avoid instances of text plagiarism in an efficient manner.
Sponsored
Creating meaningful citizen experiences in a post-COVID world requires embracing digital initiatives like secure and ethical data sharing, artificial intelligence and more.
Sponsored
GHD identified four themes critical for municipalities to address to reach net-zero by 2050. Will you be ready?
Sponsored
As more state and local jurisdictions have placed a priority on creating sustainable and resilient communities, many have set strong targets to reduce the energy use and greenhouse gases (GHGs) associated with commercial and residential buildings.