UCLA Health System Data Breach Highlights Need for Data Retention Policies

07/22/2015  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Practice Leader of Risk Services


This week news broke that the UCLA Health System's computer network was breached, allowing hackers to gain access to sensitive information on as many as 4.5 million patients.

This is far from the largest data breach in recent memory. Just last month, it was revealed that more than 22 million people may have been affected in the U.S. government's Office of Personnel Management (OPM) data breach. In the OPM breach, hackers may have accessed Social Security numbers, health histories and other highly sensitive data — making the impact far more severe than originally estimated.

Given the scope of the OPM breach, the UCLA Health System theft might be viewed as a relatively minor deal. But it shouldn't be. And while no breach should be treated as business as usual, the UCLA Health System breach is notable for other reasons.

Early reports indicate that the unauthorized access, which may have begun in September of last year, may have allowed hackers to gain access to information dating back to the 1990s! The parts of the network that were breached contained names, dates of birth, Social Security numbers, Medicare and health identification numbers and even sensitive medical information such as patient diagnoses and procedures. It doesn't seem that credit card or other financial information was stolen in this particular breach. Even more worrisome, it isn't even clear at this point if anyone knows the total breadth of older data that may have been accessed.

The question that must be asked is why was so much older data so easily accessed in the first place? It is hard to fathom a compelling reason why data — sensitive patient health information (PHI) at that — from the 1990s should still be accessible on a network.

It comes down to the fact that far too many organizations lack a data retention policy and/or data purging process.

Data is information, and sensitive data should be — and often is — backed up. This can include old data that is preserved on magnetic tapes. Transferring older data to tape is a best practice because archived data is nearly impossible for hackers to access since it is no longer on the network. The UCLA Health System breach occurred because data that should have been archived was not. Instead, it was data that was still active and accessible on network systems.

Why was it still there? Probably for the simple reason that no one was told to purge it. Data is often retained, which is very different from being preserved, to accommodate those business cases where it may need to be accessed.

While it is responsible and even required for legal and regulatory reasons — as well as business needs — to retain sensitive data, it is downright irresponsible to keep data on the network indefinitely! Data shouldn't be there simply because it has always been there.

Organizations need to have a retention policy that takes into account legally mandated terms for data preservation. Simply put, data should only be held as long as it is needed. An active computer network should not be used as long-term storage under any circumstances.

Companies need to have an inventory of their sensitive data, and should perform regular audits of what is being retained. There needs to be much more than a general idea of the sort of data that is on the network. A data inventory should also provide details on where each dataset is stored as well as what systems can access it.

And don't forget third-party access! Organizations must detail which third parties their data is shared with, because if that third party is breached, it will be the primary organization's responsibility to implement containment and cleanup.

Policies need to be in place so data retention meets business requirements and legal obligations. However, past that necessary point in time, there should be a data purging policy in place that governs and ensures that data is purged when it is no longer needed.

You only want to keep data as long as you need it. Beyond the fact that you don't want to pay to store it, you don't want to pay to manage it, and you don't want to pay to back it up, the biggest reason to have an active data retention policy and purging policy in place is that old data represents unnecessary risk to your organization.
