Cybersecurity, cyber risk, and liability in local government

Cybersecurity, cyber risk, and liability in local government

A comprehsnsive approach to building a cybersecurity program in local government

What's the state of cybersecurity in county and municipal governments in the United States? In this 28-minute video, I present a comprehensive overview of cybersecurity, risk, and liability in county and municipal government for executives, directors, and senior manages and provide a detailed roadmap for local governments to build more effective cybersecurity programs with little capital investment.

Want to talk about cybersecurity in your organization? Get in touch for a free consultation.

Call (607) 731-4097

Links and References (under construction!)

HIPAA Security Rule

HIPAA Privacy Rule

42CFR Part 2

NACD

Ponemon Institute

Resources (Under Construction!)

Text of the Video

Introduction

Does your local government have a world-class cybersecurity program in place? Probably not. But there is no reason why you shouldn’t. In this 30 minute video for public sector directors and executives, I will dispel many cybersecurity myths, answer important cybersecurity questions, and explain exactly how to build a public sector information security program. There is a companion document that goes with this video that contains all references and relevant links.

Welcome to Cybersecurity, Cyber Risk and Liability in local government. What’s the state of cybersecurity in local government right now? What should it look like in your organization and how do you improve it for your local government?

This video is for senior managers, executives and elected officials. We’ll talk about what your cybersecurity program should look like from executive and management perspectives and I’ll provide specific, actionable information for you to build or improve your program based on accepted industry standards.  

Questions

I want to start by asking 11 questions every local government should be able to answer about their cybersecurity program and by the end of this video, you should be able to answer all of these questions in the context of your organization.

  1. What kind of information do local governments collect and maintain?
  2. Is local government regulated?
  3. What regulations apply?
  4. What are the risks?
  5. What’s the liability?
  6. How are they assessing and managing risk?
  7. How do you build a cybersecurity program in the public sector?
  8. What does the management structure look like?
  9. How do you staff it and
  10. How much does it cost?
  11. What are the responsibilities of directors, managers elected officials and staff throughout the organization?

By the end of this video, you should be able to tell the difference between a real cybersecurity program based on accepted standards and a weak or fake one.

Definitions

Let’s get some definitions out of the way. Cybersecurity is about protecting digital data and assets.  Information Security is about protecting all your information assets, regardless of form. Information Governance is the security, control, and optimization of information and it is the superset governing cybersecurity and information security. These days, cybersecurity is often used synonymously with Information Security but technically, that’s incorrect, but for our purposes today, it really doesn’t matter. These are simple programs to put in place, but they’re not necessarily easy to implement.

From the security point of view, we care about three dimensions of information (CIA):

  1. Confidentiality - We make sure that information is only available to those authorized to see it
  2. Integrity - we ensure that the information is correct or valid
  3. Availability - it is always available to those who need it when they need it

Simple in concept –CIA - 3 dimensions to worry about, at least from the security perspective. Every activity, policy, and procedure in your security program has to do with ensuring these three dimensions of information security.

How well are local governments doing at this?  Some local governments are doing it well, many, if not most are doing it poorly and a bit further on I will show you exactly how I come to that conclusion.  Before we move on to our 11 questions though, let’s take a look at the scope of local government in the United States.

The landscape of local government

There are 3000 counties, nearly 14,000 school districts, and almost 40,000 general purpose local governments along with many municipal water, power, and sewer authorities in addition to special districts. Who regulates all these and, more importantly, who is paying attention to information security in these 60,000 or so organizations?

Insurance, healthcare, banking, pharmaceuticals, these industries are all highly regulated, but local governments, as a whole, are not, although individual departments may be. Unfortunately, regulation doesn’t guarantee compliance and it tends to be used as a negative reinforcement but lack of a regulatory authority is no excuse for having a poor cybersecurity program. Local government employees are often unaware of the regulations under which they are covered.

What kind of information do local governments collect and manage?

What kind of information do local governments manage? Let’s put it in context and start with counties, but let’s ask a more fundamental question.

