From the County Manager Column from July 6, 2021

Safer today: Efforts of IS, Compliance & Ethics, other partners bring our data security to next level

We are thrilled to share that after nearly three years, last week we were notified by the federal Office of Civil Rights that their investigation had concluded with a finding of No Violation – meaning no penalties or corrective action were warranted.

For context, I invite you to hop in the time machine for a moment – let us travel back to Aug. 9, 2018. On that day, Finance and Information Services became aware of an attempt by hackers to steal the electronic paychecks of 26 of our employees. The hackers had compromised the employees’ Outlook accounts through an email phishing scheme and were trying to illicitly re-route the direct deposits to their own coffers.

Eagle-eyed employees and quick action by Enterprise Risk Management, Finance, and IS prevented the theft. We notified appropriate authorities, locked down the network and implemented new safeguards within hours. Good news after a quick response to a close call, right? Yes! And no...That experience and its aftershocks – by no means unique to Ramsey County, but more and more a facet of everyday life for organizations public, private and otherwise – served to accelerate our work that was already broadly underway in data security and cybersecurity.

Protecting clients’ and employees’ private information

Following this incident, we contracted with data security experts to conduct a thorough investigation. What we ultimately found along with them was sobering. Although there was no evidence that the hackers accessed any employee email accounts, nonetheless emails in the accounts were exposed. In those employee email boxes were thousands of records containing clients’ Protected Health Information. PHI – is private information about clients that is in our records so we can serve them – things like name, addresses, birth dates, dates of service, telephone numbers, account numbers, health insurance information and medical information.

Use of PHI spans several areas at the county, but is used mostly in the departments of Health and Wellness. However unlikely, because it was even remotely possible that the hackers could have accessed this data, under the law’s requirements we notified our clients, the public and the federal government. OCR initiated their own lengthy and in-depth investigation of our response to the incident and our practices around protecting PHI. Elsewhere in the news at that time were stories of multi-million-dollar penalties that OCR had levied against organizations found in violation of not adequately protecting PHI… (gulp!).

Compliance & Ethics Office established

Deanna Pesik joined Ramsey County in October 2019 as the county’s first Chief Compliance and Ethics Officer and added Chris Bogut as the first Health Care Compliance Manager to begin working on a number of initiatives, including establishing the office which would be responsible for:

  • Providing independent and objective review and evaluation of compliance and ethics matters throughout the organization.
  • Promoting countywide compliance with relevant federal, state and local regulations in alignment with the county’s vision, mission and goals.
  • Ensuring that departments across the organization adopt a common approach to compliance in order to promote an ethical and transparent culture.
  • Help ensure that departments protect the privacy of client and employee data. 

The office assumed leadership of our ongoing response with OCR following the August 2018 incident in partnership with Information Security and support from the County Attorney’s Office.

Information Services opens many fronts to provide security defense

From the very first minutes of the immediate response to the August 2018 incident through accelerating our existing long-term cybersecurity plans, virtually the entire Information Services team has had some role in dramatically improving our security posture over the past three years. Some of the many efforts and achievements follow:

  • Improving our anti-malware resources to constantly detect any malicious activity on our network.
  • Segmenting our network resources to minimize the potential impact of a potential attack.   
  • Implementation of multi-factor authentication across our primary applications and systems, significantly increasing protection of our network.
  • Consolidating computer phone and computer resources across county departments in order to improve security practices through common platform.
  • Expanding a 24/7 fully staffed security operations center.
  • Adding functionality to proactively identify PHI in employee email accounts; providing notification and encryption.
  • Implementing email retention in Outlook to reduce the risk of emails and data being stored in Outlook instead of the proper, more secure systems of record.  
  • Enabling tools to report suspicious emails to prevent phishing attacks and running stealth training campaigns and exercises to monitor how we’re all performing at avoiding and reporting phishing attempts.
  • Adding security software to prevent Denial of Service attacks from overwhelming our websites, especially at critical times when people are seeking information – e.g. in the weeks before an election.
  • Positioning us to be able to add "cyber insurance" should we ever face the awful situation where hackers take over and then hold for ransom a company’s or local government’s information network.   

Collaboration nets real results  

Accompanying the wide-ranging efforts of IS to improve the security of our network and Compliance & Ethics to raise risk awareness and improve development, communications, training and enforcement of policies in collaboration with the County Attorney’s Office, Human Resources, Finance and Communications & Public Relations.

This team worked together to overhaul our annual mandatory data governance training into a much more effective approach for all employees. They also rolled out new trainings and regular information on implementing our email retention schedule. They worked together to provide regular reminders and tips through RamseyNet to reinforce compliance with data security practices and policies.

All this foundational work helped us immensely when faced with another data security incident in December 2020. A vendor that we – and many other local governments across the country – use for technology service was attacked by hackers in what is often known as a "ransomware" attack. The incident response team acted quickly to establish a new safe hosting environment to protect our client data (there is every indication that it worked because we’ve had no indication that any data was compromised by the hackers). For their efforts, the incident response team was recognized with a “Shining Star” award - read more here.

Back to the incident of August 2018. After nearly three years, last week we were notified by OCR that their investigation had concluded with a finding of No Violation – meaning no penalties or corrective action were warranted. In the time since 2018, we were able to show the federal investigators the work we had built on during and since the incident – as well as our plans to continue developing our comprehensive data security and compliance posture going forward. We felt especially good about this outcome knowing that the great work and commitment of IS, Compliance & Ethics and other departmental partners have invested to continuously improve our ability to protect the systems our clients and employees rely on.