Security Manager's Journal: Breached!

13.02.2006

On Monday, I fought the traffic to get into the office early. I hadn't been able to get in touch with my boss over the weekend, but I hadn't tried very hard either. Now, I stepped into his office and gently tapped on the door.

Then I really got his attention by telling him that a security incident had come to my attention on Friday evening and I needed to get him up to speed before he heard about it from someone else. I told him what details I had at that time and explained that I would at that point be following policy and procedure in handling the investigation. But he needed to understand that under HIPAA and state law, if the results of my investigation turned out unfavorably, we would be required to inform all our clients that their personal information had possibly been compromised.

After he absorbed this disturbing news, I asked him what he knew about the site's design. The answer: very little. (My boss has a background in software development and programming, but I wasn't surprised that he didn't know much about the architecture of this site.) I said the site would have to be redesigned, with several layers of security added. The least of that would be making sure that personally identifiable information resides in a database behind a firewall, not on a public Web server. Then we spent a few moments commiserating, since we are both relatively new to the public sector and are still prone to making assumptions about the way things are done. For example, we both assumed that a state-run Web site would be constructed properly.

Looking to the Future

I'm in the midst of the investigation now. The key will be determining whether any "unauthorized" disclosures were made. The employee who stumbled across the problem is authorized to access the data in the directory, so there's a chance that no unauthorized disclosure took place. Right now, I'm searching through a year's worth of Web site logs and identifying the source IP addresses from which the various URLs were accessed. I have also imported the Web site to one of our local servers in order to perform a security review. I'm hoping I find nothing worth reporting.
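The log review described above, reduced to a script, as an added example (this is not the columnist's own tooling; the column does not say what server or log format was involved). It assumes Apache/NCSA common log format, a hypothetical exposed directory `/reports/`, a hypothetical internal address range `10.0.0.0/8`, and a handful of constructed log lines. It goes one step further than a plain grep on the directory name: paths are percent-decoded, dot-segment-resolved and lower-cased before matching, so an access logged as `/Reports/client%5Flist.xls` or `/public/..%2Freports/...` is not missed, and each source address is tagged internal or external, since the unauthorized-disclosure question turns on who retrieved the files.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/NCSA common log format (assumption; the column does not name the server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines; the addresses and file names are invented.
SAMPLE_LOG = """\
10.20.1.15 - - [03/Feb/2006:09:12:01 -0500] "GET /reports/client_list.xls HTTP/1.1" 200 48210
10.20.1.15 - - [03/Feb/2006:09:12:05 -0500] "GET /reports/ HTTP/1.1" 200 1833
198.51.100.23 - - [05/Feb/2006:02:47:44 -0500] "GET /Reports/client%5Flist.xls HTTP/1.0" 200 48210
198.51.100.23 - - [05/Feb/2006:02:48:10 -0500] "GET /public/..%2Freports/intake_forms.doc HTTP/1.0" 200 9120
203.0.113.7 - - [06/Feb/2006:11:03:19 -0500] "GET /reports/client_list.xls HTTP/1.1" 404 512
203.0.113.7 - - [06/Feb/2006:11:03:25 -0500] "GET /index.html HTTP/1.1" 200 2210
garbage line that does not parse
"""


def normalize_path(raw):
    """Canonicalise a request path: drop the query string, percent-decode twice
    (catches double encoding), resolve '.' and '..' segments, collapse repeated
    slashes and lower-case (IIS-style servers match case-insensitively)."""
    path = unquote(unquote(raw.split('?', 1)[0]))
    parts = []
    for seg in path.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return '/' + '/'.join(parts).lower()


def find_accesses(lines, exposed_dir, internal_nets, include_failed=False):
    """Return {ip: {'hits': n, 'paths': set, 'external': bool}} for requests
    under exposed_dir. Requests answered with 4xx/5xx served nothing and are
    skipped by default; pass include_failed=True to keep them, since a stream
    of 403s/404s against the directory is evidence of probing."""
    prefix = normalize_path(exposed_dir)
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = defaultdict(lambda: {'hits': 0, 'paths': set(), 'external': True})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; in a real review, count these rather than silently dropping them
        path = normalize_path(m.group('path'))
        if path != prefix and not path.startswith(prefix + '/'):
            continue
        if int(m.group('status')) >= 400 and not include_failed:
            continue
        try:
            addr = ipaddress.ip_address(m.group('ip'))
        except ValueError:
            continue  # hostname-logged or corrupt source field
        rec = hits[m.group('ip')]
        rec['hits'] += 1
        rec['paths'].add(path)
        rec['external'] = not any(addr in n for n in nets)
    return dict(hits)


def external_sources(hits):
    """Sorted list of source addresses outside the internal ranges; these are
    the ones that need explaining before 'no unauthorized disclosure' can be claimed."""
    return sorted(ip for ip, rec in hits.items() if rec['external'])


if __name__ == '__main__':
    result = find_accesses(SAMPLE_LOG.splitlines(), '/reports/', ['10.0.0.0/8'])
    for ip, rec in sorted(result.items()):
        tag = 'EXTERNAL' if rec['external'] else 'internal'
        print(f"{ip:16} {tag:9} {rec['hits']:3} hits  {sorted(rec['paths'])}")
    print('external sources:', external_sources(result))
```

Run against a year of logs this is a `find_accesses(open(path), ...)` per log file; the interesting output is the external list, which then has to be reconciled against known clients, crawlers and the organization's own remote staff before any disclosure conclusion is drawn.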