What kind of business is a county?

First of all, County governments are healthcare operations in a big way. They often run hospitals, nursing homes, public health departments, mental health, and substance abuse services.

In fact, two-thirds of all counties run public health departments, and about a-third run hospitals and other health operations.

Additional services include other Medicaid services, veterans services, child protective services, and correctional services including jails and probation.

Information services include County recorders, prothonotaries, and legal departments and the information they maintain is often statutorily protected and sensitive. 

What sort of statutorily protected information do counties have?

Shiploads of PHI, including medical and mental health records, substance abuse treatment records, drug testing records, and HIV status.

They’ve also got truckloads of PII, including SS#, names, address, phone numbers, financial information and court records, some of which may or should be protected.

All this information comes in many forms and it is stored in many places. Here are a few examples.

Here are some of the locations you might find digital data.

And how about offsite storage of data? Do you know if employees have information at home or in their cars?

Here are some places where you might find physical instruments.

When you look at the second-degree data used in a county, the universe of information really expands. There are dozens or hundreds of connections to partner organizations, vendors, state and federal databases, cloud services, and online financial transactions. How is security being supervised and managed at every level? This is a question all senior county executives should be able to answer at least in a general way.

Regulations

Is the information local governments manage and maintain regulated by federal and state authorities?

Absolutely.

If you have any health operations, regulations that apply include the HIPAA Security rule, the HIPAA Privacy Rule, and 42CFR Part 2. In my experience, many local government healthcare organizations do a reasonable job with the HIPAA Privacy Rule, but compliance with the HIPAA Security Rule is very low or nonexistent.

On top of the federal regulations, there are state regulations covering all this information as well in addition to standards and guidelines from State Archives agencies, state DOH, and many others.

Other standards and regulations include CJIS  from DOJ, Payment Card Industry Data Security Standard, IRS computer security rules, and FTC safeguards from GLBA.

Cities and Towns

Let’s talk for a moment about cities and towns.

When we look at these entities, we find a great deal of critical infrastructure. Some of the services cities might provide include traffic management, utilities, and zoning and code enforcement. 

Cities and counties sometimes provide overlapping or duplicated services.  Together, between towns, cities, and counties we have a huge amount of sensitive or protected data.

In other words, counties and cities provide a tasty, all-you-can-eat buffet for criminal data connoisseurs and even for the non-malicious but curious employee or resident. How are we keeping these folks from the all you can eat information smorgasbord?

Ponemon

There aren’t a lot of studies of what’s happening in local government from the cybersecurity point of view, and when there are, the samples are very small. One such study is the Ponemon Institute study from 2015.

According to the study, only 29% of respondents thought their security priorities were clearly defined and only 13% thought they had mature security programs. Lack of skilled security personnel is a major problem.

Negligent insiders, failure to patch, and contractor mistakes were the biggest threats identified and I would add employee mistakes to this list and this includes IT mistakes.

In a typical municipal organization, management of information security is often delegated to the CIO or IT Director who is not only responsible for all information security; he or she is the de facto risk manager and is unilaterally taking on risk on behalf of the entire organization without the informed consent of the governing body.   

Should IT be in charge of security? The simple answer is NO, IT should not be responsible for information security. First of all, there is a question of separation of duties, and the same people responsible for implementing security should not be solely responsible for overseeing it. Second, it is a rare IT Director who has the breadth of knowledge to oversee the regulatory landscape we have discussed so far. Most are simply not qualified. Moreover, there tends to be a lack of oversight when IT is running the security show. Managers and executives who don’t have IT backgrounds tend to shy away from deep involvement in IT processes and procedures because they are afraid of showing ignorance.

This is unfortunate because there is no such thing as an IT project or IT decision. There are only business projects and decisions.

Shared Infrastructure

A big issue in both cities and counties is shared infrastructure. A county or city may have dozens of departments and all the different data, with different regulations and security concerns, are being handled by the same staff members, who may or may not be aware of the statutory requirements, and privacy and security concerns.

