While rapid-fire cost-savings and consolidation efforts typically dominate an IT executive's annual to-do list, what's getting the green light this year are multiphase projects that protect organizations from regulatory fallout and data leakage.
At the California Department of Health Care Services (DHCS), for example, increased federal mandates and heightened media attention have led to a focus on projects that prevent data loss, says Christy Quinlan, CIO at the Sacramento agency.
"I know that whatever we spend on projects to secure data would be a whole lot cheaper than having to deal with even one leak," she says.
IT executives in a cross-section of industries, including government, education and the private sector, share the sentiment. In fact, three specific project areas -- privacy, enterprise rights management and data center automation -- are all getting the go-ahead because they can enable better data protection.
Since she took office as CIO in 2005, Quinlan has had a laser-like focus on improving the systems at the DHCS, a 2007 Enterprise All-Star Award honorable mention designee. She describes herself as a doer, not a talker, and doesn't understand why implementing new technologies takes some IT teams so long. Being a doer served her well earlier this year when the U.S. Social Security Administration (SSA) notified her team that its main system, Medi-Cal, was in violation of the Health Insurance Portability and Accountability Act regulations.
The mainframe-based application lacked the ability to prove that only need-to-know personnel were gaining access to private patient information, the SSA said. More than 70,000 workers in 58 counties use Medi-Cal to access Medicare and Medicaid claims.
To come into compliance, Quinlan needed to install role-based access privileges coupled with auditable time-stamping. "The SSA said we only had a short time to fix the problem or it was going to deny us access to its network," she says. The DHCS had no time to rewrite the Medi-Cal application code itself or to do any major system changes.
Instead, the agency opted to tack IBM's Resource Access Control Facility (RACF) onto the mainframe to manage and log role-based permissions atop the Medi-Cal system's own basic built-in privileges. Now Quinlan can set multilevel security policies based on users and the types of files they are trying to access. "This depth of tracking allows us to create a full audit trail," she says.
To avoid passing the complexity of a layered system on to users, Quinlan's team synchronized username and passwords for RACF and Medi-Cal. "They have a single point of entry and don't have to log on with separate identities," she says.
Having met the SSA's deadline, Quinlan has since returned to other privacy initiatives, including encrypting the more than 8,000 DHCS desktops and laptops in accordance with -- and in some cases ahead of -- state and federal regulations. "There's still no requirement to encrypt desktops, but why wouldn't you when you could have tremendous damage to the organization's credibility if data were lost?" she says.
Andreas Antonopoulos, senior partner at Nemertes Research, applauds organizations that are tackling privacy problems head-on. "You can easily protect against data loss with checks and balances and separation of duties," he says.
He also recommends prioritizing what data you need to retain and for how long. "The best security policy is not storing data you don't need," he says. Also, he advises IT teams to avoid using Social Security numbers and other critical data as identifiers.
In Pennsylvania, the Department of Agriculture follows right-to-know policies to make farmers feel safe providing sensitive information, says Sean Crager, CIO at the Harrisburg agency. "By having strong privacy policies, we increase enrollment in important [animal disease] awareness programs," he says.
For instance, the department encrypts sensitive information at the field level in its SQL Server database. This gives the department a two-fold advantage, Crager says: It allows the agency to be granular in the data that is secured as well as to avoid performance hits that would arise from encrypting the entire database.
Crager also ensures he stores only necessary information, offloading tasks such as credit-card processing to trusted third parties. "My goal is to keep as little personal data as possible. If we don't need it, I don't want it," he says.