Editorial: Maine scored 39 out of 100 in a recent IT security review. That is alarming.
The BDN Editorial Board operates independently from the newsroom, and does not set policies or contribute to reporting or editing articles elsewhere in the newspaper or on bangordailynews.com.
There are enough cyber threats out there in the world without the State of Maine accidentally posting roughly 20 people’s confidential mental health information online. A recent Bangor Daily News review found that the Maine Department of Health and Human Services displayed at least 20 documents on the state government website that “contained names and, in some cases, addresses, dates of birth and phone numbers, for those receiving mental health and substance use treatment.”
Public and private data is being weaponized. All levels of government need to be shoring up cyber defenses against these threats. The last thing Maine people need is for the state to be jeopardizing confidential information on its own.
We reached out to the administration of Gov. Janet Mills to better understand where the cybersecurity responsibilities lie within the state government and get a clearer picture of the current practices and requirements in place. The answer was detailed, but also alarming.
According to Kelsey Goldsmith, the spokesperson for the Maine Department of Administrative and Financial Services, which oversees the Maine Office of Information Technology (now known as Maine IT), the Mills administration “has prioritized IT security” and sought a third-party assessment of the state’s IT defenses last year. The results of that assessment? An eye-opening score of 39 out of 100.
It’s hard for us to know exactly what that score means, given that we don’t currently have the full assessment.
DAFS Commissioner Kirsten Figueroa mentioned it in a presentation to lawmakers in February, and Goldsmith told us Friday the department is working with Maine’s Attorney General to determine whether the assessment “can be shared without compromising IT security.” We do, however, feel fairly comfortable in assuming that 39 out of 100 isn’t exactly a passing grade.
Goldsmith provided a lengthy list of actions the Mills administration has taken in response to “improve the security of Maine’s technological infrastructure,” such as establishing the State of Maine Cybersecurity Advisory Council in January, reestablishing the Project Management Office to “ensure that the State’s myriad and complex technological systems are fully integrated and protected,” dedicating nearly $5 million in federal coronavirus relief funds to address hacking and other digital threats, and proposing millions more funding for IT security and systems upgrades.
Those are encouraging steps.
But on the increasingly active front of cybersecurity, Maine clearly has much more work to do. As for the DHHS website displaying confidential information, “the isolated error, which affected approximately 20 individuals, was not indicative of a gap in policy,” Goldsmith said on May 12. DHHS spokesperson Jackie Farwell said in a separate statement that her agency “regrets that this isolated incident occurred and we remain committed to protecting the privacy of those we serve,” and that DHHS has worked with technology partners to add more confidentiality protection.
“When DHHS became aware of this issue, we took immediate steps to deactivate the link to the website, remove the information, and initiate a thorough review that included notifying and seeking legal counsel from the Maine Office of the Attorney General,” Farwell said in a May 10 statement. “The review, which DHHS conducted in consultation with the attorney general’s office, definitively determined that an electronic system error led to certain confidential reports from the Division of Licensing and Certification becoming available online. We are not aware of any misuse of this information, which did not include Social Security, credit card, or insurance information.”
Rep. Jon Connor, a Republican from Lewiston, has called for an independent review of the situation.
He told the BDN editorial board he wants to make sure “that the process is in place to prevent things like this from happening in the future.” Amen to that. There is no such thing as being too thorough or too cautious when it comes to safeguarding data in the hands of the state. DHHS said it has been working to find current contact information and notify the 20-or-so people impacted by the confidential information being posted on the website. “While DHHS is not required by law to make these notifications, we take the protection of confidential information seriously and seek to make affected individuals aware,” Farwell said.
As Connor has suggested, those notifications absolutely should be required. The state needs to do everything it can to protect digital information across departments. But if it falls short in that effort, at the very least, the people impacted need to be alerted.
Much of this conversation is complicated.
That shouldn’t be.