Shared services exacerbate the problem considerably. Municipal IT departments are often run more like fire departments and other emergency services. They tend to be reactive rather than proactive.

And they typically aren’t using generally accepted management frameworks for running the operation. They don’t have many of the controls in place that private sector managed service providers use to keep a handle on quality, cost, risk, and accountability.

So, let’s cook down county and city operations to their essence and see what we have. Here’s one way of looking at local government.

  1. Healthcare Operations
  2. Information/Data Warehouses
  3. Critical infrastructure
  4. Customer & Community Services

Is your information security program being managed in a way that reflects this reality?

Threats,  Risk & Liability

It should now be clear that there is a great deal of risk involved with the type of information that local governments maintain. What’s your appetite for risk? Has your county commission or city council signed off on all this risk? Are they even vaguely aware of the level of risk they are facing in terms of information and cybersecurity?

Some of the consequence of poor security include data loss, financial loss, breach, litigation, mitigation costs, and damage to your organization’s reputation.

Another consequence of poor security might be your picture on the front page of the news explaining how a major breach or loss of data occurred on your watch. This might be the best reason to take charge of your security program. For instance, we don’t know the name of the low-level culprits who were actually negligent in the Equifax breach, but we all know the name of the CEO who was fired for it.

OCR, the office of civil rights investigates HIPAA complaints, breaches, and performs random audits of covered entities.

Currently, they have an open criminal investigation in Adams County Wisconsin for a breach of PHI of 258 thousand residents that occurred over a period of 5 years. 5 Years! Their security protocols were so poor that they had no idea that a breach had even occurred! Skagit County Wisconsin recently paid a $215 thousand dollar fine for poor security practices. In the private sector, Anthem insurance was recently assessed with a 16M fine for a breach. MD Anderson Cancer Center, part of the University of Texas, was recently assessed with a $4.3 Million dollar fine.

Are your security protocols good enough to identify whether a breach even occurred? In most local government organizations, the answer to that question is probably not.

Assessing and managing risk

Do you have a relatively current risk assessment report you can lay your hands on? It doesn’t matter whether it was done by external consultants or in-house.

If you don’t have one, you don’t have a cybersecurity program, or at least not a very good one. Periodic, formal assessment of risk is a required component of a solid, standards-based security program.

How do you build a cybersecurity program

Over the last 13 minutes, we’ve covered a lot of background about information risk in local governments and now its time to talk about how to build a cybersecurity program in your organization, especially if you are getting the sinking feeling that comes from the realization of the risk you are facing. Don’t worry. It can easily be fixed. Let’s talk about building a solid security program based on standards and best practices. It isn’t hard to do and it doesn’t have to cost a fortune.

We’re going to talk about 4 essential components of your program, a governance committee, a comprehensive security policy, roles and responsibilities, and procedures.

Let’s start with a governance committee that will be responsible for developing policies and generally overseeing the program.

The committee should have representation from across your organization and should include executive and management representation as well as the inclusion of staff members who actually work with protected information. A good picture of what the group should contain would include an executive; IT, your corporate counsel, HR, corporate compliance, and I always like to include a member of the governing body such as a county commissioner or a city council person. Everyone should have skin in the game.

Policy

A major task for the governance committee is to establish policy and oversee the program. They don’t have to start from scratch.

There are many tools available to help organizations develop policy and some of these include the HIPAA Security Rule, ISO/IEC 27001, the NIST Cybersecurity Framework, and others.

Here’s another view of these tools. These tools are either free or they cost very little so there is no reason not to use them. In fact, I would encourage you to build your program off one tool and then use other tools to augment your program. Developing a policy may take some time and it is not unusual for it to take the committee several months if you don’t already have a significant set of policies in place already. Using experienced consultants can speed the process up considerably.

