Data Breaches and Regulatory Requirements
Case Study 2: Data Breaches and Regulatory Requirements
Due Week 6 and worth 100 points
The National Institute of Standards and Technology (NIST) provides an extensive amount of information, resources, and guidance on IT and information security topics. The Federal Information Security Management Act (FISMA) provides standards and guidelines for establishing information security within federal systems. However, there have been, and continue to be, numerous security incidents, including data breaches, within federal systems. Review the information about FISMA at the NIST Website, located at http://csrc.nist.gov/groups/SMA/fisma/index.html. Additionally, review the information about data breaches within government systems, located at http://www.govtech.com/blogs/lohrmann-on-cybersecurity/Dark-Clouds-Over-Technology-042212.html.
Select one (1) of the data breaches mentioned to conduct a case analysis, or select another based on your research, and research more details about that incident to complete the following assignment requirements.
Write a three to five (3-5) page paper on your selected case in which you:
Describe the data breach incident and the primary causes of the data breach.
Analyze how the data breach could have been prevented with better adherence to and compliance with regulatory requirements and guidelines, including management controls; include an explanation of the regulatory requirement (such as from FISMA, HIPAA, or others).
Assess if there are deficiencies in the regulatory requirements and whether they need to be changed, and how they need to be changed, to mitigate further data breach incidents.
Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.
Your assignment must follow these formatting requirements:
This course requires use of new Student Writing Standards (SWS). The format is different than other Strayer University courses. Please take a moment to review the SWS documentation for details.
Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the source list are not included in the required page length.
The specific course learning outcomes associated with this assignment are:
Describe legal compliance laws addressing public and private institutions.
Examine the principles requiring governance of information within organizations.
Use technology and information resources to research legal issues in information security.
Write clearly and concisely about information security legal issues and topics using proper writing mechanics and technical style conventions.
Data Breaches and Regulatory Requirements
Organizations that operate online suffer data breaches when they fail to secure the personal data they hold. Security breaches have so far affected millions of accounts in both the private and public sectors (Ramsey & Shankar, 2017). The National Institute of Standards and Technology (NIST) works with private and public organizations to address cybersecurity issues, and the Federal Information Security Management Act (FISMA) requires federal agencies, and organizations handling federal information on their behalf, to protect that information against data breaches and other security threats. This paper is a case analysis of one data breach incident and the regulatory requirements that apply to it.
The Utah breach is one of the worst data breaches to have involved a Medicaid server. According to the Utah Department of Technology Services (DTS) and the Utah Department of Health, the breach was caused by a configuration error on the server. Attackers believed to have operated from Eastern Europe used that misconfiguration to get past the security controls and into the health department network. The organization had put security controls in place to protect the server, but because of the configuration mistake the attackers were able to reach the vulnerable system.
The attackers initially were reported to have accessed about twenty-four thousand claim records, which included Social Security numbers, taxpayer identification numbers, and treatment codes. A fuller investigation showed that the breach caused more harm than first recorded (Garner, 2017). It affected Medicaid data, data from the state’s Children’s Health Insurance Program, and individuals’ personal data. In total, the incident affected about two hundred and fifty-five thousand people, including patients who had visited health facilities, Medicaid recipients, and Children’s Health Insurance Program enrollees. The victims had to be notified, and affected individuals were offered one year of free credit monitoring.
The Utah Department of Health could have prevented the data breach through the use of strong authentication and complex passwords on the server. The department could also have made a firmer security management commitment to protecting sensitive information from disclosure (Garner, 2017). The security controls on the server were not implemented according to FISMA standards, and the required annual assessment of security practices, which would have measured the controls’ effectiveness and exposed vulnerabilities, was not carried out. Had the controls met the federal standards, the breach would most likely not have occurred.
The network system used by the Utah Department of Health had not been reviewed by the proposed enterprise security group, a review that could have identified the security vulnerabilities and resolved them before the breach. The healthcare providers should also have protected the organization’s critical datasets with data encryption so that an attacker reaching the server could not read the records (Ramsey & Shankar, 2017). The organization could have enforced strict security policies in line with FISMA standards to protect the data. Modernized methods of controlling and managing sensitive data, such as virtual servers and electronic health records, could likewise have played a significant role in protecting the organization from the breach.
Had the Utah Department of Health complied with FISMA and the Health Insurance Portability and Accountability Act (HIPAA), it would likely not have suffered the data breach. The HIPAA Security Rule requires administrative safeguards, that is, policies and procedures for managing, developing, and implementing security controls, to protect electronic health information. Covered healthcare entities are required to comply with HIPAA, and its policies and procedures are simple and directly safeguard healthcare systems (Ramsey & Shankar, 2017).
Organizations are advised to adopt the policies that fit their daily operations; a large healthcare organization, for instance, needs a different set of policies and procedures from a small practice. For example, an organization may decide to offer regular education and training to employees on security measures and procedures, on how to identify vulnerabilities and malicious activity, and on the safe adoption of new electronic devices. Understanding information management, maintaining compliance through HIPAA’s unique user identification requirement, and working together with other health organizations are key.
The regulatory requirements and guidelines address the most critical security weaknesses, such as weak user authentication, excessive user permissions, and data leakage from endpoints. However, public sector organizations exhibit several common deficiencies that are identified through an effective response process (Bieker et al., 2016). Weaknesses in meeting the regulatory requirements include IT operations deficiencies, reporting deficiencies, and compliance deficiencies. One recent shortcoming is the difficulty of controlling user access administration and user activity. Inappropriate user access within agencies subject to regulations such as HIPAA may lead to serious security risks, including data breaches.
Unauthorized changes are also a serious source of vulnerability for an organization. Organizations are urged to build compliance into their policies and procedures so that all shared information and control statements are identified (Bieker et al., 2016). Carrying out regular risk assessments is necessary to identify unauthorized access, disruptions, modification of systems and information, disclosure, and destruction. Another deficiency is an approach that lacks proper documentation of activities. Documentation is essential, especially for recording incidents. Agencies are advised to treat identified weaknesses as a priority and address them accordingly.
To sum up, data security has become a major problem for most organizations because of the high rate of internet use. NIST guidance and the FISMA and HIPAA regulatory requirements are adopted by most organizations to enhance the security and protection of data. The Utah Department of Health data breach was a severe case that affected many people and exposed their personal information. Adherence to HIPAA and to NIST guidance could have protected the department from the breach. Agencies are, however, still not safe because of the deficiencies identified in compliance, reporting, and IT operations, all of which need attention.
References
Bieker, F., Friedewald, M., Hansen, M., Obersteller, H., & Rost, M. (2016, September). A process for data protection impact assessment under the European General Data Protection Regulation. In Annual Privacy Forum (pp. 21-37). Springer, Cham.
Garner, R. L. (2017). Evaluating solutions to cyber attack breaches of health data: How enacting a private right of action for breach victims would lower costs. Indiana Health Law Review, 14, 127.
Lohrmann, D. (2012, April 22). Dark clouds over technology. Government Technology. http://www.govtech.com/blogs/lohrmann-on-cybersecurity/Dark-Clouds-Over-Technology-042212.html. Accessed February 14, 2020.
Ramsey, S., & Shankar, A. (2017). HIPAA and FISMA: Computing with regulated data (A CCoE Webinar Presentation).