Oops. We’ve Done It Again. Ken Block
Ken Block, MINDSETTER™
Deloitte is the vendor Rhode Island hired to build and support these two systems.
This weekend’s crisis follows on the heels of the monumental ineptitude of the Rhode Island Department of Transportation’s Washington Bridge failure. Remember the Commerce Corporation’s 38 Studios mess? How about when nearly every working Rhode Islander had a false unemployment insurance claim filed against their name, and most of those claims were paid by the Department of Labor and Training? There are far too many more examples to list.
The common denominator for all of the above is the Rhode Island government and the toxicity of RI politics to competent decision-making.
Let’s focus on the crisis of the day, RIBridges and HealthSource RI. These massive computer systems are still unstable years after they were turned on. They collect our most sensitive and confidential data, and apparently, someone made off with all of it.
Before I get into it, you should understand my background. My software company was the prime contractor to the State of Texas for the Lone Star Card, the state’s Food Stamp (SNAP) system. I helped design and build it. We maintained, supported, and modified this system for years. We had similar systems in Illinois and Puerto Rico. I am an expert in the business and technical sides of welfare benefits delivery.
The State of Rhode Island is directly responsible for this failure. The state should audit these systems to ensure adherence to requirements and identify security weaknesses. Once problems are identified, aggressive deadlines should be set for the vendor to address them.
RIBridges has problems far beyond security issues. For example, many Medicaid recipients enrolled in the program are older than 65, the age beyond which they must move into other programs. These are conversations for another day and column.
Who protects us from our government mismanaging our data? No one.
This summer, to great fanfare, the Rhode Island legislature passed the Data Transparency and Privacy Protection Act, which places boundaries and expectations on systems that collect and process confidential information from individuals. Incredibly, the law exempts state and local governments from the requirements it places on private businesses. This is no small thing because, in the last three years, the following state and local computer systems experienced security breaches (this is not a comprehensive list):
RIBridges (UHIP) / HealthSource RI (health insurance exchange)
Providence Public Schools
RI Housing’s mortgage vendor
The Town of North Kingstown
RI Department of Health
Narragansett Bay Commission
Rhode Island Public Transit Agency (RIPTA)
What Should Be Fixed?
All RI government computer systems should be compelled by law to adhere to the same security standards that apply to private businesses. This is common practice within the industry. Then we should add security requirements on top of that for state and local government computer systems, including:
Encryption of confidential data at rest. Rhode Island could have prevented, or at least detected and mitigated, the breach before the bad guys got their hands on the data. Confidential data sitting on disks, in databases and in backups (technically called data at rest) should be encrypted, that is, electronically scrambled, so that a stolen copy of the files is unreadable without the keys. The state should have insisted that Deloitte build this requirement into their systems, but it has not been done. One caveat a practitioner will add: encryption at rest only helps if the keys are stored and managed separately from the data, and an attacker who logs in with a stolen valid account sees the data decrypted anyway, so it belongs alongside access controls and monitoring, not in place of them.
Egress monitoring and data loss prevention. Dedicated security tooling, whether a network appliance or software on the servers themselves, can detect and block the unauthorized transfer of large volumes of data out of critical computer systems, for example a database server that suddenly sends hundreds of megabytes to an outside address it has never communicated with before. This also appears not to have been put in place.
Mandatory security training for every state and municipal employee interacting with a government computer. Some of the worst data breaches are made possible by the careless mistakes of these users.
Enact and enforce requirements for strong, unique passwords for every account on every device, with no reuse across systems.
Mandatory two-factor authentication for every user, through a mobile phone or an authenticator app at minimum, with phishing-resistant methods (hardware security keys or passkeys) for administrators and anyone with bulk access to confidential data.
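The egress-monitoring requirement above is the one that is easiest to show concretely. The following is an added example written for this column, not code from the state, from Deloitte or from RIBridges; it implements the core detection logic a data-loss-prevention or egress-monitoring tool applies. It reads constructed flow-log lines (timestamp, source host, destination address, bytes sent), ignores traffic to an assumed internal 10.x range, and raises an alert when one host sends more than a threshold of data to a single external address within a sliding time window. The log format, host names, addresses, the 500 MiB threshold and the 15-minute window are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records for this example (not real telemetry from any
# state system). Fields: UTC timestamp, source host, destination IP, bytes out.
SAMPLE_FLOWS = """\
2024-12-14T01:30:00Z db-app-01 203.0.113.77 209715200
2024-12-14T02:01:10Z db-app-01 10.20.0.5 18432
2024-12-14T02:03:40Z db-app-01 10.20.0.5 20480
2024-12-14T02:05:02Z db-app-01 203.0.113.77 314572800
2024-12-14T02:07:19Z db-app-01 203.0.113.77 314572800
2024-12-14T02:09:55Z web-01 198.51.100.9 51200
2024-12-14T02:12:31Z db-app-01 203.0.113.77 314572800
2024-12-14T02:15:00Z web-01 10.20.0.5 4096
"""

FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<bytes>\d+)$")

# Assumed internal address space; traffic staying inside it is not egress.
INTERNAL_PREFIXES = ("10.",)


def parse_flows(text):
    """Parse flow-log lines into records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if m is None:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "dst": m["dst"],
            "bytes": int(m["bytes"]),
        })
    return records


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def detect_bulk_egress(records, window_minutes=15, threshold_bytes=500 * 1024 * 1024):
    """Return one alert per (source host, external destination) pair whose outbound
    bytes exceed threshold_bytes within any sliding window of window_minutes."""
    by_pair = defaultdict(list)
    for r in records:
        if is_internal(r["dst"]):
            continue
        by_pair[(r["src"], r["dst"])].append(r)

    window = timedelta(minutes=window_minutes)
    alerts = []
    for (src, dst), flows in by_pair.items():
        flows.sort(key=lambda r: r["ts"])
        start, total = 0, 0
        for end, flow in enumerate(flows):
            total += flow["bytes"]
            # Slide the window start forward until it fits within window_minutes.
            while flow["ts"] - flows[start]["ts"] > window:
                total -= flows[start]["bytes"]
                start += 1
            if total > threshold_bytes:
                alerts.append({
                    "src": src,
                    "dst": dst,
                    "bytes": total,
                    "first": flows[start]["ts"],
                    "last": flow["ts"],
                })
                break  # one alert per pair is enough to page someone
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_egress(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {a['src']} -> {a['dst']}: {a['bytes']} bytes "
              f"between {a['first'].isoformat()} and {a['last'].isoformat()}")
```

In the sample, the 200 MiB sent at 01:30 falls outside the window and is discarded before the two 300 MiB transfers at 02:05 and 02:07 push db-app-01's total to the external address over the threshold; the small internal flows and web-01's ordinary traffic never trip it. A production deployment would derive the threshold from each host's own historical baseline rather than a fixed number, and would block rather than merely report once the alert fires.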
What can you do if your data has been stolen?
The Bottom Line
Time and again, RI's elected and appointed leaders have sought scapegoats to deflect blame from terrible state decision-making. Is the governor’s office already lining up lawyers to sue over the RIBridges/HealthSource RI data breach to avoid internal accountability, like the Washington Bridge debacle?