HIPAA

If your organization maintains protected health information, it makes sense start with HIPAA. If you are a county government, I recommend you bring the entire organization up to the minimum standards set by HIPAA. One reason for this is that HIPAA is actually a pretty low bar. Another reason is the shared infrastructure we discussed earlier. Managing security in your organization with different security postures for different departments is administratively difficult. It makes much more sense to operate your entire organization at the same common denominator.

The HIPAA Security Rule has a set of 40 requirements and it is a relatively straightforward process to convert the HIPAA requirements into a security policy. HIPAA breaks down its requirements into 3 major areas, administrative, physical, and technical security requirements. It is over 20 years old now, so its missing quite a few things that you can find in other sources, but if you are protecting PHI, it’s a good place to start so you can achieve your immediate objective of securing PHI.

Some key requirements of HIPAA include periodic risk assessment, a risk management process, and an assigned security responsibility. The assigned security responsibility is pretty straightforward, someone has to take responsibility for security and it shouldn’t be anyone from your IT Department. Remember when we talked about separation of duties?  This doesn’t mean that you have to hire a dedicated information security officer, but someone has to fill that role and counties have plenty of people who can do this including corporate compliance or law enforcement officers who are already somewhat experienced in security matters. It also doesn’t mean that the person performing the role is an information security expert, but they will have to learn a lot to fill the role and will be responsible for ensuring that everything gets done.

Procedures and Documentation

Policy development is the first step, but you’ll also need to develop a comprehensive set of procedures and routinely document activities in order to prove you’re actually doing what your policy says you’re supposed to do. Good documentation is really important. I’ve done assessments and audits on organizations where they had policies but they weren’t following them and they documented nothing. and this led to significant problems such as downtime, data loss, breach, substantial mitigation costs, legal and litigation costs, and reputational loss.

One organization I recall had an acceptable backup plan, but no one was verifying and validating the backups. So, even though the plan existed, backups weren’t actually happening. When it came time to restore data, they found out that the automated backups didn’t exist. I’ve also seen this with patch management – automated systems for patch management weren’t working but no one bothered to check for months. This resulted in a serious malware infection that spread throughout the network and brought down their e-mail system for 500 users for over a week.

A few examples of the many policies you must have in place, regardless of what framework or standard you are using include backup, patch management, log management and review, disaster recovery, remote access, acceptable use, and data classification. As I said before, compliance with the HIPAA security rule alone requires at least 40 or more policies and a complete security policy for a county government may run from 25 – 50 pages and will have many associated policies and other documentation in support of it.

For example, let’s look at a simple server backup policy. By the way, this is not a real policy. In a production environment with critical data, the policy would contain much more detail and address many more issues. The policy is pretty simple, but let’s look at the context of the policy along with its procedures, documentation, and chain of accountability.

The policy would be part of a comprehensive policy approved by the governing board. An accompanying set of procedures would be developed, possibly by IT whether that is in-house personnel or contractors and approved by the information governance committee and security officer. Required documentation would be defined and approved and clear accountability would be established so every level.

You’ll notice in the accountability column I refer to Responsibility, Accountability, Consulted and Informed. This is called the RACI model and all of the activities, policies, and procedures associated with your information security program should clearly define who is responsible, accountable, consulted, and informed for every process.

ISO/IEC 27001

Another tool you can use to build a Cybersecurity program is ISO/IEC 27001. It is a universally recognized, International Standard developed by the International Organization for Standardization and it is a compact 30 pages. It is comprehensive, technology neutral and maps to other ISO standards as well as other security frameworks. There is a small cost associated with licensing the standard, but it is reasonable and well worth the cost.

The approach to ISO/IEC 27001 and any other standard would be the same as described under HIPAA. You establish a multi-disciplinary committee, inventory assets, perform a risk assessment, identify threats and develop policy, procedures, and documentation.

NIST CSF

The NIST CSF is free from the US Government and it is a risk-based approach to developing a security program. It also maps to other security frameworks and standards and it was developed to be used in conjunction with other frameworks rather than as a standalone framework.

