More on the big Utah health records breach: “Medical data on the state’s computers aren’t encrypted, noting federal rules don’t require it,” the Salt Lake City Tribune reports, citing technology services director Stephen Fletcher. And the server was breached because a technician used a weak password. Take a couple of moments to digest that.
The data wasn’t encrypted because federal law doesn’t require it. Doesn’t require it. This from the folks who are boasting about multilayer security that was undone by an authentication error (the weak password). Baklava has layers also, but I wouldn’t say it’s particularly strong. Talk about compliance vs. security. You have a massive database, filled with sensitive, unencrypted information.
And let’s talk about that password. If it had been some complex passphrase with lots of alphanumeric characters and $ instead of “s” rather than “password” or “admin” or the tech’s birthday or whatever, would that have been OK? Was one server password all that stood between the hackers and the big haul? One password gives a server admin access to read the data? Even if the data had been encrypted (and let’s think in terms of levels of encryption and access within the database according to need to know), would the admin have privileges to decrypt and read it anyway?
What about separation of duties and role-based access control? What about multifactor encryption appropriate to the level of access?
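Here is what that layering could look like, as an added Python sketch that is not from the original post or from the Utah system: data keys held by a custodian outside the database host, need-to-know tiers, and a role plus a verified second factor before anything is decrypted. The roles, tiers, sample records and the HMAC-based stand-in cipher are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed policy: the DB admin can run the server but has no right to
# read patient data; clinical staff need both a role and a second factor.
ROLE_TIERS = {
    "dba": set(),
    "clerk": {"demographic"},
    "clinician": {"demographic", "clinical"},
}

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher so the example runs on the standard library: an
    HMAC-SHA256 keystream in counter mode XORed over the data. A real
    deployment would use an authenticated cipher such as AES-GCM."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

class KeyService:
    """Per-tier data keys live here, not on the database host, so a stolen
    server password yields ciphertext only (separation of duties)."""
    def __init__(self) -> None:
        self._keys = {t: secrets.token_bytes(32) for t in ("demographic", "clinical")}

    def encrypt(self, tier: str, plaintext: bytes) -> dict:
        nonce = secrets.token_bytes(12)
        return {"tier": tier, "nonce": nonce,
                "ct": keystream_xor(self._keys[tier], nonce, plaintext)}

    def decrypt(self, role: str, mfa_verified: bool, record: dict) -> bytes:
        # Need-to-know role AND a verified second factor, or no key release.
        if not mfa_verified or record["tier"] not in ROLE_TIERS.get(role, set()):
            raise PermissionError(f"{role} may not read {record['tier']} data")
        return keystream_xor(self._keys[record["tier"]], record["nonce"], record["ct"])

def db_dump(records: list) -> list:
    """What the database password alone exposes: the stored rows as-is."""
    return [r["ct"] for r in records]

def can_read(ks: KeyService, role: str, mfa_verified: bool, record: dict) -> bool:
    """True only when policy lets this role, with this factor state, decrypt."""
    try:
        ks.decrypt(role, mfa_verified, record)
        return True
    except PermissionError:
        return False
```

With this split, the breached server credential from the article would have handed over `db_dump()` output, not readable records.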
In a way, this is much worse than an organization that admits it’s clueless about data security. These people have the temerity to say they have strong, layered security and were undone because a tech failed to follow procedure. What they have is baklava.