Regardless of whether you build your program on HIPAA, ISO/IEC 27001, NIST CSF, or another framework, you’ll end up with a clear management and governance structure, comprehensive policies, procedures and documentation and you’ll have a program for continuous improvement. You’ll also have a lot more confidence and peace of mind.

How much does it cost?

There are definitely costs associated with an information security program, but if you build a  program based on best practices, policy, and procedure the way I have described it so far, you are using the collective intelligence of your own staff to do most of the work associated with the program. There will be staff time, there may be consulting fees if you seek outside assistance. There will be time spent in meetings on policy and procedure development, training and other activities as well. However, it may is possible for you to build a really solid program with little capital expenditure.

Additional hardware and software may require some capital and ongoing maintenance fees, but you may already have the right security products in place; although they may have to be tweaked so you can use them more effectively. What you actually need in terms of security products will naturally be revealed during the process of a risk assessment, policy and procedure development and other activities associated with the project and these requirements will vary widely among different organizations.

You’re building a custom program that is a perfect fit for your unique organizational requirements based on actual risk, so cookie-cutter approaches based on products rather than policy won’t work for you.

If you decide to have an outside firm assist with policy development, perform a risk assessment, penetration testing, or other activities in support of your program, the range of cost for these services is incredible. I have seen proposals for risk assessments for relatively small counties come in on RFP from a reasonable $15K to several hundred thousand dollars. There are also vendors who claim to perform security assessments for free, but these tend to be of a pretty dubious nature. Free is the most expensive product on the market.

Sometimes even relatively small organizations feel the need to hire large consulting firms because they think they’ll get a better outcome. However, a large national or regional firm may easily burn through $10,000 in consulting fees just walking in the door on the first day of the engagement. With a small firm, you can actually achieve significant outcomes for that kind of money.

If you are budget conscious and aren’t looking for a razzle-dazzle dog and pony show, sticking with small firms and clear scopes of work will make your tight budget go a great deal further.

Most of the consulting work associated with developing a security program can be performed without extensive travel and the use of online meetings can save a tremendous amount of money and make meeting time more productive.

Responsibilities

So, who is responsible for cyber and information security in local government?

The simple answer is everyone is responsible and that approach requires top down and bottom up management of the program. Cybersecurity isn’t something you simply delegate to your IT Director.

The governing body, a city council or county commission has a major role to play. The biggest responsibility is ensuring that a solid, standards-based cybersecurity program exists. It’s a good idea for a governing body to have a committee dedicated to information security and the NACD, the National Association of Corporate Directors has a great document describing questions boards should be asking.

Executives and managers, starting with the CEO, county executive or the city manager should provide leadership and routinely dedicate some of his or her CPU cycles to ensuring that the program is in place and properly managed as well as clearing obstacles for managers and the Information Governance committee. Good management consists of 10% telling people what to do and 90% making sure they do it, so make sure you’re paying attention to the 90%.

We already discussed the role of the Information Governance Committee extensively. This body will develop policy, oversee risk assessment and management activities, manage the continuous improvement process, develop and oversee training and report progress, problems, and obstacles to executive management and the board.

All staff members need to understand the policies and procedures that have been established and report concerns and problems to supervisors and managers. Security is everyone’s responsibility.

Summary

Let’s take a quick look at what we’ve covered in this video.

We talked about cybersecurity, information security, and information governance. We also covered the 3 dimensions of information we are concerned about – CIA – Confidentiality, Integrity, and availability.

We discussed 11 questions that every organization should be able to answer about information security in their organization. Hopefully, you can answer these questions, or at least know where to look in order to find the answers.

We talked about the kinds of information local governments collect and maintain and the risk and liability associated with this information.

We also discussed the extensive regulatory requirements affecting the different types of information collected by local governments.

We talked about solutions and resources for building your program, including the HIPAA Security Rule, ISO/IEC 27001, and the NIST Cybersecurity Framework.

Thanks for watching. If you have questions feel free to e-mail me or give me a call and check out the resource page for this video which includes links to the information presented here. Good luck with your program.

Call (607) 731-4097